Bug 23398 - cgit new security issue CVE-2018-14912
Summary: cgit new security issue CVE-2018-14912
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok, mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-06 21:42 CEST by David Walser
Modified: 2018-08-24 01:36 CEST

See Also:
Source RPM: cgit-0.12-4.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-08-06 21:42:00 CEST
Debian has issued an advisory on August 4:
https://www.debian.org/security/2018/dsa-4263

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-08-06 21:42:24 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-07 07:30:17 CEST
Assigning to all packagers collectively, since the registered maintainer for this package, Colin, is likely unavailable.

Also CC'ing cjw, who once rebuilt this package.

CC: (none) => cjw, mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-08-14 23:39:39 CEST
Fedora has issued an advisory for this today (August 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AJGHSPWQTKGAQBXOKAFW5SB4TPIEFITP/

Comment 3 Thomas Backlund 2018-08-23 23:43:51 CEST

Cauldron fixed in:  cgit-0.12-5.mga7



Fixed mga6 packages:

SRPM:
cgit-0.12-3.1.mga6.src.rpm


i586:
cgit-0.12-3.1.mga6.i586.rpm


x86_64:
cgit-0.12-3.1.mga6.x86_64.rpm

Version: Cauldron => 6
Severity: normal => critical
Priority: Normal => High
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)

Comment 4 Thomas Backlund 2018-08-23 23:58:26 CEST
confirmed fix working on x86_64

Whiteboard: (none) => MGA6-64-OK

Comment 5 Thomas Backlund 2018-08-24 00:06:45 CEST
Advisory, added to svn:

type: security
subject: Updated cgit packages fix security vulnerability
CVE:
 - CVE-2018-14912
src:
  6:
   core:
     - cgit-0.12-3.1.mga6
description: |
  Jann Horn discovered a directory traversal vulnerability in cgit, a fast
  web frontend for git repositories written in C. A remote attacker can take
  advantage of this flaw to retrieve arbitrary files via a specially crafted
  request, when 'enable-http-clone=1' (default) is not turned off.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23398
 - https://www.debian.org/security/2018/dsa-4263

Keywords: (none) => advisory

Comment 6 Thomas Backlund 2018-08-24 01:02:37 CEST
Works on mga infra, and tested on 32bit vm...

validating

Keywords: (none) => validated_update
Whiteboard: MGA6-64-OK => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-08-24 01:36:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0351.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

