| Summary: | www/gitea: Update to 1.16.4 (was: 1.15.11: fixes security vulnerability) |
|---|---|
| Product: | Ports & Packages |
| Reporter: | Stefan Bethke <stb> |
| Component: | Individual Port(s) |
| Assignee: | Florian Smeets <flo> |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| CC: | de-freebsd, dvl, fcharlier, fernape, flo, fsbruva, nk, ports-secteam |
| Priority: | Normal |
| Keywords: | needs-patch, security |
| Version: | Latest |
| Flags: | koobs: maintainer-feedback? (flo), koobs: merge-quarterly? |
| Hardware: | Any |
| OS: | Any |
| Bug Depends on: | 262898 |
| Bug Blocks: | |
| Attachments: | |

Description
Stefan Bethke
2022-01-30 16:54:40 UTC
Patch forthcoming as soon as GitHub has the archive available for download.

Why not jump to 1.16.0? The U2F API will no longer be available in a few days, and the fix (implementing webauthn) is in https://github.com/go-gitea/gitea/pull/17957 , which is only in 1.16, and not 1.15.11.

^Triage: maintainer-feedback not required if not requested first

Also, why open a PR when the archive is not even available?

Created attachment 231929 [details]
www/gitea: Update to v1.16.0
I've been running my patch for over two weeks now. Everything's working as it should.

Stefan can you review and approve the patch, or even better submit an update for 1.16.1? Or do you want to submit a patch for 1.15.11 first and commit that?

Is someone going to submit a vuxml entry? Otherwise I'll create one before committing the patch.

(In reply to Florian Smeets from comment #5) I won't be able to work on this until Sunday.

I'm working on updating my patch to v1.16.1, I hadn't noticed there was a new release

Created attachment 231934 [details]
www/gitea: Update to v1.16.1
Created attachment 232519 [details]
www/gitea: Update to v1.16.4

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=801b2b6299b1cd191cbddc03a676c9e549ce522a

```
commit 801b2b6299b1cd191cbddc03a676c9e549ce522a
Author: Namkhai B <me@forkbomb9.ch>
AuthorDate: 2022-03-17 22:43:02 +0000
Commit: Florian Smeets <flo@FreeBSD.org>
CommitDate: 2022-03-17 22:43:02 +0000

    www/gitea: Update to 1.16.4

    PR: 261576
    Approved by: maintainer timeout

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
```

I've gone ahead and committed the latest update. I'll add a vuxml entry tomorrow.

After updating www/gitea from 1.15.10 to 1.16.4 gitea no longer starts and I have no idea how to debug this. What I do and get:

```
git@gitea:~$ export GITEA_WORK_DIR=/usr/local/share/gitea
git@gitea:~$ export GITEA_CUSTOM=/usr/local/etc/gitea
git@gitea:~$ export HOME=/usr/local/git
git@gitea:~$ export PATH=/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
git@gitea:~$ export USER=git
git@gitea:~$ /usr/local/sbin/gitea web
2022/03/26 13:52:15 cmd/web.go:102:runWeb() [I] Starting Gitea on PID: 20975
2022/03/26 13:52:15 cmd/web.go:150:runWeb() [I] Global init
2022/03/26 13:52:15 routers/init.go:106:GlobalInitInstalled() [I] Git Version: 2.35.1, Wire Protocol Version 2 Enabled
2022/03/26 13:52:15 routers/init.go:109:GlobalInitInstalled() [I] AppPath: /usr/local/sbin/gitea
2022/03/26 13:52:15 routers/init.go:110:GlobalInitInstalled() [I] AppWorkPath: /usr/local/share/gitea
2022/03/26 13:52:15 routers/init.go:111:GlobalInitInstalled() [I] Custom path: /usr/local/etc/gitea
2022/03/26 13:52:15 routers/init.go:112:GlobalInitInstalled() [I] Log path: /var/log/gitea
2022/03/26 13:52:15 routers/init.go:113:GlobalInitInstalled() [I] Configuration file: /usr/local/etc/gitea/conf/app.ini
2022/03/26 13:52:15 routers/init.go:114:GlobalInitInstalled() [I] Run Mode: Prod
2022/03/26 13:52:16 ...dules/setting/log.go:283:newLogService() [I] Gitea v1.16.4 built with GNU Make 4.3, go1.18
git@gitea:~$ echo $?
1
git@gitea:~$ cat /var/log/gitea/gitea.log
cat: /var/log/gitea/gitea.log: No such file or directory
```

gitea was built with the following options on my poudriere build server:

```
root@build01:/usr/local/etc/poudriere.d# cat 12amd64-php7-options/www_gitea/options
# This file is auto-generated by 'make config'.
# Options for gitea-1.11.5_1
_OPTIONS_READ=gitea-1.11.5_1
_FILE_COMPLETE_OPTIONS_LIST=BINDATA GIT_LFS PAM SQLITE
OPTIONS_FILE_UNSET+=BINDATA
OPTIONS_FILE_SET+=GIT_LFS
OPTIONS_FILE_UNSET+=PAM
OPTIONS_FILE_UNSET+=SQLITE
```

Any help appreciated to shed some light on this.

Created attachment 232767 [details]
contents from /var/log/debug when attempting to start gitea
Same situation here. My gitea won't start either. Log attached.

Re-open based on comment 12 (and another report on Twitter)

@Florian Was this change merged to quarterly?

My build options as taken from pkg info:

```
Options :
BINDATA : off
GIT_LFS : on
PAM : on
SQLITE : on
```

Full build log here:

* https://services.unixathome.org/poudriere/build.html?mastername=123amd64-default-primary&build=2022-03-28_01h18m09s
* https://services.unixathome.org/poudriere/data/123amd64-default-primary/2022-03-28_01h18m09s/logs/gitea-1.16.4.log

I've been running 1.16.4 for quite some time now without trouble. The only difference between what I use and comment #12 is I use the rc.d service instead of starting by hand. Also looking at comment #13's log it would seem it's a permission issue for the log file? I'm not a go dev tho, so I might be wrong.

Also v1.16.5.

(In reply to Namkhai B. from comment #16) The permissions were my first thought too, but gitea runs as user git and that user has full access to /var/log/gitea and the immediate crash upon start happens no matter if /var/log/gitea/gitea.log exists (with owner git:git of course) or not.

(In reply to Dan Langille from comment #15) I don't have any issue with 1.16.4 on stable/13. Looking at the log

```
Mar 28 00:06:03 git gitea[35791]: [signal SIGBUS: bus error code=0x3 addr=0x24c4ebf pc=0x24c4ebf]
```

That leads me to believe that something is seriously wrong with your go or gitea package. Can you rebuild the go and gitea package and try again?

(In reply to CTS - FreeBSD Team from comment #12) Why are you trying to start gitea in a non-standard way? What happens when you use the RC script? Can you make sure /var/log/gitea/ is created with the correct permissions? What is in the log?

```
drwxr-xr-x 3 git git 21 Mar 28 00:00 /var/log/gitea/
```

(In reply to Florian Smeets from comment #19) I'm not the person you're replying to:

```
[git dan ~] % ls -ld /var/log/gitea/ 22:18:57
drwxr-xr-x 2 git git 11 2022.03.27 00:06 /var/log/gitea//
```

Created attachment 232789 [details]
www/gitea: Update to 1.16.5
I tried git 1.16.5 and it works. Patch attached.

I am happy to commit if the maintainer approves.

.... but this update was done after maintainer timeout. Do we need to wait two weeks given two reports of breakage?

(In reply to Dan Langille from comment #21) @Dan, 1.16.5 contains security and bug fixes requiring MFH [1]. Can you open a separate issue for the update and set 'depends on' here to the new issue.

@Florian It doesn't look like a vuxml entry was added for the 1.15.11 or merged. Could you clarify/confirm?

