Bug 172565

Summary: [MAINTAINER] devel/gitolite: update to 3.1,1
Product: Ports & Packages Reporter: Jonathan Chu <milki>
Component: Individual Port(s)Assignee: Steve Wills <swills>
Status: Closed FIXED    
Severity: Affects Only Me CC: tdb
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
gitolite-3.1,1.patch
none
file.diff none

Description Jonathan Chu 2012-10-10 08:00:00 UTC 
- Update to 3.1,1

Changes:
https://github.com/sitaramc/gitolite/compare/v3.04...v3.1
https://raw.github.com/sitaramc/gitolite/51ab768e2a121eac48fa82bb41ef121f44082e64/CHANGELOG

tdb: Please host the distfile

3.01-3.04 path traversal vulnerability advisory
eadler has submitted a CVE-ID request

Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2012-10-10 08:00:34 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->swills

swills@ wants his PRs (via the GNATS Auto Assign Tool)
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2012-10-10 12:59:43 UTC 
On 10 October 2012 02:52, milki <milki@rescomp.berkeley.edu> wrote:
>
>>Number:         172565
>>Category:       ports
>>Synopsis:       [MAINTAINER] devel/gitolite: update to 3.1,1
>>Confidential:   no
>>Severity:       non-critical
>>Priority:       low
>>Responsible:    freebsd-ports-bugs
>>State:          open
>>Quarter:
>>Keywords:
>>Date-Required:
>>Class:          maintainer-update
>>Submitter-Id:   current-users
>>Arrival-Date:   Wed Oct 10 07:00:00 UTC 2012
>>Closed-Date:
>>Last-Modified:
>>Originator:     milki
>>Release:        FreeBSD 8.3-RELEASE-p3 amd64
>>Organization:
> cibo
>>Environment:
> System: FreeBSD cibo.ircmylife.com 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012
>>Description:
> - Update to 3.1,1
>
> Changes:
> https://github.com/sitaramc/gitolite/compare/v3.04...v3.1
> https://raw.github.com/sitaramc/gitolite/51ab768e2a121eac48fa82bb41ef121f44082e64/CHANGELOG
>
> tdb: Please host the distfile
>
> 3.01-3.04 path traversal vulnerability advisory
> eadler has submitted a CVE-ID request
>
> Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
>>How-To-Repeat:
>>Fix:
>
> --- gitolite-3.1,1.patch begins here ---
> diff -ruN --exclude=CVS /usr/ports/devel/gitolite/Makefile ./Makefile
> --- /usr/ports/devel/gitolite/Makefile  2012-08-05 12:36:46.000000000 -0700
> +++ ./Makefile  2012-10-09 23:48:12.000000000 -0700
> @@ -6,7 +6,8 @@
>  #
>
>  PORTNAME=      gitolite
> -PORTVERSION=   3.04
> +PORTVERSION=   3.1
> +PORTEPOCH=     1
>  CATEGORIES=    devel
>  MASTER_SITES=  http://milki.github.com/${PORTNAME}/ \
>                 LOCAL/tdb
> diff -ruN --exclude=CVS /usr/ports/devel/gitolite/distinfo ./distinfo
> --- /usr/ports/devel/gitolite/distinfo  2012-08-05 12:36:46.000000000 -0700
> +++ ./distinfo  2012-10-09 21:17:59.000000000 -0700
> @@ -1,2 +1,2 @@
> -SHA256 (gitolite-3.04.tar.gz) = 900dd144ddfa88cc21fadfef7652799ead78c1be52304506994307c448e6b618
> -SIZE (gitolite-3.04.tar.gz) = 114010
> +SHA256 (gitolite-3.1.tar.gz) = 36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04
> +SIZE (gitolite-3.1.tar.gz) = 119322
> diff -ruN --exclude=CVS /usr/ports/devel/gitolite/pkg-plist ./pkg-plist
> --- /usr/ports/devel/gitolite/pkg-plist 2012-08-05 12:36:46.000000000 -0700
> +++ ./pkg-plist 2012-10-09 21:27:01.000000000 -0700
> @@ -19,6 +19,7 @@
>  %%SITE_PERL%%/Gitolite/Triggers/RepoUmask.pm
>  %%SITE_PERL%%/Gitolite/Triggers/Shell.pm
>  %%SITE_PERL%%/Gitolite/Triggers/Writable.pm
> +%%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm
>  libexec/gitolite/VERSION
>  libexec/gitolite/VREF/COUNT
>  libexec/gitolite/VREF/EMAIL-CHECK
> @@ -28,6 +29,8 @@
>  libexec/gitolite/VREF/VOTES
>  libexec/gitolite/VREF/lock
>  libexec/gitolite/VREF/partial-copy
> +libexec/gitolite/VREF/refex-expr
> +libexec/gitolite/check-g2-compat
>  libexec/gitolite/commands/D
>  libexec/gitolite/commands/access
>  libexec/gitolite/commands/creator
> @@ -43,26 +46,28 @@
>  libexec/gitolite/commands/perms
>  libexec/gitolite/commands/print-default-rc
>  libexec/gitolite/commands/push
> +libexec/gitolite/commands/rsync
>  libexec/gitolite/commands/sshkeys-lint
>  libexec/gitolite/commands/sskm
>  libexec/gitolite/commands/sudo
>  libexec/gitolite/commands/svnserve
>  libexec/gitolite/commands/symbolic-ref
> +libexec/gitolite/commands/who-pushed
>  libexec/gitolite/commands/writable
> -libexec/gitolite/check-g2-compat
>  libexec/gitolite/convert-gitosis-conf
>  libexec/gitolite/gitolite
>  libexec/gitolite/gitolite-shell
>  libexec/gitolite/syntactic-sugar/continuation-lines
>  libexec/gitolite/syntactic-sugar/keysubdirs-as-groups
>  libexec/gitolite/triggers/partial-copy
> -libexec/gitolite/triggers/upstream
>  libexec/gitolite/triggers/post-compile/ssh-authkeys
>  libexec/gitolite/triggers/post-compile/ssh-authkeys-shell-users
> +libexec/gitolite/triggers/post-compile/update-description-file
>  libexec/gitolite/triggers/post-compile/update-git-configs
>  libexec/gitolite/triggers/post-compile/update-git-daemon-access-list
>  libexec/gitolite/triggers/post-compile/update-gitweb-access-list
>  libexec/gitolite/triggers/renice
> +libexec/gitolite/triggers/upstream
>  @dirrm %%SITE_PERL%%/Gitolite/Conf
>  @dirrm %%SITE_PERL%%/Gitolite/Hooks
>  @dirrm %%SITE_PERL%%/Gitolite/Test
> --- gitolite-3.1,1.patch ends here ---
> --- vuxml.patch begins here ---
> diff -ruN --exclude=CVS /usr/ports/devel/gitolite/vuxml.patch ./vuxml.patch
> --- /usr/ports/devel/gitolite/vuxml.patch       1969-12-31 16:00:00.000000000 -0800
> +++ ./vuxml.patch       2012-10-09 23:47:39.000000000 -0700
> @@ -0,0 +1,44 @@
> +Index: vuln.xml
> +===================================================================
> +--- vuln.xml   (revision 305628)
> ++++ vuln.xml   (working copy)
> +@@ -51,6 +51,39 @@
> +
> + -->
> + <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> ++  <vuln vid="f94befcd-1289-11e2-a25e-525400272390">
> ++    <topic>gitolite - path traversal vulnerability</topic>
> ++    <affects>
> ++      <package>
> ++      <name>gitolite</name>
> ++      <range><ge>3.01</ge><le>3.04</le></range>
> ++      </package>
> ++    </affects>
> ++    <description>
> ++      <body xmlns="http://www.w3.org/1999/xhtml">
> ++      <p>Sitaram Chamarty reports:</p>
> ++      <blockquote cite="https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion">
> ++        <p>I'm sorry to say there is a potential path traversal vulnerability in
> ++        v3. Thanks to Stephane Chazelas for finding it and alerting me.</p>
> ++        <p>Can it affect you? This can only affect you if you are using wild
> ++        card repos, *and* at least one of your patterns allows the string
> ++        "../" to match multiple times.</p>
> ++        <p>How badly can it affect you? A malicious user who *also* has the
> ++        ability to create arbitrary files in, say, /tmp (e.g., he has his own
> ++        userid on the same box), can compromise the entire "git" user.
> ++        Otherwise the worst he can do is create arbitrary repos in /tmp.</p>
> ++      </blockquote>
> ++      </body>
> ++    </description>
> ++    <references>
> ++      <mlist msgid="CAMK1S_jotna+d_X2C-+es-M28i1aUBcsNeiXxwJ63EshQ8ht6w@mail.gmail.com">https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion</mlist>
> ++    </references>
> ++    <dates>
> ++      <discovery>2012-10-09</discovery>
> ++      <entry>2012-10-10</entry>
> ++    </dates>
> ++  </vuln>
> ++
> +   <vuln vid="e6161b65-1187-11e2-afe3-00262d5ed8ee">
> +     <topic>chromium -- multiple vulnerabilities</topic>
> +     <affects>

VuXML is correct, the chromium parts shouldn't change though ;)

Since 'milki' submitted the PR the issues has gotten a CVE, so please add
<cvename>CVE-2012-4506</cvename> above the mlist.


-- 
Eitan Adler
Comment 3 Steve Wills freebsd_committer freebsd_triage 2012-10-11 02:41:31 UTC 
State Changed
From-To: open->closed

Committed. Thanks!