GX-2018-0006 - Unauthorized File System Operations via New Upload API

John Chilton

DESCRIPTION

A high severity security vulnerability was recently discovered in
Galaxy 18.05's new upload API by the Galaxy Committers Team. Anyone
with a Galaxy account can exploit this vulnerability to read and write
arbitrary files on the Galaxy host accessible by the system user
Galaxy runs as.

This is possible due to insecure handling of tar file extraction.

This vulnerability has been assigned the disclosure ID GX-2018-0006.

AFFECTED VERSIONS

This vulnerability affects Galaxy version 18.05 only (and the current
development branch).

IMPACT

Administrators of Galaxy 18.05 servers should patch immediately.
Galaxy servers running versions of Galaxy older than 18.05 are
unaffected by this problem.

The fix sanitizes the contents of tar files during upload while extracting them.
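The two flaws this advisory names, unsafe tar extraction during upload and the fix that sanitizes archive contents while extracting, come down to validating every archive member before anything is written to disk. The following is an added illustration, not Galaxy's own code or its actual patch: a hypothetical `safe_extract` for a Python upload handler that rejects an entire archive if any member uses an absolute path, escapes the destination with `..`, or is a symlink or hard link whose target resolves outside the destination. The `demo` function builds three constructed archives in memory (one benign, one with path traversal, one with an escaping symlink) and shows the outcome for each.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(base, target):
    """True if `target`, after resolving `..` and symlinks, stays inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_tar_member(member, dest_dir):
    """Return a reason string if `member` must not be extracted into dest_dir, else None."""
    name = member.name
    if os.path.isabs(name):
        # an absolute member name would be written outside dest_dir entirely
        return "absolute path: %s" % name
    if not is_within_directory(dest_dir, os.path.join(dest_dir, name)):
        return "path traversal: %s" % name
    if member.issym() or member.islnk():
        target = member.linkname
        if os.path.isabs(target):
            return "absolute link target: %s -> %s" % (name, target)
        # a symlink target is relative to the link's own directory,
        # a hard link target is relative to the archive root
        base = os.path.dirname(name) if member.issym() else ""
        if not is_within_directory(dest_dir, os.path.join(dest_dir, base, target)):
            return "link escapes destination: %s -> %s" % (name, target)
    elif not (member.isfile() or member.isdir()):
        # device nodes, FIFOs and other special entries have no place in an upload
        return "unsupported member type: %s" % name
    return None


def safe_extract(tar_bytes, dest_dir):
    """Extract an uploaded archive, refusing the whole archive if any member is unsafe."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        # validate everything first so a rejected archive leaves nothing behind
        for m in members:
            reason = check_tar_member(m, dest_dir)
            if reason:
                raise ValueError("refusing to extract archive: " + reason)
        # Python 3.12+ (and security backports) also ship a stdlib 'data' filter; use it when present
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, members=members, **kwargs)
    return [m.name for m in members]


def build_tar(entries):
    """Constructed test input: build an in-memory tar from (name, content, symlink_target) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content, link_target in entries:
            info = tarfile.TarInfo(name)
            if link_target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link_target
                tar.addfile(info)
            else:
                payload = content.encode()
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo():
    """Run three constructed archives through safe_extract; returns a dict of outcomes."""
    benign = build_tar([("data/reads.fastq", "@r1\nACGT\n+\nIIII\n", None)])
    traversal = build_tar([("../../outside.txt", "written outside the upload dir\n", None)])
    link_escape = build_tar([("link", "", "../../etc"), ("link/x", "via symlink\n", None)])
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["benign"] = safe_extract(benign, dest)
        for label, archive in (("traversal", traversal), ("link_escape", link_escape)):
            try:
                safe_extract(archive, dest)
                results[label] = "extracted"
            except ValueError as e:
                results[label] = str(e)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-12s %s" % (label, outcome))
```

Checking all members before writing any of them matters: validating member by member during extraction lets an early symlink be created and a later member be written through it. Resolving paths with `os.path.realpath` on both sides handles destination directories that are themselves symlinks (as temporary directories often are).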

INSTRUCTIONS

The fixes are available on the `release_18.05` branch in the Galaxy
GitHub repository[2]. You can simply `git pull` or use your normal
update procedure to get the changes.

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.

--John Chilton (on behalf of the Galaxy Committers)

[1] https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md
[2] https://github.com/galaxyproject/galaxy/
_______________________________________________
galaxy-announce mailing list
https://lists.galaxyproject.org/listinfo/galaxy-announce