Bug 12187

Summary: gitolite new security issue CVE-2013-7203
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dmorganec, mageia, makowski.mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Alerts/578968/
Whiteboard: MGA3TOO
Source RPM: gitolite, gitolite3 CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 11726    

Description David Walser 2014-01-03 17:11:14 CET 
Fedora has issued an advisory on December 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125611.html

The issue is fixed upstream in 3.5.3.1.

It's unclear why we have a gitolite3 package that's actually an older version of gitolite 3.x than the gitolite package is.  Maybe it could be obsoleted?

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-03 17:11:55 CET

CC: (none) => boklm, dmorganec, mageia
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO

Comment 1 Philippe Makowski 2014-01-04 16:43:14 CET 
according to discussion here:

https://groups.google.com/forum/#!topic/gitolite/Tu1sjaf7A4A/discussion

which in particular states:

"If you *are* affected, (i.e., you did a fresh install of gitolite 
between fa06a34 and v3.5.3), merely upgrading will NOT fix the problem, 
and you *must* do a one-time chmod fixup as described below. "

the chmod fixup is noted in the workaround section (which is probably useful information to have put here...)

"
  - EXISTING INSTALLS: if it affects you (see next section for details), 
    you need to do a one-time 'chmod -R go-rwx' (or such) on 
    ~/.gitolite.rc, ~/.gitolite, and ~/repositories/gitolite-admin.git
"

Finally, the commit that introduced this was fa06a34, which set the umask as early as possible and was committed on September 3 2013 (https://github.com/sitaramc/gitolite/commit/fa06a34) and as a result earlier versions are _NOT_ affected.

Given that we provide :
gitolite 3.5.1 that was released 2013-03-27 , it's not affected.
gitolite3 3.04 that was released 2012-06-26, it's not affected.
gitolite 3.3 that was released 2012-12-29, it's not affected.

so we are not affected

Status: NEW => RESOLVED
CC: (none) => makowski.mageia
Resolution: (none) => INVALID

Comment 2 Philippe Makowski 2014-01-04 16:44:23 CET 
(In reply to David Walser from comment #0)
> It's unclear why we have a gitolite3 package that's actually an older
> version of gitolite 3.x than the gitolite package is.  Maybe it could be
> obsoleted?
gitolite3 is no longer present in Cauldron
Comment 3 David Walser 2014-01-04 17:27:17 CET 
D Morgan just removed gitolite3 from Cauldron.  gitolite should probably obsolete it.
Nicolas Vigier 2014-05-08 18:06:56 CEST

CC: boklm => (none)