Giteabot account was compromised

[lafriks]

We are currently investigating suspiscious activity from an account with write access priviledge to go-gitea organization. A binary was added to releases across multiple go-gitea repositories. We cleaned up all releases and drop temporarily access from the account. We will investigate futhermore to understand what really happen to prevent it in the future and be transparent with you trough the process. In the meantime, if you find any suspicious activity please report them under this issue.

UPDATE: No source code or other Gitea infrastructure was affected, including https://dl.gitea.io/ so it's safe to use it to download Gitea binaries.

GitHub account that was hacked is under full control and also have set 2FA so this should not happen in future again.

What was done:

• Most of go-gitea organization repositories new release&tag was created with name 0 and added install.exe binary (13KB in size) to that release that was malicious (from our analysis contained crypto currency miner). All these releases and binaries was deleted within 2-3 hours from when they were added.
• Also 1.4.2 release windows Gitea .exe binary on GitHub was replaced by same 13K binary as above. So if Gitea is working, you are safe.
• Just in case we did retag 1.4.2 to trigger CI to rebuild binaries so sha256 will be different now as it was before retag.

We have contacted GitHub but have not received any answer from them, yet

UPDATE2:
No actual gitea binaries were compromised so all hashes mentioned in comments below are safe.

SHA256 of malicious .exe file:
bfc5a0358b1ad76ffbc1e1f4670bd3240536e2fbac88272cee3003322a15fffe

UPDATE3:
v1.4.2 has been rereleased at about 2018-06-07 20:00:00 UTC+08

[daviian]

In the meantime please be careful when downloading our released binaries, especially the windows ones, until further notice. E.g. keep an eye on the size of the binaries, or a double .exe file ending.
We've found out our .exe binaries within release 1.4.2 were altered as well.

We work hard to follow all trails, clean up and get back to daily business as soon as possible.

[Mauladen]

@daviian Maybe then it is necessary to sign releases?

[daviian]

@Mauladen Thank you for your input. We definitely will discuss this.

[OmarAssadi]

Ouch! Yeah, signed binaries would be ideal.

[Mauladen]

[daviian]

@Mauladen We've rebuilt the binaries for 1.4.2 release just to be sure we provide safe ones.

Or did you mean something else?

[lafriks]

This is normal. We retaged 1.4.2 to retrigger CI to rebuild binaries as windows binary for that release was removed and there was added new one malicious one

[axifive]

@daviian, Maybe @Mauladen meant that 1.4.2 release commit without GPG signature, but 1.4.1 was

[Mauladen]

Still need to edit the list of changes

[sapk]

@axifive commit where not gpg signed by user but github that does it automaticaly (with github key) when the merger is the same the PR author. I wouldn't it consider more safer because if github account were compromised I will been also show as "verified". But we could start to sign tag from now (to be discuss). For information we are, working on signing binary since it is more easy to corrumpt thzan binary as the git commit tree.

[hasufell]

You should upload a tarball created by git-archive (in addition to those that github automatically generates) which you sign with signify. You can get an idea on how that works/looks here:

• https://github.com/nicklan/pnmixer/blob/master/MAINTAINING.md#releasing
• https://github.com/nicklan/pnmixer/releases/tag/v0.7.2

Libressl uses the same technology.

[CountMurphy]

Is there anymore information on this? What was the payload of the binary? Are users going to be informed about this through a blog post or anything? Were any of the linux binaries compromised? I'm rather concerned about what these things may have done to my servers. I'm doubly concerned that I only found out about this browsing the issue page by chance vs an official notice on the project page/blog

[asiekierka]

Is the Gitea 1.4.2 release safe to update to from source code at this point in time?