oss-sec mailing list archives

Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3

From: cve-assign () mitre org
Date: Mon, 23 Dec 2013 15:30:43 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brief description (main points of announcement): Fresh installs
between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive, create a few
world writable files.

gitolite previous to that commit also was vulnerable to a local
filesystem information leak: Depending on the user umask running
gitolite setup, he might create world readable files


Use CVE-2013-7203 for this issue that affects additional older
versions of gitolite that were not affected by CVE-2013-4451.

altough different versions are affected, if I understand it correctly
both fall under CWE-276


The different-versions observation is what makes it necessary to have
separate CVE IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSuJzUAAoJEKllVAevmvmsdtAH/3E55EfasgiMgNGOmBM/n7PQ
3qJt1aQvx7jj+GkFJqAcZE3OT5QAmZWkUyVmshbS7SPzbYSTV35ZRM0wuE3G/Bhc
2GwirLWVXs1UNvQvSLHOvCyfHobQ/j3hfDK0ExQ+WkQo5xbYXqLpBBOAXaCZ03pZ
Zv/E/t4AOWJvuO7R8RE4aljTBiQ1f6I/bTNN+IjFp9csFOWZIoS3JNswXTqYPUWx
qXRyCI+P8ebiR25ZLDjL7HKE7Dea3yUda+RNjynovVC+IfnoAgnhu8w6cPzs+0a3
hGI4pYnTvqX3OS/u7Z5UPR4AZIaS61IzswujMYeIO+ZmzB8LCQyrEHkeaTecsRo=
=gpze
-----END PGP SIGNATURE-----

Current thread:

CVE Request: gitolite world writable files for fresh installs of v3.5.3 Sitaram Chamarty (Oct 20)
- Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Kurt Seifried (Oct 21)
  - Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 Salvatore Bonaccorso (Dec 23)
    - Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3 cve-assign (Dec 23)