Re: pagure: private repositories accessible through ssh

[Patrick Uiterwijk <puiterwijk () redhat com>]

On Sat, Jul 22, 2017 at 2:20 PM, Stefan Bühler <stbuehler () lighttpd net> wrote:
> Hi,
>
> pagure [1], a git-centered forge, supports private repositories [2]:
>
> > PRIVATE_PROJECTS
> > ~~~~~~~~~~~~~~~~
> >
> > This configuration key allows you to host private repositories. These
> > repositories are visible only to the creator of the repository and to
> > the users who are given access to the repository.  No information is
> > leaked about the private repository which means redis doesn't have the
> > access to the repository and even fedmsg doesn't get any
> > notifications.
> >
> > Defaults to: ``False``
>
> But the gitolite config, which is used to configure SSH-access, allows
> "@all" users to access all repositories - private or not.
>
> I proposed the attached patch upstream in [3].

This issue has been assigned CVE-2017-1002151.

> After patching you should ensure gitolite.conf gets regenerated from
> scratch.
>
> cheers,
> Stefan
>
> [1]: https://pagure.io/pagure
> [2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
> [3]: https://pagure.io/pagure/pull-request/2426

Patrick