GX-2018-0006 - Unauthorized File System Operations via New Upload API
A high severity security vulnerability was recently discovered in
Galaxy 18.05's new upload API by the Galaxy Committers Team. Anyone
with a Galaxy account can exploit this vulnerability to read and write
arbitrary files on the Galaxy host accessible by the system user
Galaxy runs as.
This is possible due to insecure handling of tar file extraction.
This vulnerability has been assigned the disclosure ID GX-2018-0006.
This vulnerability affects Galaxy version 18.05 only (and the current
Administrators of Galaxy 18.05 servers should patch immediately.
Galaxy servers running versions of Galaxy older than 18.05 are
unaffected by this problem.
The fix sanitizes the contents of tar files as they are extracted during upload.
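As an added illustration of the kind of check such a fix needs (this is not Galaxy's own code, and the upload directory `/srv/galaxy/uploads` used in the lead-in and comments is a placeholder), the example below audits every tar member against the destination directory before anything is written, and rejects the whole archive rather than silently dropping bad members. Python 3.12 and later ship an equivalent built-in check as `tarfile.data_filter`; the code uses it in addition when available.

```python
import io
import os
import tarfile


def is_safe_member(member: tarfile.TarInfo, dest: str) -> bool:
    """True if extracting `member` into `dest` cannot touch anything outside it."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    # Absolute names and "../" segments normalize to a path outside dest.
    if os.path.commonpath([dest_real, target]) != dest_real:
        return False
    if member.issym() or member.islnk():
        # A link pointing outside dest lets a later member, or the application,
        # read or write through it. Symlinks resolve relative to their own
        # directory, hard links relative to the archive root.
        base = os.path.dirname(target) if member.issym() else dest_real
        link_real = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest_real, link_real]) != dest_real:
            return False
    # Device nodes and FIFOs have no place in an uploaded dataset.
    return not (member.isdev() or member.isfifo())


def audit_archive(archive_bytes: bytes, dest: str) -> list:
    """Names of members that would escape `dest`; an empty list means safe."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member(m, dest)]


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract only after the whole archive passes the audit (reject, don't strip)."""
    bad = audit_archive(archive_bytes, dest)
    if bad:
        raise ValueError("rejected upload, unsafe tar members: %s" % bad)
    # Defense in depth: let the stdlib 'data' filter re-check on 3.12+.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest, **extra)
        return [m.name for m in tar.getmembers()]


def build_archive(entries) -> bytes:
    """Constructed sample archive: entries are (name, data) or (name, None, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if entry[1] is None:                      # symlink member
                info.type, info.linkname = tarfile.SYMTYPE, entry[2]
                tar.addfile(info)
            else:                                      # regular file member
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()
```

`audit_archive` never touches the filesystem, so it can run on an upload before a destination directory even exists.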
The fixes are available on the `release_18.05` branch in the Galaxy
GitHub repository. You can simply `git pull` or use your normal
update procedure to get the changes.
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.
--John Chilton (on behalf of the Galaxy Committers)