Bug 17495

Summary: cgit new security issues CVE-2016-1899, CVE-2016-1900, CVE-2016-1901
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/673018/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: cgit-0.11.2-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-01-14 18:29:43 CET 
Three CVEs have been assigned for security issues fixed in cgit 0.12:
http://openwall.com/lists/oss-security/2016/01/14/6

Mageia 5 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2016-01-14 18:29:52 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Colin Guthrie 2016-01-15 10:24:51 CET 
I'm just going to update to cgit 0.12 unless anyone shouts otherwise.
Comment 2 David Walser 2016-01-22 14:39:36 CET 
OpenSuSE has issued an advisory for this today (January 22):
http://lists.opensuse.org/opensuse-updates/2016-01/msg00067.html

They also updated to 0.12, so that seems to be the best course of action.
Comment 3 David Walser 2016-01-22 18:49:01 CET 
Updated packages uploaded for Mageia 5 and Cauldron by Colin.

Advisory:
========================

Updated cgit package fixes security vulnerabilities:

Reflected Cross Site Scripting and Header Injection in Mimetype Query String
in cgit before 0.12 (CVE-2016-1899).

Stored Cross Site Scripting and Header Injection in Filename Parameter in
cgit before 0.12 (CVE-2016-1900).

Integer Overflow resulting in Buffer Overflow in cgit before 0.12
(CVE-2016-1901).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1901
http://lists.opensuse.org/opensuse-updates/2016-01/msg00067.html
========================

Updated packages in core/updates_testing:
========================
cgit-0.12-1.mga5

from cgit-0.12-1.mga5.src.rpm

Version: Cauldron => 5
CC: (none) => mageia
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)

David Walser 2016-01-22 18:49:15 CET

URL: (none) => http://lwn.net/Vulnerabilities/673018/

Comment 4 William Kenney 2016-02-02 18:35:10 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga5.i586 is already installed

http://localhost/cgit gets the following webpage:

cgit logo 	Git repository browser
a fast webinterface for the git dscm
index	
No repositories found
generated by cgit v0.11.2 at 2016-02-02 17:26:08 (GMT)

I'd say that confirms that cgit got installed and is working.

install cgit from updates_testing

Reboot system

[root@localhost wilcal]# urpmi cgit
Package cgit-0.12-1.mga5.i586 is already installed

http://localhost/cgit gets the following webpage:

cgit logo 	Git repository browser
a fast webinterface for the git dscm
index	
No repositories found
generated by cgit v0.12 at 2016-02-02 17:32:52 (GMT)

cgit got updated and is working.

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

Comment 5 William Kenney 2016-02-02 18:56:01 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga5.x86_64 is already installed

http://localhost/cgit gets the following webpage:

cgit logo 	Git repository browser
a fast webinterface for the git dscm
index	
No repositories found
generated by cgit v0.11.2 at 2016-02-02 17:45:11 (GMT)

Confirms that cgit got installed and is working.

install cgit from updates_testing

Reboot system

[root@localhost wilcal]# urpmi cgit
Package cgit-0.12-1.mga5.x86_64 is already installed

http://localhost/cgit gets the following webpage:

cgit logo 	Git repository browser
a fast webinterface for the git dscm
index	
No repositories found
generated by cgit v0.12 at 2016-02-02 17:32:52 (GMT)

cgit got updated and is working.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Comment 6 William Kenney 2016-02-02 18:56:33 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-02-03 02:52:25 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2016-02-05 18:27:40 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0047.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED