Galaxy Security Vulnerability


Galaxy Security Vulnerability

Nate Coraor (nate@bx.psu.edu)
A security vulnerability was recently discovered by Inge Alexander Raknes that would allow a malicious person to execute arbitrary code on a Galaxy server. The vulnerability was in a method that uses Python "pickle" functionality to decode state information from tool forms. Because pickles can be used to instantiate arbitrary Python objects, tool states could be constructed to exploit this vulnerability.

Because this vulnerability allows for arbitrary code execution, administrators are strongly encouraged to apply this fix IMMEDIATELY. We have tried to make it as easy and quick as possible for server administrators to update their Galaxy instances. The fix has been applied to every stable release from 2013.01.13 until the tip, so it is possible to get this fix on older releases without updating to a newer feature release. You can do this by identifying your current release and updating to the `latest_<release_date>` tag corresponding to your release.

For example, if you are running release_2013.11.04 (or a subsequent commit to the stable branch of Galaxy between release_2013.11.04 and release_2014.02.10), you can update with:

 % hg pull
 % hg update latest_2013.11.04

For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.


If you do not want to pull any upstream changes, we have also created a standalone patch that fixes this problem, with multiple versions depending on your current Galaxy release:

 - pickle-2013.11.04.patch - This patch should apply cleanly (with offset/fuzz) to releases from 2013.11.04 up to the current stable tip. Available at: https://depot.galaxyproject.org/patch/pickle-2013.11.04.patch

 - pickle-2013.01.13.patch - This patch should apply cleanly (with offset/fuzz) to releases from 2013.01.13 up to 2013.08.12, and possibly older versions of Galaxy as well. Available at: https://depot.galaxyproject.org/patch/pickle-2013.01.13.patch

 If you happen to be running a very recent revision on the default branch or the newly created next-stable branch, a pickle-default.patch file exists at the same place.

For older releases or instances with conflicting local modifications, manual application of the patch should not be difficult as it only includes a few small changes. To apply the patch, navigate to the root of your Galaxy directory, then run (replacing <url_to_patch> with the URL above that is correct for your release):

 % wget -O pickle.patch <url_to_patch>

or:

 % curl -o pickle.patch <url_to_patch>

and then:

 % patch -p1 < pickle.patch
 patching file lib/galaxy/util/__init__.py
 Hunk #1 succeeded at 575 with fuzz 2 (offset -113 lines).
 patching file lib/galaxy/webapps/galaxy/controllers/ucsc_proxy.py

Again, for the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.


The Galaxy Team would like to extend special thanks to Inge Alexander Raknes and colleagues, who privately disclosed the vulnerability, with a full analysis and proof of concept.

Credit for the fix and subsequent testing goes to my fellow Galaxy Team members John Chilton and Dannon Baker.

On behalf of the Galaxy Team,
--nate

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
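The advisory above says the flaw was a method that decoded tool-form state with Python pickle, and that pickles can instantiate arbitrary objects. The following example is added here to illustrate the defensive side of that statement; it is not Galaxy's code and not the contents of the patches linked above. It assumes nothing about Galaxy's internals: `risky_opcodes` inspects a pickle stream without loading it and reports the opcodes that can resolve or call objects, `RestrictedUnpickler` refuses every global reference so only plain data can be loaded, and `encode_state`/`decode_state` show the usual replacement for pickle in a form field, which is JSON. The sample states and the pickle that references `builtins.print` are constructed for the demonstration.

```python
import io
import json
import pickle
import pickletools

# Pickle opcodes that can resolve an importable name or invoke a callable.
# A stream made only of plain data (dicts, lists, strings, numbers) never
# needs any of these, so their presence in a state blob is a detection signal.
RISKY_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def risky_opcodes(data: bytes) -> set:
    """Return the set of risky opcode names present in a pickle stream.

    pickletools.genops disassembles the stream without executing it, so this
    is safe to run on untrusted input (e.g. in a log-review or WAF-style check).
    """
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & RISKY_OPCODES


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module-level name.

    Every code-execution path through pickle goes through find_class(), so
    raising here limits the loader to primitive containers and scalars.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle"
        )


def restricted_loads(data: bytes):
    """Load a pickle that may only contain plain data; raise otherwise."""
    if risky_opcodes(data):
        # Fail before the loader runs at all when the stream is obviously unsafe.
        raise pickle.UnpicklingError("pickle stream references globals or callables")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def encode_state(state: dict) -> str:
    """Serialise form state as JSON: no object instantiation on decode."""
    return json.dumps(state, sort_keys=True, separators=(",", ":"))


def decode_state(blob: str) -> dict:
    """Decode JSON form state and insist on a mapping at the top level."""
    state = json.loads(blob)
    if not isinstance(state, dict):
        raise ValueError("tool state must be a JSON object")
    return state


def demo() -> dict:
    """Run the checks on constructed inputs and return the observations."""
    plain_state = {"input1": "dataset_7", "threshold": 0.05, "flags": ["a", "b"]}
    plain_pickle = pickle.dumps(plain_state)
    # A pickle that merely references a builtin by name; harmless to load, but
    # it exercises the same GLOBAL/STACK_GLOBAL machinery the loader must refuse.
    global_ref_pickle = pickle.dumps(print)

    try:
        restricted_loads(global_ref_pickle)
        refused = False
    except pickle.UnpicklingError:
        refused = True

    return {
        "plain_is_flagged": bool(risky_opcodes(plain_pickle)),
        "global_ref_is_flagged": bool(risky_opcodes(global_ref_pickle)),
        "plain_loads": restricted_loads(plain_pickle) == plain_state,
        "global_ref_refused": refused,
        "json_roundtrip": decode_state(encode_state(plain_state)) == plain_state,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The opcode scan is useful on its own as a detection check over stored or logged state blobs: anything a legitimate form would produce decodes to plain data and never contains a GLOBAL, REDUCE or BUILD opcode. The JSON pair is the structural fix; the restricted unpickler is only a stop-gap for code paths that cannot be migrated immediately.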

Re: Galaxy Security Vulnerability

Dooley, Damion
Does this apply to all past Galaxy installs? I have an older Galaxy site I've been wanting to phase out rather than upgrade. For now I'd like to use a patch, but the site version (parent: 7148:17d57db9a7c0) predates any of the tags. I presume I'd have to just implement the patch by hand?

Regards,

Damion



Message: 7
Date: Thu, 31 Jul 2014 14:55:57 -0400
From: Nate Coraor <[hidden email]>
To: Galaxy Development <[hidden email]>,
        [hidden email]
Subject: [galaxy-dev] Galaxy Security Vulnerability
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="us-ascii"

A security vulnerability was recently discovered by Inge Alexander Raknes that would allow a malicious person to execute arbitrary code on a Galaxy server. The vulnerability was in a method that uses Python "pickle" functionality to decode state information from tool forms. Because pickles can be used to instantiate arbitrary Python objects, tool states could be constructed to exploit this vulnerability.
...

 - pickle-2013.01.13.patch - This patch should apply cleanly (with offset/fuzz) to releases from 2013.01.13 up to 2013.08.12, and possibly older versions of Galaxy as well. Available at: https://depot.galaxyproject.org/patch/pickle-2013.01.13.patch



Re: Galaxy Security Vulnerability

John Chilton-4
This bug predates Galaxy's transition to Mercurial, so I would definitely encourage applying the patch by hand and restarting Galaxy.

-John

On Tue, Aug 5, 2014 at 9:13 PM, Dooley, Damion <[hidden email]> wrote:

> Does this apply to all past galaxy installs?  I have an older galaxy site I've been wanting to phase out rather than upgrade. For now I'd like to use a patch but site version (parent: 7148:17d57db9a7c0 ) predates any of the tags.  I presume I'd have to just implement the patch by hand?
>
> Regards,
>
> Damion