[1] https://github.com/go-gitea/gitea/blob/v1.16.5/CHANGELOG.md

(In reply to Dan Langille from comment #23) Timeouts apply on the basis of change (patch) proposal times. A new proposal (and update) thus usually starts a new timer.

Having said that, if one can isolate a regression related specifically to the original change, that leaves the door open to 'followup changes' to 'finish' or fix issues.

I can't see any 'specific' changes mentioned in the 1.16.5 changelogs upstream that indicate fixes for this specific (bus error) issue, but I did not review the github issues referenced in detail.

Lastly: as it appears the 1.15.11 hasn't been merged to quarterly, nor a vuxml entry added yet, and 1.16.5 includes more security updates and bugfixes, there's a case to be made for further changes/commits without applying the timeout.

(In reply to Kubilay Kocak from comment #25) I strenuously disagree. I was having the same issue (unreported) on FreeBSD-12.3. However, downgrading go to 1.17 using pkg, and then rebuilding gitea fixed the issue. I believe gitea 1.16.5 fixes the reported issues because they are related from the 23 Mar upgrade of go to 1.18 within the ports tree. The gitea 1.16.5 changelog you referenced makes heavy mention of all the work to enable using go 1.18.

(In reply to Namkhai B. from comment #16) @Namkhai, what version of go are you running that is successfully running gitea 1.16.4?

(In reply to Florian Smeets from comment #18) @Florian, what version of go are you running that is successfully running gitea 1.16.4?

(In reply to Dan Langille from comment #21) @Dan, can you try reverting go to 1.17 to see if that also fixes your issue?

(In reply to CTS - FreeBSD Team from comment #12) @CTS, can you try reverting go to 1.17 to see if that also fixes your issue?

(In reply to fsbruva from comment #26)

```
root@wg:~ # go version
go version go1.17.6 freebsd/amd64
```

(In reply to fsbruva from comment #26) It does appear the problems were related to go. However, the upgrade to 1.16.5 needs to progress ASAP to fix known vulnerability issues. security/vuxml must also be updated.

I'm out of time for this, sorry. I can test patches, but have to concentrate on other projects.

(In reply to Dan Langille from comment #28) Understood, and concur with 1.16.5 proceeding quickly as top priority.

(In reply to fsbruva from comment #26) Not sure what specifically is being disagreed with here, I only stated that I couldn't identify a specific change that 'obviously' caused this issue, not that there definitely weren't any.

That aside, it sounds like the issue might possibly be (or related to or involve): https://github.com/go-gitea/gitea/issues/19187

Either way, current status:

- 1.16.4 needs a vuxml entry
- 1.16.5 (via 262898) needs a vuxml entry, commit and merge (if QA passes). Any committer may take that issue.

For comments/updates relating to the 1.16.5 update, please do so on bug 262898

(In reply to Kubilay Kocak from comment #30) Excellent point. I can try my hand at the two needed vuxml entries.

(In reply to Florian Smeets from comment #19) I did start it by hand, so you can better see what happens. The output of `service gitea start`:

```
root@gitea:~# service gitea start
root@gitea:~# echo $?
0
root@gitea:~# service gitea status
gitea is not running.
```

This isn't helpful at all. All it produces are the messages I posted earlier in `/var/log/debug.log` (garbled with ANSI codes):

```
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mcmd/web.go:102:^[[32mrunWeb()^[[0m ^[[1;32m[I]^[[0m Starting Gitea on PID: ^[[1m12653^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mcmd/web.go:150:^[[32mrunWeb()^[[0m ^[[1;32m[I]^[[0m Global init
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:106:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m Git Version: 2.35.1, Wire Protocol Version 2 Enabled
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:109:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m AppPath: ^[[1m/usr/local/sbin/gitea^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:110:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m AppWorkPath: ^[[1m/usr/local/share/gitea^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:111:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m Custom path: ^[[1m/usr/local/etc/gitea^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:112:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m Log path: ^[[1m/var/log/gitea^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:113:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m Configuration file: ^[[1m/usr/local/etc/gitea/conf/app.ini^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32mrouters/init.go:114:^[[32mGlobalInitInstalled()^[[0m ^[[1;32m[I]^[[0m Run Mode: ^[[1mProd^[[0m
Mar 29 10:56:25 gitea gitea[12652]: ^[[36m2022/03/29 10:56:25 ^[[0m^[[32m...dules/setting/log.go:283:^[[32mnewLogService()^[[0m ^[[1;32m[I]^[[0m Gitea v^[[1m1.16.4^[[0m^[[1m built with GNU Make 4.3, go1.18^[[0m
```

It doesn't write ANYTHING to `/var/log/gitea/gitea.log`. No matter if it exists with proper permissions beforehand or not.

@fsbruva: I can't promise that I'll be able to try go1.17 this week.

(This is just to clarify some questions, no offence meant! I am not a native speaker so I may have chosen a wrong tone, sorry in advance if that happened)

(In reply to fsbruva from comment #26) OK, that was easier than I thought. gitea-1.16.4 rebuilt with go-1.17.8,1 works for me too. Dan's patch to gitea-1.16.5 (also built with go-1.17.8,1) works for me too!

(In reply to Kubilay Kocak from comment #24) I started creating a vuxml entry but I gave up. Gitea does not do advisories. It's just a list of links to ~30-40 bugs, and the bugs don't even describe the issue fixed in detail, so... After abandoning the vuxml I forgot about the MFH.

I agree that one of us committers should commit the patch to 1.16.5 ASAP. So Dan you have my blessing, but I don't have any hat handy to approve this.

I'm sorry that I have not been able to contribute to this. Please do not wait for my blessing to push the update to the newest version. I should be able to work on the port again at the end of April.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b788272c6c2ff5b21dd6991f7f680e39e6041b12

```
commit b788272c6c2ff5b21dd6991f7f680e39e6041b12
Author: Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2022-03-29 21:06:34 +0000
Commit: Florian Smeets <flo@FreeBSD.org>
CommitDate: 2022-03-29 21:11:35 +0000

    www/gitea: Update to 1.16.5

    - Fixes for runtime issues with go1.18
    - Fixes for security issues

    Changes: https://github.com/go-gitea/gitea/releases/tag/v1.16.5

    PR: 262898, 261576
    Reported by: dvl, CTS - FreeBSD Team <de-freebsd@ctseuro.com>
    Approved by: maintainer
    Security: 83466f76-aefe-11ec-b4b6-d05099c0c059

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
```

A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a9f3a4c9cb2070ff5671bc791f7b0d42b0ce71db

```
commit a9f3a4c9cb2070ff5671bc791f7b0d42b0ce71db
Author: Namkhai B <me@forkbomb9.ch>
AuthorDate: 2022-03-17 22:43:02 +0000
Commit: Florian Smeets <flo@FreeBSD.org>
CommitDate: 2022-03-29 21:28:30 +0000

    www/gitea: Update to 1.16.4

    PR: 261576
    Approved by: maintainer timeout

    (cherry picked from commit 801b2b6299b1cd191cbddc03a676c9e549ce522a)

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
```

A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e3af7d020f102c934154db26094e1d94cac6891e

```
commit e3af7d020f102c934154db26094e1d94cac6891e
Author: Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2022-03-29 21:06:34 +0000
Commit: Florian Smeets <flo@FreeBSD.org>
CommitDate: 2022-03-29 21:28:30 +0000

    www/gitea: Update to 1.16.5

    - Fixes for runtime issues with go1.18
    - Fixes for security issues

    Changes: https://github.com/go-gitea/gitea/releases/tag/v1.16.5

    PR: 262898, 261576
    Reported by: dvl, CTS - FreeBSD Team <de-freebsd@ctseuro.com>
    Approved by: maintainer
    Security: 83466f76-aefe-11ec-b4b6-d05099c0c059

    (cherry picked from commit b788272c6c2ff5b21dd6991f7f680e39e6041b12)

 www/gitea/Makefile | 2 +-
 www/gitea/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
```

Vuxml added and merged to quarterly. Thanks.