oss-sec mailing list archives
Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3
From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 23 Dec 2013 20:05:55 +0100
Hi,

On Mon, Oct 21, 2013 at 02:18:21PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/20/2013 10:54 PM, Sitaram Chamarty wrote:
> > Announcement:
> > https://groups.google.com/forum/#!topic/gitolite/Tu1sjaf7A4A/discussion
> >
> > Code change:
> > https://github.com/sitaramc/gitolite/commit/3dad4f8e3214d6ab5f71823019a624fa48b055a3
> > (or)
> > http://code.google.com/p/gitolite/source/detail?r=3dad4f8e3214d6ab5f71823019a624fa48b055a3#
> >
> > Brief description (main points of announcement):
> >
> > Fresh installs between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive,
> > create a few world writable files. Sites which installed before that
> > date are not affected, even if they subsequently upgraded to the faulty
> > commit or beyond. Affected sites need to run a one-time 'chmod -R' to fix.
>
> Please use CVE-2013-4451 for this issue.
A small side note on this CVE: David Bremner found that gitolite previous to that commit also was vulnerable to a local filesystem information leak: depending on the umask of the user running gitolite setup, it might create world readable files in the repositories, in particular the gitolite-admin one. As an example, in the Debian packaging postinst, [1] would result in a world-readable /var/lib/gitolite3/repositories/gitolite-admin.git.

[1] http://sources.debian.net/src/gitolite3/3.5.2-1/debian/postinst#L74

But this actually might not need a separate CVE for this issue (although different versions are affected, if I understand it correctly both fall under CWE-276, Incorrect Default Permissions?).

Regards,
Salvatore
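The two CWE-276 conditions discussed in this thread (world-writable entries from the faulty fresh-install commits, and world-readable entries whose presence depends on the umask of the user running the setup) can both be audited with `find -perm`. The script below is an added example and is not code from gitolite, from the Debian packaging, or from any poster in the thread. It builds a constructed stand-in for a freshly created repositories tree under a chosen umask, counts the entries each check reports, and applies a recursive chmod; the sample tree layout, the path names and the remediation mode (`o-rwx`) are this example's assumptions, since the announcement only says "a one-time 'chmod -R'" without naming a mode.

```shell
#!/bin/sh
# Added example, not code from the gitolite project or from the thread above.
# Audits a repositories tree for the two CWE-276 conditions discussed:
#   - world-writable entries (the v3.5.3 fresh-install issue)
#   - world-readable entries (the umask-dependent leak David Bremner found)
# and shows how the umask in effect while the tree is created decides which
# of them appear. Tree layout, paths and the o-rwx remediation mode are
# assumptions made for this demonstration.

# Print every entry under $1 whose "other" write bit (002) is set.
find_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Print every entry under $1 whose "other" read bit (004) is set.
find_world_readable() {
    find "$1" -perm -004 -print | sort
}

# Remediation: strip all "other" bits recursively. The thread only says
# "chmod -R"; o-rwx is the mode this example assumes for a private tree.
fix_other_bits() {
    chmod -R o-rwx "$1"
}

# Build a constructed stand-in for what a setup run creates (a repositories
# directory holding gitolite-admin.git with a config file and a hook) at $2,
# with umask $1 in effect. The subshell keeps the umask change local.
build_sample_tree() {
    (
        umask "$1"
        mkdir -p "$2/gitolite-admin.git/hooks"
        : > "$2/gitolite-admin.git/config"
        : > "$2/gitolite-admin.git/hooks/update"
    )
}

# Build a tree under umask $1, optionally remediate it ($3 = "fix"), and
# print how many entries the checker named in $2 reports. The tree has five
# entries (repositories dir, repo dir, hooks dir, config, hook), so 5 means
# every entry is exposed and 0 means none is.
count_entries() {
    tmp=$(mktemp -d)
    root="$tmp/repositories"
    build_sample_tree "$1" "$root"
    if [ "${3:-}" = "fix" ]; then
        fix_other_bits "$root"
    fi
    "$2" "$root" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# Stand-alone demonstration.
echo "world-readable entries, umask 022: $(count_entries 022 find_world_readable)"
echo "world-readable entries, umask 077: $(count_entries 077 find_world_readable)"
echo "world-writable entries, umask 000: $(count_entries 000 find_world_writable)"
echo "world-writable entries, umask 022: $(count_entries 022 find_world_writable)"
echo "world-readable entries, umask 022, after chmod -R o-rwx: $(count_entries 022 find_world_readable fix)"
```

Running `find_world_readable` or `find_world_writable` against a real repositories directory lists the entries an administrator would want to review; the umask 022 case reproduces the Debian postinst situation described above, where every entry of the freshly created gitolite-admin repository ends up world-readable, while umask 077 produces none.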
Current thread:
- CVE Request: gitolite world writable files for fresh installs of v3.5.3 Sitaram Chamarty (Oct 20)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Kurt Seifried (Oct 21)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Salvatore Bonaccorso (Dec 23)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 cve-assign (Dec 23)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Salvatore Bonaccorso (Dec 23)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Kurt Seifried (Oct 21)