Bug 23398

Summary: cgit new security issue CVE-2018-14912
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: High CC: cjw, mageia, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga6-64-ok, mga6-32-ok
Source RPM: cgit-0.12-4.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-08-06 21:42:00 CEST 
Debian has issued an advisory on August 4:
https://www.debian.org/security/2018/dsa-4263

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-06 21:42:24 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-07 07:30:17 CEST 
Assigning to all packagers collectively, since the registered maintainer for this package, Colin, is likely unavailable.

Also CC'ing cjw, who once rebuilt this package.

CC: (none) => cjw, mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-08-14 23:39:39 CEST 
Fedora has issued an advisory for this today (August 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AJGHSPWQTKGAQBXOKAFW5SB4TPIEFITP/
Comment 3 Thomas Backlund 2018-08-23 23:43:51 CEST 

Cauldron fixed in:  cgit-0.12-5.mga7



Fixed mga6 packages:

SRPM:
cgit-0.12-3.1.mga6.src.rpm


i586:
cgit-0.12-3.1.mga6.i586.rpm


x86_64:
cgit-0.12-3.1.mga6.x86_64.rpm

Version: Cauldron => 6
Severity: normal => critical
Priority: Normal => High
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)

Comment 4 Thomas Backlund 2018-08-23 23:58:26 CEST 
confirmed fix working on x86_64

Whiteboard: (none) => MGA6-64-OK

Comment 5 Thomas Backlund 2018-08-24 00:06:45 CEST 
Advisory, added to svn:

type: security
subject: Updated cgit packages fix security vulnerability
CVE:
 - CVE-2018-14912
src:
  6:
   core:
     - cgit-0.12-3.1.mga6
description: |
  Jann Horn discovered a directory traversal vulnerability in cgit, a fast
  web frontend for git repositories written in C. A remote attacker can take
  advantage of this flaw to retrieve arbitrary files via a specially crafted
  request, when 'enable-http-clone=1' (default) is not turned off.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23398
 - https://www.debian.org/security/2018/dsa-4263

Keywords: (none) => advisory

Comment 6 Thomas Backlund 2018-08-24 01:02:37 CEST 
Works on mga infra, and tested on 32bit vm...

validating

Keywords: (none) => validated_update
Whiteboard: MGA6-64-OK => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-08-24 01:36:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0351.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED