Merge branch 'release_16.01' into dev

galaxyproject · Feb 24, 2016 · 63d7b7a · 63d7b7a
2 parents ed82982 + c6b010a
commit 63d7b7a
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 0 deletions.
diff --git a/doc/source/releases/16.01.rst b/doc/source/releases/16.01.rst
@@ -342,6 +342,24 @@ Enhancements
 * Add a log.warn() if extracted file does not exist when changing permissions.
   (thanks to `@nsoranzo <https://github.com/nsoranzo>`__.)
   `Pull Request 939`_
+* Add a safe_relpath util function for ensuring a path does not reference an absolute or parent directory.
+  `Commit f540a16`_
+
+Security
+-------------------------------
+
+.. security
+
+* Security fixes for history imports.
+  `Commit bf1c77d`_
+* Security fixes for object store paths.
+  `Commit 5da91bd`_
+* Remove sample tracking manual external service transfer due to security concerns.
+  `Commit cd8b965`_
+* Security fixes for tool shed repository browsing.
+  `Commit e4a1d57`_
+* Security fixes for tool shed hg push and capsule/tarball uploads.
+  `Commit e845d64`_
 
 Fixes
 -------------------------------
@@ -742,3 +760,10 @@ Fixes
 .. _Pull Request 1551: https://github.com/galaxyproject/galaxy/pull/1551
 .. _Pull Request 1554: https://github.com/galaxyproject/galaxy/pull/1554
 .. _Pull Request 1558: https://github.com/galaxyproject/galaxy/pull/1558
+
+.. _Commit f540a16: https://github.com/galaxyproject/galaxy/commit/f540a16768307995ea49c5d241948537ebbfa540
+.. _Commit bf1c77d: https://github.com/galaxyproject/galaxy/commit/bf1c77d171f079f42d481ad465dbaef3bac8b4d4
+.. _Commit 5da91bd: https://github.com/galaxyproject/galaxy/commit/5da91bddcda3ad3a4942e752d9b4bb3e7872046c
+.. _Commit cd8b965: https://github.com/galaxyproject/galaxy/commit/cd8b96553f673145ee64a86d32960ba42643baed
+.. _Commit e4a1d57: https://github.com/galaxyproject/galaxy/commit/e4a1d5727805168a9fd15aca1cdd21630ada2bbc
+.. _Commit e845d64: https://github.com/galaxyproject/galaxy/commit/e845d649c672c51cc2336da0d880c9ff74ea6b5f
diff --git a/doc/source/releases/16.01_announce.rst b/doc/source/releases/16.01_announce.rst
@@ -76,6 +76,83 @@ support Python 2.6. For more information, see Galaxy Github
 .. _wheels: http://pythonwheels.com/
 .. _pip: https://pip.pypa.io/en/stable/
 
+Security
+===========================================================
+
+Multiple security vulnerabilities were identified during this release cycle and
+fixed concurrently with the release. In addition, the fixes have been
+backported to older releases.
+
+The Galaxy Committers would like to thank `Youri Hoogstrate
+<https://github.com/yhoogstrate>`_ at the Erasmus MC, Rotterdam, who initially
+reported the ``hg push`` vulnerability. Through additional auditing based on
+this attack vector, we discovered the other vulnerabilities.
+
+**Galaxy**
+  Multiple security vulnerabilities were discovered in Galaxy that allow
+  malicious actors to read and write files on the Galaxy server. Additionally,
+  Galaxy servers on which a rarely used feature has been enabled are vulnerable
+  to an arbitrary code execution exploit.
+
+  1. A write vulnerability exists in the history import mechanism. It is
+     possible to create a history tar archive that contains files with parent
+     directory components in the file path (e.g. ``foo/../../bar`` would
+     extract to ``../bar``), and these archive members would be written if the
+     user running the Galaxy server had write permission to the given path.
+
+  2. A read vulnerability exists in the object store path composition code.
+     Galaxy allows clients to add elements to the end of a path to "extra"
+     files associated with a dataset (as is the case with composite datatypes).
+     These elements were not being checked to ensure they did not contain
+     relative parent references (``..``) or did not start with an absolute path
+     character (``/``). Because of this, the dataset display methods could be
+     manipulated to return the contents of any files for which the Galaxy
+     server user had read permission.
+
+  3. An arbitrary code execution vulnerability exists in the Galaxy sample
+     tracking system. The sample tracking system included a feature which
+     allowed administrators to browse remote "external services" (such as
+     sequencers) to choose files to transfer to the Galaxy server. This
+     browsing code used a shell invocation which did not sanitize user input.
+     However, this code is only reachable if at least one external service has
+     ever been defined. 
+
+  Fixes for all three issues have been applied to Galaxy releases back to
+  v14.10.
+
+**Tool Shed**
+  Multiple security vulnerabilities were discovered in the Tool Shed that allow
+  malicious actors to read and write files on the Tool Shed server outside of
+  normal Tool Shed repository directories.
+
+  1. A write vulnerability exists in the Tool Shed tarball and capsule upload
+     functionality. It is possible to create a tar archive that contains files
+     with parent directory components in the file path (e.g.  ``foo/../../bar``
+     would extract to ``../bar``), and these archive members would be written
+     if the user running the Tool Shed had write permission to the given path.
+     The Tool Shed tarball handling code checked for invalid characters (``/``
+     or ``..``) at the beginning of the path but not for ``..`` in the middle
+     of a path.
+
+  2. A read vulnerability exists in multiple places. The first is in the (now
+     deprecated) ``hg push`` functionality for updating Tool Shed repositories.
+     This method allows malicious actors to push symlinks whose targets are
+     outside the repository (either via an absolute or relative path). The
+     contents of the targets would then be visible in the Tool Shed repository
+     contents viewer, if the Tool Shed user has read permission on the target.
+
+  3. A second read vulnerability exists in the Tool Shed repository contents
+     viewer. The viewer would allow a malicious actor to specify a path outside
+     the repository, and if the Tool Shed system user had read permissions on
+     that path, it would be displayed. The viewer also did not check to ensure
+     that the targets of symlinks in a repository did not point outside the
+     repository.
+
+  The repository contents viewer read vulnerability also exists in Galaxy, but
+  is only reachable/exploitable by admin users. Fixes for vulnerability #3 have
+  been applied to Galaxy/Tool Shed releases back to v14.10, and issues #1 and
+  #2 have been applied to releases back to v15.01.
+
 Release Notes
 ===========================================================