Nov 8, 2013 - Jacob Vosmaer

Security vulnerability in gitlab-shell (CVE-2013-4546)

Learn more about remote code execution vulnerability in gitlab-shell (CVE-2013-4546).

Security vulnerability in gitlab-shell (CVE-2013-4546)

We have learned about a second remote code execution vulnerability in gitlab-shell. This issue was fixed in gitlab-shell 1.7.4, so users who updated gitlab-shell after our recent security announcement are not affected.

Remote code execution vulnerability in the repository import feature of older versions of GitLab

There is a remote code execution vulnerability in the repository import feature of older versions of GitLab. This vulnerability has been assigned the CVE identifier CVE-2013-4546.

Versions affected: 5.0, 5.1, 5.2, 5.3, 5.4, 6.0, 6.1, 6.2

Not affected: 4.2 and earlier

Fixed versions: 5.4.1, Community Edition 6.2.3, Enterprise Edition 6.2.0 (all using gitlab-shell 1.7.4)

Impact

When creating a new project a GitLab user can specify that a remote repository should be imported into the new project. In affected versions the import URL text field can be used to execute code on the GitLab server. Only authenticated users can create new projects and import repositories.

This vulnerability was fixed in gitlab-shell 1.7.4. All users running GitLab 5.4 or newer should verify that they are using gitlab-shell 1.7.4 or newer (cat /home/git/gitlab-shell/VERSION) and upgrade gitlab-shell immediately if necessary.

Releases

Gitlab-shell 1.7.4 is available from https://gitlab.com/gitlab-org/gitlab-shell and https://github.com/gitlabhq/gitlab-shell . To upgrade gitlab-shell it suffices to run sudo su git -c 'git fetch && git checkout v1.7.4' in /home/git/gitlab-shell .

Workarounds

If you are unable to upgrade you can disable the repository import functionality in GitLab by deleting the following code block from app/contexts/projects/create_context.rb and restarting GitLab:

# Import project from cloneable resource
if @project.valid? && @project.import_url.present?
  shell = Gitlab::Shell.new
  if shell.import_repository(@project.path_with_namespace, @project.import_url)
    # We should create satellite for imported repo
    @project.satellite.create unless @project.satellite.exists?
    @project.imported = true
    true
  else
    @project.errors.add(:import_url, 'cannot clone repo')
  end
end

Credits

Thanks to Remy van Elst https://raymii.org/ for reporting the vulnerability to us.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source