Bug 24421 - koji new security issue CVE-2018-1002161
Summary: koji new security issue CVE-2018-1002161
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-25 00:23 CET by David Walser
Modified: 2019-04-11 00:08 CEST (History)
4 users

See Also:
Source RPM: koji-1.16.1-4.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 1.12.2 and 1.16.2

Description David Walser 2019-02-25 00:23:19 CET
Upstream has issued an advisory on February 21:
https://docs.pagure.org/koji/CVE-2018-1002161/

The issue is fixed upstream in 1.12.2 and 1.16.2.

Mageia 6 is also affected.
David Walser 2019-02-25 00:23:28 CET

Whiteboard: (none) => MGA6TOO

David Walser 2019-03-09 17:33:31 CET

Status comment: (none) => Fixed upstream in 1.12.2 and 1.16.2

Comment 1 David Walser 2019-03-10 01:38:01 CET
Fixed in koji-1.17.0-1.mga7 in Cauldron by Neal.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 David Walser 2019-03-10 02:15:23 CET
Updated package uploaded for Mageia 6 by Neal.

Advisory:
========================

Updated koji packages fix security vulnerability:

Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By
passing carefully constructed arguments to these calls, an unauthenticated user
can issue arbitrary SQL commands to Koji’s database. This gives the attacker
broad ability to manipulate or destroy data (CVE-2018-1002161).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002161
https://docs.pagure.org/koji/CVE-2018-1002161/
========================

Updated packages in core/updates_testing:
========================
koji-1.12.2-1.mga6
koji-hub-1.12.2-1.mga6
koji-hub-plugins-1.12.2-1.mga6
koji-builder-1.12.2-1.mga6
koji-vm-1.12.2-1.mga6
koji-utils-1.12.2-1.mga6
koji-web-1.12.2-1.mga6

from koji-1.12.2-1.mga6.src.rpm

Assignee: ngompa13 => qa-bugs
CC: (none) => ngompa13
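The advisory above describes the bug class (caller-supplied XML-RPC arguments interpolated into SQL) without showing code. The following is an added illustration, not Koji's code or the upstream fix: a constructed in-memory SQLite table, a hypothetical `getPackage`-style handler written the vulnerable way, and the same handler with a bound parameter. The XML-RPC request is decoded with the standard library so the argument arrives exactly as a hub would see it, as an ordinary string the handler must treat as data.

```python
import sqlite3
import xmlrpc.client


def make_db():
    """Constructed stand-in for a hub database; not Koji's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE package (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO package (name) VALUES (?)",
        [("bash",), ("koji",), ("openssl",)],
    )
    return conn


def get_package_vulnerable(conn, name):
    """Hypothetical handler that pastes the caller's string into the query.

    This is the pattern the advisory describes: the argument becomes part of
    the SQL text, so a caller can change the statement, not just the value.
    """
    query = "SELECT name FROM package WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query).fetchall()]


def get_package_fixed(conn, name):
    """Same lookup with a bound parameter; the argument is always data."""
    if not isinstance(name, str):
        # XML-RPC carries typed values; reject anything that is not a string
        # before it reaches the database layer.
        raise TypeError("name must be a string")
    return [
        row[0]
        for row in conn.execute(
            "SELECT name FROM package WHERE name = ?", (name,)
        ).fetchall()
    ]


def decode_request(xml):
    """Unmarshal an XML-RPC request the way a hub does: returns (method, params)."""
    params, method = xmlrpc.client.loads(xml)
    return method, params


def demo():
    """Run both handlers on the same decoded request and report what each returns."""
    conn = make_db()
    # Constructed request body of the kind an unauthenticated caller controls.
    # The argument is a plain string; only the vulnerable handler lets it alter the query.
    request = xmlrpc.client.dumps(("x' OR '1'='1",), methodname="getPackage")
    method, params = decode_request(request)
    assert method == "getPackage"
    return {
        "vulnerable": get_package_vulnerable(conn, params[0]),  # every row leaks
        "fixed": get_package_fixed(conn, params[0]),            # no row named that
        "normal": get_package_fixed(conn, "koji"),              # legitimate lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The useful review check this suggests for a package like koji-hub is mechanical: any `%` or `.format()` building SQL text from a handler argument is a finding, and the fix is to move the value into the driver's parameter tuple as `get_package_fixed` does. The type check matters because XML-RPC will happily deliver an int, a list or a struct where a string was expected.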

Comment 3 Herman Viaene 2019-03-11 11:20:39 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried at CLI
$ koji -h
Usage: koji [global-options] command [command-options-and-arguments]

Common commands: build, download-build, help, latest-pkg, list-targets, search

Options:
  -h, --help            show this help message and exit
  -c FILE, --config=FILE
                        use alternate configuration file
  -p PROFILE, --profile=PROFILE
                        specify a configuration profile
and loads more
$ koji  --help-commands
Available commands:

admin commands:
        add-external-repo         Create an external repo and/or add one to a tag
        add-group                 Add a group to a tag
        add-group-pkg             Add a package to a group's package listing
        add-group-req             Add a group to a group's required list
etc......

Tried to find some easy example, but concluded I would need some days to weeks of study, so abandoning this to people with more knowledge or experience on the subject.

CC: (none) => herman.viaene

Comment 4 David Walser 2019-03-12 15:29:22 CET
Fedora has issued an advisory for this on February 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZK4UFB6Q4EDKJYDCXJ7R43EBRSWBS3SR/
Dave Hodgins 2019-04-10 22:32:35 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Dave Hodgins 2019-04-10 22:58:41 CEST
Validating based on packages all updating cleanly using qarepo.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2019-04-11 00:08:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED