Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Dec 2013 20:05:55 +0100
From: Salvatore Bonaccorso <>
Cc: David Bremner <>
Subject: Re: CVE Request: gitolite world writable files for
 fresh installs of v3.5.3


On Mon, Oct 21, 2013 at 02:18:21PM -0600, Kurt Seifried wrote:
> Hash: SHA1
> On 10/20/2013 10:54 PM, Sitaram Chamarty wrote:
> > Announcement: 
> >!topic/gitolite/Tu1sjaf7A4A/discussion
> >
> >  Code change: 
> >
> >
> > 
> (or)
> >
> >
> >  Brief description (main points of announcement): Fresh installs
> > between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive, create a
> > few world writable files.  Sites which installed before that date
> > are not affected, even if they subsequently upgraded to the faulty
> > commit or beyond.  Affected sites need to run a one-time 'chmod -R'
> > to fix.
> > 
> Please use CVE-2013-4451 for this issue.

A small side note on this CVE: David Bremner found that gitolite
previous to that commit also was vulnerable to a local filesystem
information leak: Depending on the user umask running gitolite setup,
he might create world readable files in the repositories, in
particular the gitolite-admin one.

As example in the Debian packaging postinst, [1] would result in a
world-readable /var/lib/gitolite3/repositories/gitolite-admin.git.


But this actually might not need a separate CVE for this issue
(altough different versions are affected, if I understand it correctly
both fall under CWE-276, Incorrect Default Permissions?).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.