A security vulnerability was recently discovered by Inge Alexander Raknes that
would allow a malicious person to execute arbitrary code on a Galaxy server.
The vulnerability was in a method that uses Python "pickle" functionality to
decode state information from tool forms. Because pickles can be used to
instantiate arbitrary Python objects, tool states could be constructed to
exploit this vulnerability.
Because this vulnerability allows for arbitrary code execution, administrators
are strongly encouraged to apply this fix IMMEDIATELY. We have tried to make it
as easy and quick as possible for server administrators to update their Galaxy
instances. The fix has been applied to every stable release from 2013.01.13
until the tip, so it is possible to get this fix on older releases without
updating to a newer feature release. You can do this by identifying your
current release and updating to the `latest_<release_date>` tag corresponding
to your release.
For example, if you are running release_2013.11.04 (or a subsequent commit to
the stable branch of Galaxy between release_2013.11.04 and release_2014.02.10),
you can update with:
% hg pull
% hg update latest_2013.11.04
For the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER PROCESSES.
If you do not want to pull any upstream changes, we have also created a
standalone patch that fixes this problem, with multiple versions depending on
your current Galaxy release:
- pickle-2013.11.04.patch - This patch should apply cleanly (with offset/fuzz)
to releases from 2013.11.04 up to the current stable tip. Available at:
- pickle-2013.01.13.patch - This patch should apply cleanly (with offset/fuzz)
to releases from 2013.01.13 up to 2013.08.12, and possibly older versions of
Galaxy as well. Available at:
If you happen to be running a very recent revision on the default branch or
the newly created next-stable branch, a pickle-default.patch file exists at the
For older releases or instances with conflicting local modifications, manual
application of the patch should not be difficult as it only includes a few
small changes. To apply the patch, navigate to the root of your Galaxy
directory, then run (replacing <url_to_patch> with the URL above that is
correct for your release):
% wget -O pickle.patch <url_to_patch>
% curl -o pickle.patch <url_to_patch>
% patch -p1 < pickle.patch
patching file lib/galaxy/util/__init__.py
Hunk #1 succeeded at 575 with fuzz 2 (offset -113 lines).
patching file lib/galaxy/webapps/galaxy/controllers/ucsc_proxy.py
Again, for the changes to take effect, YOU MUST RESTART ALL GALAXY SERVER
The Galaxy Team would like to extend special thanks to Inge Alexander Raknes
and colleagues, who privately disclosed the vulnerability, with a full analysis
and proof of concept.
Credit for the fix and subsequent testing goes to my fellow Galaxy Team members
John Chilton and Dannon Baker.
On behalf of the Galaxy Team,
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
To search Galaxy mailing lists use the unified search at: