A critical security vulnerability in Fedora's Pagure source code hosting platform could have allowed attackers to modify any package in the Linux distribution, security researchers revealed. The flaw, tracked as CVE-2024-47516, was discovered by researcher Thomas Chauchefoin.
The vulnerability stemmed from an argument injection weakness in the Pagure code that runs Git commands on hosted repositories: values taken from web requests were placed on Git's command line without being separated from Git's own options. By exploiting this flaw, attackers could write to arbitrary files on a Pagure instance, a primitive that can be chained into remote code execution.
"These bugs would have allowed us to modify any of the repositories stored on Pagure and thus the specification of any Fedora package to change its upstream sources, scripts or distribution patches," explained Chauchefoin in his analysis.
Three additional vulnerabilities were also uncovered:
- CVE-2024-4982: Path traversal vulnerability
- CVE-2024-4981: Symbolic link following issue in temporary clones
- CVE-2024-47515: Another symbolic link vulnerability in archive generation
The main exploit worked by injecting Git command-line options through Pagure's web interface: a request parameter that Pagure expected to be a repository identifier, such as a branch or commit name, was passed straight to Git, so a value beginning with "--" was parsed as an option rather than as a name. With an option that makes Git write its output to a chosen path, an attacker could create or overwrite files on the server, which could then be leveraged to gain unauthorized shell access.
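The following is an added example illustrating the general argument-injection pattern described above; it is not Pagure's code and does not reproduce the exact endpoint or file used in the disclosed exploit. It assumes a hypothetical web handler that receives a ref name from the URL and shells out to `git log`. The vulnerable builder puts the user-controlled value straight into argv, so a ref of `--output=/some/path` makes Git write the log (including attacker-controlled commit messages) to that path. The hardened builder validates the name against a subset of `git check-ref-format` rules and adds `--end-of-options` (Git 2.24 and later) so that Git stops option parsing even if validation is ever bypassed. The `demonstrate()` helper creates a throwaway repository and shows the file write when a `git` binary is available.

```python
import os
import re
import shutil
import subprocess
import tempfile


def build_log_argv_vulnerable(repo_path, ref):
    """Hypothetical vulnerable handler: the user-supplied ref lands directly in argv.

    Git sees "--output=/path" as an option, not as a revision, and writes the log there.
    """
    return ["git", "-C", repo_path, "log", "--format=%s", ref]


# Subset of git-check-ref-format rules plus a leading '-' ban: rejects option-like names,
# path tricks ("..", leading "/" or "."), control characters, and revision syntax (~ ^ : @{).
_BAD_REF = re.compile(r"^[-/.]|/\.|\.\.|@\{|[\x00-\x20\x7f~^:?*\[\\]|\.lock$|/$|\.$|^@$|//")


def is_safe_ref(ref):
    """True if `ref` is a plain branch/tag name that cannot be mistaken for a Git option."""
    return bool(ref) and not _BAD_REF.search(ref)


def build_log_argv_hardened(repo_path, ref):
    """Validate the name, then terminate option parsing before the positional argument."""
    if not is_safe_ref(ref):
        raise ValueError("invalid ref name: %r" % (ref,))
    # --end-of-options is defence in depth: anything after it is positional for Git.
    return ["git", "-C", repo_path, "log", "--format=%s", "--end-of-options", ref]


def demonstrate(tmpdir):
    """Show the file write with the vulnerable builder. Returns None if git is absent."""
    if shutil.which("git") is None:
        return None
    repo = os.path.join(tmpdir, "repo")
    os.makedirs(repo)
    # Constructed identity so commits work without a global git config.
    env = dict(os.environ, GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
               GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid")
    subprocess.run(["git", "init", "-q", repo], check=True, env=env)
    # The commit subject is attacker-controlled content that ends up in the written file.
    subprocess.run(["git", "-C", repo, "commit", "-q", "--allow-empty",
                    "-m", "attacker-controlled line"], check=True, env=env)
    target = os.path.join(tmpdir, "written-by-git")
    subprocess.run(build_log_argv_vulnerable(repo, "--output=" + target),
                   check=True, env=env, stdout=subprocess.DEVNULL)
    with open(target) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("vulnerable builder wrote:", demonstrate(tmp))
    for name in ("main", "feature/foo-bar", "--output=/tmp/x", "HEAD~1", "../escape"):
        print("%-20s safe=%s" % (name, is_safe_ref(name)))
```

The two layers are deliberate: validation gives a clean error for bad input, while `--end-of-options` (or, for commands that take paths rather than refs, a bare `--`) makes the argv shape itself safe. Relying on the separator alone is not enough for every Git subcommand, and relying on validation alone leaves one missed character class away from the original bug.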
The research team responsibly disclosed the vulnerabilities to Pagure maintainers through Red Hat's Bugzilla in April 2024. The issues were quickly patched on production systems within hours, with official fixes released in Pagure version 5.14.1 in May.
In an unrelated move, Fedora has decided to migrate from Pagure to Forgejo, a fork of the Gitea platform. This transition is expected to improve the security posture of Fedora's package hosting infrastructure.
The discovery highlights ongoing security challenges in software supply chain systems. While the specific vulnerabilities have been addressed, the researchers note that deeper architectural issues remain around how Git command lines are assembled from user-controlled input.