Security researchers have uncovered multiple critical vulnerabilities in Fedora's Pagure code hosting platform that could have enabled supply chain attacks against the Linux distribution.
The most severe flaw, tracked as CVE-2024-47516, is an argument injection that let an attacker write files on the server and, through that, inject code into any repository hosted on a Pagure instance. On Fedora's infrastructure this could have been used to modify package spec files and compromise the software supply chain.
Three additional vulnerabilities were also discovered:
- A path traversal vulnerability (CVE-2024-4982)
- Two symbolic link following issues in repository file handling (CVE-2024-4981 and CVE-2024-47515)
Each of these flaws gave an attacker a way to tamper with repository contents and package specifications, and so to introduce malicious code into the distribution pipeline.
The main vulnerability stemmed from the way Pagure built git command lines on the server: user-controlled values such as branch and reference names were passed straight into the argument list of `git log`. Git parses a value that begins with `--` as an option rather than a revision, and `git log` accepts, for instance, an `--output=<file>` option that redirects its output to a file, so an injected argument turns a log viewer into a write of attacker-influenced content to any path the service account can reach.
The researchers chained this with Pagure's SSH access model, in which users push and pull through a single `git` system account. Overwriting that account's `.bashrc` meant the planted commands ran the next time anyone connected over SSH: bash sources `~/.bashrc` even for the non-interactive shells sshd spawns to run a git command on most distributions. The result was shell-level command execution on the Pagure server.
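The following is an added illustration of the bug class described in the two paragraphs above, written for this page and not taken from Pagure's code. It shows the unsafe pattern of placing a request-supplied ref in `git log`'s argument list beside a hardened version that validates the ref against a subset of git's ref-name rules and places it after `--end-of-options` (supported by Git 2.24 and later). The repository path, the ref names and the `/home/git/.bashrc` payload are constructed examples.

```python
"""Argument injection into `git log`, and a hardened ref handler.

Added example, not Pagure's own code.  A branch or ref name taken from the
request is placed where git reads options, so a ref such as
`--output=/home/git/.bashrc` turns a log viewer into a file write.  All paths
and ref names below are constructed for illustration.
"""
import re
import subprocess

# Constructed payload: git reads this as the --output option of `git log`.
MALICIOUS_REF = "--output=/home/git/.bashrc"


def log_argv_vulnerable(repo_path: str, ref: str) -> list[str]:
    """Mirror the unsafe pattern: the user-supplied ref goes straight into argv.

    git parses argv left to right and treats a leading `--` as an option, so
    the value is never compared against the repository's refs at all.
    """
    return ["git", "-C", repo_path, "log", "-1", ref]


# Control characters, space, DEL and the characters git forbids in ref names.
_BAD_REF_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def validate_ref(ref: str) -> str:
    """Reject anything git could read as an option or as an invalid ref name.

    Subset of the rules enforced by `git check-ref-format`: no leading '-',
    no '..', '@{' or empty path components, none of the characters matched by
    _BAD_REF_CHARS, no component starting with '.' or ending in '.lock', and
    no trailing '/' or '.'.  Returns the ref unchanged when it is acceptable.
    """
    if not ref or ref.startswith("-"):
        raise ValueError(f"ref looks like an option: {ref!r}")
    if ".." in ref or "@{" in ref or _BAD_REF_CHARS.search(ref):
        raise ValueError(f"invalid characters in ref: {ref!r}")
    if ref.endswith("/") or ref.endswith(".") or ref == "@":
        raise ValueError(f"invalid ref: {ref!r}")
    for component in ref.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            raise ValueError(f"invalid ref component in {ref!r}")
    return ref


def log_argv_hardened(repo_path: str, ref: str) -> list[str]:
    """Validate the ref, then isolate it with `--end-of-options` and `--`.

    Both layers matter: validation rejects the payload outright, and
    `--end-of-options` tells git that nothing after it is an option, so a
    future validator bug cannot reintroduce option injection.  The trailing
    `--` ends the revision list so the ref cannot be taken as a pathspec.
    """
    ref = validate_ref(ref)
    return ["git", "-C", repo_path, "log", "-1", "--end-of-options", ref, "--"]


def run_log(argv: list[str]) -> str:
    """Run a built command line (git must be installed).  Not used by the demo."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    repo = "/srv/git/example.git"  # constructed path
    print("vulnerable argv:", log_argv_vulnerable(repo, MALICIOUS_REF))
    try:
        log_argv_hardened(repo, MALICIOUS_REF)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened argv:  ", log_argv_hardened(repo, "feature/fix-1"))
```

The point of keeping both checks is that the validator is the part most likely to drift as the application grows, while `--end-of-options` is a property of git itself; a `git check-ref-format` call or `git rev-parse --verify` against the repository would be a stronger replacement for the hand-written rules where spawning an extra process is acceptable.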
The vulnerabilities were reported to Red Hat in April 2024, and the production instances were patched within hours. Pagure version 5.14.1, released in May, fixes all four reported issues.
Separately, Fedora has decided to migrate from Pagure to Forgejo, a fork of the Gitea platform. The transition is expected to improve the security posture of Fedora's package hosting infrastructure.
The discovery highlights the ongoing security challenges in software supply chain systems, and in particular the need to treat every user-supplied value that reaches a command line as untrusted input in the platforms developers rely on.