Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Mon, Oct 21, 2013 at 02:18:21PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/20/2013 10:54 PM, Sitaram Chamarty wrote:
> > Announcement: 
> > https://groups.google.com/forum/#!topic/gitolite/Tu1sjaf7A4A/discussion
> >
> >  Code change: 
> > https://github.com/sitaramc/gitolite/commit/3dad4f8e3214d6ab5f71823019a624fa48b055a3
> (or)
> > http://code.google.com/p/gitolite/source/detail?r=3dad4f8e3214d6ab5f71823019a624fa48b055a3#
> >
> >  Brief description (main points of announcement): Fresh installs
> > between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive, create a
> > few world writable files.  Sites which installed before that date
> > are not affected, even if they subsequently upgraded to the faulty
> > commit or beyond.  Affected sites need to run a one-time 'chmod -R'
> > to fix.
>
> Please use CVE-2013-4451 for this issue.

A small side note on this CVE: David Bremner found that gitolite
previous to that commit also was vulnerable to a local filesystem
information leak: Depending on the user umask running gitolite setup,
he might create world readable files in the repositories, in
particular the gitolite-admin one.

As example in the Debian packaging postinst, [1] would result in a
world-readable /var/lib/gitolite3/repositories/gitolite-admin.git.

 [1] http://sources.debian.net/src/gitolite3/3.5.2-1/debian/postinst#L74

But this actually might not need a separate CVE for this issue
(altough different versions are affected, if I understand it correctly
both fall under CWE-276, Incorrect Default Permissions?).

Regards,
Salvatore