Message-ID: <CADMWQoN+5h8vzSt+DFKN1YTzma0V3TFgiH2o6d2P6Tu50xRmsg@mail.gmail.com>
Date: Wed, 25 Nov 2015 16:28:18 +0100
From: Jacob Vosmaer <jacob@...lab.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: RCE in gitlab-shell 2.6.6-2.6.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I would like to request one (1) CVE for the vulnerability in
gitlab-shell described below. Thanks in advance.

We have found a remote code execution vulnerability in gitlab-shell
2.6.6 and 2.6.7. This affects GitLab Community Edition 8.2.0 and
GitLab Enterprise Edition 8.2.0. GitLab 8.1.4 and earlier versions
are not affected by this vulnerability.

GitLab allows users to push and pull Git data over SSH. To prevent
full system access via SSH we use gitlab-shell, a program that
sanitizes and validates SSH commands that run on the GitLab server
to send and receive Git data. Due to a change in gitlab-shell
2.6.6-2.6.7, an attacker who has a user account on a GitLab server
can bypass the sanitization in gitlab-shell and run arbitrary
commands on the GitLab server.

The only versions of GitLab that include a vulnerable version of
gitlab-shell are GitLab Community Edition 8.2.0 and GitLab Enterprise
Edition 8.2.0. If you are still running GitLab 8.1 or earlier then
you are not affected by this vulnerability. As an administrator
you can check your gitlab-shell version by going to
gitlab.example.com/admin and looking in the upper right corner in
the 'Components' section. Only gitlab-shell versions 2.6.6 and 2.6.7
are affected.

If you installed GitLab 8.2.0 on your server then you should [upgrade
immediately](https://about.gitlab.com/update/).

This vulnerability was fixed by:
https://gitlab.com/gitlab-org/gitlab-shell/commit/dacb8ec07645f254c3a2cf7d6f1d6c26b4f33dce

Best regards,

Jacob Vosmaer
GitLab Inc.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJWVdMIAAoJEB2vXw0YK62WrOYH/3qJbQfKpEeRkKRobDQwjpXw
85NHkoeTPmneHe41KEeUrgt5YdkrZs4kjTlaAq5CgbxRgVTQdo907q4Y4O3TgmBl
gnO0qJ7qATTKkZoK3h5YQUckhDXeyRIC4xYxmADefBRBKrlyWQWgh61p2rN/5/1T
v3YmdDa+2DqYYhxNIUhHeIL9sF7XVhD3fOwNSZ/2w6ShgP9Zc1i6fHO0vbkU0ZX0
WpG5h8TGIuvp6BgaIBo0u0eFgC7Q3e9Wi3GWwr200GAwOqqfIQDJKpFAUbH/EVTp
SGR/lwxbrspUkU8cMNEwJBs4eREBxH0cIyq1TtqZlyRYhJrqYzjhNHg1Npi7bPg=
=hvt4
-----END PGP SIGNATURE-----

Best regards,

Jacob Vosmaer
GitLab B.V.
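The message above describes gitlab-shell's job in one sentence: it is the forced command behind every GitLab SSH key, and it must reduce the attacker-controlled SSH_ORIGINAL_COMMAND to one of a few known git commands on a well-formed repository path, or refuse. The block below is an added illustration of that allowlist-and-exec pattern, written for this page; it is not gitlab-shell's code and says nothing about the specific bypass fixed in the linked commit. REPO_ROOT, the repository path grammar, the DisallowedCommand class and the function names are assumptions chosen for the example.

```ruby
# Added example, not gitlab-shell's own code: the allowlist-and-exec
# pattern an SSH git gateway relies on. SSH_ORIGINAL_COMMAND is entirely
# attacker-controlled, so the gateway accepts only an exact, known-good
# shape and hands the result to exec() as an argument array, never to a
# shell. REPO_ROOT, the path grammar and the error class are assumptions.
require 'shellwords'

REPO_ROOT = '/var/opt/repos'.freeze
GIT_COMMANDS = %w[git-upload-pack git-receive-pack git-upload-archive].freeze
# namespace/project.git, each segment starting with an alphanumeric
# character so that '.' and '..' segments can never appear.
REPO_PATH = %r{\A[A-Za-z0-9][A-Za-z0-9_.-]*/[A-Za-z0-9][A-Za-z0-9_.-]*\.git\z}.freeze

class DisallowedCommand < StandardError; end

# Turn the raw SSH command into the exact argv to run, or raise.
def parse_ssh_command(origcmd)
  raise DisallowedCommand, 'empty command' if origcmd.nil? || origcmd.strip.empty?

  # Shellwords.split honours quoting but executes nothing; it raises
  # ArgumentError on unbalanced quotes, which callers treat as a rejection.
  args = Shellwords.split(origcmd)

  # Accept both "git-upload-pack repo" and "git upload-pack repo".
  if args[0] == 'git' && args.length >= 2
    args = ["git-#{args[1]}", *args[2..]]
  end

  raise DisallowedCommand, "expected 2 arguments, got #{args.length}" unless args.length == 2

  command, repo = args
  raise DisallowedCommand, "command not allowed: #{command}" unless GIT_COMMANDS.include?(command)
  raise DisallowedCommand, "bad repository path: #{repo}" unless REPO_PATH.match?(repo)

  # The repository path is joined onto a fixed root; the grammar above
  # guarantees it cannot escape that root.
  [command, File.join(REPO_ROOT, repo)]
end

# Boolean convenience for callers and tests.
def allowed_ssh_command?(origcmd)
  parse_ssh_command(origcmd)
  true
rescue DisallowedCommand, ArgumentError
  false
end

# Entry point for an authorized_keys "command=" forced command.
def run_ssh_command(origcmd = ENV['SSH_ORIGINAL_COMMAND'])
  argv = parse_ssh_command(origcmd)
  # exec with separate arguments: argv[0] is the program, no shell is involved.
  exec(*argv)
rescue DisallowedCommand, ArgumentError => e
  warn "Disallowed command: #{e.message}"
  exit 1
end
```

To use it as a forced command, an authorized_keys entry would point `command=` at a script that calls `run_ssh_command`; the important design choices are that the input is tokenised rather than passed to a shell, that the command name is matched against a closed list, that the path is matched against a grammar which rules out traversal by construction, and that every rejection path ends in exit rather than a fallback.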
