oss-sec mailing list archives
Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3
From: cve-assign () mitre org
Date: Mon, 23 Dec 2013 15:30:43 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Brief description (main points of announcement): Fresh installs between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive, create a few world writable files.
gitolite previous to that commit also was vulnerable to a local filesystem information leak: Depending on the user umask running gitolite setup, he might create world readable files
Use CVE-2013-7203 for this issue that affects additional older versions of gitolite that were not affected by CVE-2013-4451.
altough different versions are affected, if I understand it correctly both fall under CWE-276
The different-versions observation is what makes it necessary to have separate CVE IDs. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSuJzUAAoJEKllVAevmvmsdtAH/3E55EfasgiMgNGOmBM/n7PQ 3qJt1aQvx7jj+GkFJqAcZE3OT5QAmZWkUyVmshbS7SPzbYSTV35ZRM0wuE3G/Bhc 2GwirLWVXs1UNvQvSLHOvCyfHobQ/j3hfDK0ExQ+WkQo5xbYXqLpBBOAXaCZ03pZ Zv/E/t4AOWJvuO7R8RE4aljTBiQ1f6I/bTNN+IjFp9csFOWZIoS3JNswXTqYPUWx qXRyCI+P8ebiR25ZLDjL7HKE7Dea3yUda+RNjynovVC+IfnoAgnhu8w6cPzs+0a3 hGI4pYnTvqX3OS/u7Z5UPR4AZIaS61IzswujMYeIO+ZmzB8LCQyrEHkeaTecsRo= =gpze -----END PGP SIGNATURE-----
Current thread:
- CVE Request: gitolite world writable files for fresh installs of v3.5.3 Sitaram Chamarty (Oct 20)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Kurt Seifried (Oct 21)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Salvatore Bonaccorso (Dec 23)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 cve-assign (Dec 23)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Salvatore Bonaccorso (Dec 23)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Kurt Seifried (Oct 21)