Bug 23680 - gitolite new security issue CVE-2018-16976
Summary: gitolite new security issue CVE-2018-16976
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-13 00:37 CEST by David Walser
Modified: 2018-11-03 12:56 CET
CC: 8 users

See Also:
Source RPM: gitolite-3.6.7-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-10-13 00:37:05 CEST
openSUSE has issued an advisory on October 5:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00019.html

The issue is fixed upstream in 3.6.9.

Mageia 6 is also affected.
David Walser 2018-10-13 00:37:21 CEST

CC: (none) => ngompa13, shlomif
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-13 08:35:29 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-10-15 23:04:56 CEST
Fedora has issued an advisory for this on September 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FW77TT3SZUDFVK3UYO6WNT7GFUHWXDUO/
Comment 3 Bruno Cornec 2018-10-21 19:08:07 CEST
gitolite 3.6.10 uploaded to cauldron and mga6

Status: NEW => ASSIGNED
CC: (none) => bruno
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 David Walser 2018-10-21 19:35:47 CEST
Advisory:
========================

Updated gitolite package fixes security vulnerability:

Gitolite before 3.6.9 does not (in certain configurations involving @all or a
regex) properly restrict access to a Git repository that is in the process of
being migrated until the full set of migration steps has been completed. This
can allow valid users to obtain unintended access (CVE-2018-16976).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16976
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FW77TT3SZUDFVK3UYO6WNT7GFUHWXDUO/
========================

Updated packages in core/updates_testing:
========================
gitolite-3.6.10-1.mga6

from gitolite-3.6.10-1.mga6.src.rpm

Severity: normal => major

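The advisory above names "configurations involving @all or a regex" without showing what such a gitolite.conf looks like or how to find those rule blocks in a deployment. The script below is an added audit helper written for this page; it is not gitolite's own code and not part of the Mageia advisory. It parses a gitolite.conf, expands repo-side @groups, and reports every `repo` block whose repository side is `@all` or a name gitolite would treat as a regex (a "wild" repo), since those are the only rules that can match a repository that is not yet named in the conf; it also records whether the block grants to `@all` on the user side. The `REPONAME_PATT` expression is an assumption that mirrors gitolite 3's repo-name classification and should be checked against the installed version; `SAMPLE_CONF` is a constructed input, not a real configuration. The script inventories the rule class the advisory calls out and does not decide exploitability; the fix is still to move to 3.6.9 or later.

```python
"""Inventory gitolite.conf rule blocks whose repo side is @all or a regex.

Added audit helper for the CVE-2018-16976 advisory; not gitolite code.
"""
import re

# Assumption: mirrors gitolite 3's REPONAME_PATT.  A repo name that does NOT
# match this is treated by gitolite as a regex pattern ("wild repo").
REPONAME_PATT = re.compile(r"^@?[0-9a-zA-Z][0-9a-zA-Z._@/+-]*$")
# A rule line starts with a permission token; a group definition starts with '@name ='.
PERM_RE = re.compile(r"^(-|C|R|RW\+?[CDM]*)$")


def is_pattern(name):
    """True when gitolite would treat this repo name as a regex, not a literal."""
    return REPONAME_PATT.match(name) is None


def parse_conf(text):
    """Return (groups, blocks).

    groups: {'@name': [members]} from '@name = ...' lines.
    blocks: [{'repos': [...], 'rules': [(perm, refex, [users])]}] in file order.
    include/subconf/config/option lines carry no access rules and are skipped.
    """
    groups, blocks = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.split()[0] in ("include", "subconf", "config", "option"):
            continue
        if line.startswith("repo "):
            blocks.append({"repos": line.split()[1:], "rules": []})
            continue
        if "=" not in line:
            continue
        lhs, rhs = (side.strip() for side in line.split("=", 1))
        lhs_tokens = lhs.split()
        if len(lhs_tokens) == 1 and lhs_tokens[0].startswith("@"):
            groups.setdefault(lhs_tokens[0], []).extend(rhs.split())
        elif lhs_tokens and PERM_RE.match(lhs_tokens[0]) and blocks:
            refex = lhs_tokens[1] if len(lhs_tokens) > 1 else ""
            blocks[-1]["rules"].append((lhs_tokens[0], refex, rhs.split()))
    return groups, blocks


def expand(names, groups, seen=None):
    """Expand @groups to leaf names.  @all is kept as-is (gitolite never expands
    it); undefined groups are kept as leaves; cycles are cut with 'seen'."""
    seen = set() if seen is None else seen
    leaves = []
    for n in names:
        if n == "@all" or not n.startswith("@") or n not in groups:
            leaves.append(n)
        elif n not in seen:
            seen.add(n)
            leaves.extend(expand(groups[n], groups, seen))
    return leaves


def audit(text):
    """One finding per rule block whose repo side is @all or a regex pattern."""
    groups, blocks = parse_conf(text)
    findings = []
    for block in blocks:
        leaves = expand(block["repos"], groups)
        patterns = [n for n in leaves if is_pattern(n)]
        if "@all" in leaves or patterns:
            findings.append({
                "repos": block["repos"],
                "reason": "@all" if "@all" in leaves else "regex:" + ",".join(patterns),
                "grants_to_all": any("@all" in users for _, _, users in block["rules"]),
            })
    return findings


# Constructed sample configuration (hypothetical; not from any real deployment).
SAMPLE_CONF = """
@admins   = alice bob
@wild     = CREATOR/[a-z].* sandbox/..*

repo gitolite-admin
    RW+   = @admins

repo testing                 # plain name: rules only ever match 'testing'
    RW+   = @all

repo @all                    # matches every repo, listed in the conf or not
    R     = @admins

repo @wild                   # group that expands to regex repo names
    C     = @all
    RW+   = CREATOR
    R     = READERS

repo foo/..*
    RW+ master = @admins
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with `audit(open('/var/lib/gitolite/.gitolite/conf/gitolite.conf').read())` (path from the `GL_ADMIN_BASE` value printed in Comment 5's `query-rc` output). Any block it reports is one where a repository that already exists on disk but has not yet been added to the conf may be reachable through that block's rules; the `testing` block in the sample is deliberately not reported, because its `@all` is on the user side and its repo name is a literal.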
Comment 5 Herman Viaene 2018-10-30 12:11:16 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Found http://www.bigfastblog.com/gitolite-installation-step-by-step to try to set up gitolite on the laptop itself. This implies skipping all the clone and install steps, so at the CLI as the gitolite user:
$ ssh-keygen -t rsa -f gitolitekey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in gitolitekey.
Your public key has been saved in gitolitekey.pub.
etc.....
$ gitolite setup -pk gitolitekey.pub
Initialized empty Git repository in /var/lib/gitolite/repositories/gitolite-admin.git/
Initialized empty Git repository in /var/lib/gitolite/repositories/testing.git/

I did not venture any further than checking that all files are there AFAICS; I am far from fluent at git.
Just tried three other commands:
$ gitolite list-users
@all
gitolitekey
$ gitolite list-repos
gitolite-admin
testing
$ gitolite query-rc -a
ACCESS_1=ARRAY(0x86cb248)
COMMAND=ARRAY(0x86e33a0)
COMMANDS=HASH(0x86c10a0)
ENABLE=ARRAY(0x86c1830)
GIT_CONFIG_KEYS=
GL_ADMIN_BASE=/var/lib/gitolite/.gitolite
GL_BINDIR=/usr/share/gitolite
GL_LIBDIR=/usr/share/gitolite/lib
GL_LOGFILE=/var/lib/gitolite/.gitolite/logs/gitolite-2018-10.log
GL_REPO_BASE=/var/lib/gitolite/repositories
GL_TID=394
LOG_EXTRA=1
LOG_TEMPLATE=/var/lib/gitolite/.gitolite/logs/gitolite-%y-%m.log
POST_COMPILE=ARRAY(0x86e3320)
POST_CREATE=ARRAY(0x86e3350)
ROLES=HASH(0x86c16a0)
UMASK=63
All looks reasonable to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 6 Thomas Andrews 2018-11-02 14:51:05 CET
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-11-03 11:50:32 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2018-11-03 12:56:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0434.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED