Attachment #257002 for bug #284360

View | Details | Raw Unified | Return to bug 284360
Collapse All | Expand All




  <vuln vid="752a81cb-dbd4-11ef-a489-a78527073c14">
    <topic>gitea -- enforce attachment file type restrictions</topic>
    <affects>
      <package>
	<name>gitea</name>
	<range><lt>1.23.0</lt></range>
      </package>
    </affects>
    <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
       <p>The Gitea project reports:</p>
       <blockquote cite="https://github.com/go-gitea/gitea/releases/tag/v1.23.0">
         <p>Issue posters and users with repository write access are able to
         edit attachment names in a way that circumvents the instance-level
         file extension restrictions using the edit attachment APIs.  [...]
         Add checks for these endpoints.</p>
       </blockquote>
      </body>
    </description>
    <references>
      <url>https://github.com/go-gitea/gitea/pull/32151</url>
    </references>
    <dates>
      <discovery>2024-11-06</discovery>
      <entry>2024-01-26</entry>
    </dates>
  </vuln>

  <vuln vid="41711c0d-db27-11ef-873e-8447094a420f">
    <topic>Vaultwarden -- Muiltiple vulnerabilities</topic>
    <affects>




PORTNAME=	gitea
DISTVERSIONPREFIX=	v
DISTVERSION=	1.23.1
PORTREVISION=	1
CATEGORIES=	www
MASTER_SITES=	https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \
		https://dl.gitea.io/gitea/${DISTVERSION}/


RUN_DEPENDS=	git:devel/git

USES=		cpe gmake go:1.23,no_targets
USE_RC_SUBR=	gitea

EXTRACT_AFTER_ARGS=	--strip-components 1 # since 1.17.0, archive includes gitea-src-VERSION directory

	@${MKDIR} ${STAGEDIR}${ETCDIR}/conf
	${INSTALL_DATA} ${WRKDIR}/app.ini.sample ${STAGEDIR}${ETCDIR}/conf/app.ini.sample
	${INSTALL_DATA} ${WRKSRC}/custom/conf/app.example.ini ${STAGEDIR}${ETCDIR}/conf/app.ini.defaults
	${MKDIR} ${STAGEDIR}${DATADIR}
	${MKDIR} ${STAGEDIR}/var/db/gitea
	${MKDIR} ${STAGEDIR}/var/db/gitea/gitea-repositories
	${MKDIR} ${STAGEDIR}/var/log/gitea

do-install-BINDATA-off:
	cd ${WRKSRC} && ${COPYTREE_SHARE} "options public templates" ${STAGEDIR}${DATADIR}

Lines 1-3 Link Here

(-)b/www/gitea/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1734459279	1	TIMESTAMP = 1737883673
2	SHA256 (gitea-src-1.22.6.tar.gz) = 251a3ee97e11f288764f9e15d0163116a04f2811b9d0d3c32f46a04f90f0756e	2	SHA256 (gitea-src-1.23.1.tar.gz) = da4d36c4c9fe3980b4ba130526cf030ba7dba51d3a6844c6723a6eaef34b6df9
3	SIZE (gitea-src-1.22.6.tar.gz) = 54465618	3	SIZE (gitea-src-1.23.1.tar.gz) = 55539987




#
# This sample configuration runs Gitea with a local database.  Before
# running this configuration, make sure to change the INTERNAL_TOKEN,
# JWT_SECRET, LFS_JWT_SECRET, and SECRET_KEY variables.  SECRET_KEY is
# a password of your choosing, INTERNAL_TOKEN is a 64-byte random
# number in BASE64 encoding, JWT_SECRET is a 32-byte random number in
# BASE64 encoding.
#
# You can generate appropriate values using:
#   gitea generate secret [INTERNAL_TOKEN|JWT_SECRET|LFS_JWT_SECRET|SECRET_KEY]
# and then copy that output to the appropriate place in this file.
#
# Alternatively, you can let Gitea add these to the config for you; you
# need to make app.ini writeable by the git user.
#
# There are no pre-configured users; the first user to register becomes an
# admin.  In this sample configuration, the HTTP server only listens on

Lines 41-46 gitea_start() { Link Here

(-)b/www/gitea/files/gitea.in (+1 lines)
41	done	41	done
42	/usr/sbin/daemon %%DAEMONARGS%% \	42	/usr/sbin/daemon %%DAEMONARGS%% \
43	-u ${gitea_user} -p ${pidfile} \	43	-u ${gitea_user} -p ${pidfile} \
		44	-l daemon -s warning \
44	/usr/bin/env -i \	45	/usr/bin/env -i \
45	"GITEA_WORK_DIR=${gitea_shared}" \	46	"GITEA_WORK_DIR=${gitea_shared}" \
46	"GITEA_CUSTOM=${gitea_custom}" \	47	"GITEA_CUSTOM=${gitea_custom}" \

Lines 1-3 Link Here

(-)b/www/gitea/pkg-plist (+3 lines)
1	@sample %%ETCDIR%%/conf/app.ini.sample	1	@sample %%ETCDIR%%/conf/app.ini.sample
2	%%ETCDIR%%/conf/app.ini.defaults	2	%%ETCDIR%%/conf/app.ini.defaults
3	sbin/gitea	3	sbin/gitea
		4	@dir(git,git,755) /var/db/gitea
		5	@dir(git,git,755) /var/db/gitea/gitea-repositories
		6	@dir(git,git,755) /var/log/gitea

Return to bug 284360

Lines 1-3 Link Here

(-)b/security/vuxml/vuln/2025.xml (+28 lines)
		1	<vuln vid="752a81cb-dbd4-11ef-a489-a78527073c14">
		2	<topic>gitea -- enforce attachment file type restrictions</topic>
		3	<affects>
		4	<package>
		5	<name>gitea</name>
		6	<range><lt>1.23.0</lt></range>
		7	</package>
		8	</affects>
		9	<description>
		10	<body xmlns="http://www.w3.org/1999/xhtml">
		11	<p>The Gitea project reports:</p>
		12	<blockquote cite="https://github.com/go-gitea/gitea/releases/tag/v1.23.0">
		13	<p>Issue posters and users with repository write access are able to
		14	edit attachment names in a way that circumvents the instance-level
		15	file extension restrictions using the edit attachment APIs. [...]
		16	Add checks for these endpoints.</p>
		17	</blockquote>
		18	</body>
		19	</description>
		20	<references>
		21	<url>https://github.com/go-gitea/gitea/pull/32151</url>
		22	</references>
		23	<dates>
		24	<discovery>2024-11-06</discovery>
		25	<entry>2024-01-26</entry>
		26	</dates>
		27	</vuln>
		28
1	<vuln vid="41711c0d-db27-11ef-873e-8447094a420f">	29	<vuln vid="41711c0d-db27-11ef-873e-8447094a420f">
2	<topic>Vaultwarden -- Muiltiple vulnerabilities</topic>	30	<topic>Vaultwarden -- Muiltiple vulnerabilities</topic>
3	<affects>	31	<affects>

Lines 1-7 Link Here

(-)b/www/gitea/Makefile (-3 / +6 lines)
1	PORTNAME= gitea	1	PORTNAME= gitea
2	DISTVERSIONPREFIX= v	2	DISTVERSIONPREFIX= v
3	DISTVERSION= 1.22.6	3	DISTVERSION= 1.23.1
4	PORTREVISION= 1
5	CATEGORIES= www	4	CATEGORIES= www
6	MASTER_SITES= https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \	5	MASTER_SITES= https://github.com/go-gitea/gitea/releases/download/${DISTVERSIONPREFIX}${DISTVERSION}/ \
7	https://dl.gitea.io/gitea/${DISTVERSION}/	6	https://dl.gitea.io/gitea/${DISTVERSION}/
Lines 16-22 LICENSE_FILE= ${WRKSRC}/LICENSE Link Here
16		15
17	RUN_DEPENDS= git:devel/git	16	RUN_DEPENDS= git:devel/git
18		17
19	USES= cpe gmake go:1.22,no_targets	18	USES= cpe gmake go:1.23,no_targets
20	USE_RC_SUBR= gitea	19	USE_RC_SUBR= gitea
21		20
22	EXTRACT_AFTER_ARGS= --strip-components 1 # since 1.17.0, archive includes gitea-src-VERSION directory	21	EXTRACT_AFTER_ARGS= --strip-components 1 # since 1.17.0, archive includes gitea-src-VERSION directory
Lines 71-76 do-install: Link Here
71	@${MKDIR} ${STAGEDIR}${ETCDIR}/conf	70	@${MKDIR} ${STAGEDIR}${ETCDIR}/conf
72	${INSTALL_DATA} ${WRKDIR}/app.ini.sample ${STAGEDIR}${ETCDIR}/conf/app.ini.sample	71	${INSTALL_DATA} ${WRKDIR}/app.ini.sample ${STAGEDIR}${ETCDIR}/conf/app.ini.sample
73	${INSTALL_DATA} ${WRKSRC}/custom/conf/app.example.ini ${STAGEDIR}${ETCDIR}/conf/app.ini.defaults	72	${INSTALL_DATA} ${WRKSRC}/custom/conf/app.example.ini ${STAGEDIR}${ETCDIR}/conf/app.ini.defaults
		73	${MKDIR} ${STAGEDIR}${DATADIR}
		74	${MKDIR} ${STAGEDIR}/var/db/gitea
		75	${MKDIR} ${STAGEDIR}/var/db/gitea/gitea-repositories
		76	${MKDIR} ${STAGEDIR}/var/log/gitea
74		77
75	do-install-BINDATA-off:	78	do-install-BINDATA-off:
76	cd ${WRKSRC} && ${COPYTREE_SHARE} "options public templates" ${STAGEDIR}${DATADIR}	79	cd ${WRKSRC} && ${COPYTREE_SHARE} "options public templates" ${STAGEDIR}${DATADIR}

Lines 7-21 Link Here

(-)b/www/gitea/files/app.ini.sample.in (-7 / +9 lines)
7	#	7	#
8	# This sample configuration runs Gitea with a local database. Before	8	# This sample configuration runs Gitea with a local database. Before
9	# running this configuration, make sure to change the INTERNAL_TOKEN,	9	# running this configuration, make sure to change the INTERNAL_TOKEN,
10	# JWT_SECRET, and SECRET_KEY variables. SECRET_KEY is a password of your	10	# JWT_SECRET, LFS_JWT_SECRET, and SECRET_KEY variables. SECRET_KEY is
11	# choosing, INTERNAL_TOKEN is a 64-byte random number in BASE64 encoding,	11	# a password of your choosing, INTERNAL_TOKEN is a 64-byte random
12	# JWT_SECRET is a 32-byte random number in BASE64 encoding.	12	# number in BASE64 encoding, JWT_SECRET is a 32-byte random number in
		13	# BASE64 encoding.
13	#	14	#
14	# You can generate the token using for example:	15	# You can generate appropriate values using:
15	# openssl rand -base64 64	16	# gitea generate secret [INTERNAL_TOKEN\|JWT_SECRET\|LFS_JWT_SECRET\|SECRET_KEY]
		17	# and then copy that output to the appropriate place in this file.
16	#	18	#
17	# You can let Gitea add these to the config for you; you need to make	19	# Alternatively, you can let Gitea add these to the config for you; you
18	# app.ini writeable by the git user.	20	# need to make app.ini writeable by the git user.
19	#	21	#
20	# There are no pre-configured users; the first user to register becomes an	22	# There are no pre-configured users; the first user to register becomes an
21	# admin. In this sample configuration, the HTTP server only listens on	23	# admin. In this sample configuration, the HTTP server only listens on