CVE-2018-1002161

SQL injection in multiple remote calls

Summary

This is a critical security bug.


Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By

passing carefully constructed arguments to these calls, an unauthenticated user

can issue arbitrary SQL commands to Koji’s database. This gives the attacker

broad ability to manipulate or destroy data.


There is no known workaround. All Koji admins are encouraged to update to a

fixed version as soon as possible.

Bug fix

We are releasing updates for each affected version of Koji to fix this bug. The following releases all contain the fix:


Note: the legacy-py24 branch is unaffected since it is client-only (no hub).


For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. If this is not feasible, the patch should be very easy to apply. Please see Koji issue 1183 for the code details.


As with all changes to hub code, you must restart httpd for the changes to take effect.

Links

Fixed versions can be found at our releases page:


https://pagure.io/koji/releases


Questions and answers about this issue


https://docs.pagure.org/koji/CVE-2018-1002161-FAQ/