From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Oct 10 07:00:00 2012
Resent-Date: Wed, 10 Oct 2012 07:00:00 GMT
Resent-Message-Id: <201210100700.q9A700qi030644@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, milki
Message-Id: <201210100652.q9A6qV7a084716@cibo.ircmylife.com>
Date: Tue, 9 Oct 2012 23:52:31 -0700 (PDT)
From: milki
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/172565: [MAINTAINER] devel/gitolite: update to 3.1,1
Cc: tdb@FreeBSD.org
X-List-Received-Date: Wed, 10 Oct 2012 07:00:00 -0000

>Number: 172565
>Category: ports
>Synopsis: [MAINTAINER] devel/gitolite: update to 3.1,1
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 10 07:00:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: milki
>Release: FreeBSD 8.3-RELEASE-p3 amd64
>Organization: cibo
>Environment:
System: FreeBSD cibo.ircmylife.com 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012
>Description:
- Update to 3.1,1

Changes:
https://github.com/sitaramc/gitolite/compare/v3.04...v3.1
https://raw.github.com/sitaramc/gitolite/51ab768e2a121eac48fa82bb41ef121f44082e64/CHANGELOG

tdb: Please host the distfile

3.01-3.04 path traversal vulnerability advisory
eadler has submitted a CVE-ID request

Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
>How-To-Repeat:
>Fix:
--- gitolite-3.1,1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/devel/gitolite/Makefile ./Makefile --- /usr/ports/devel/gitolite/Makefile 2012-08-05 12:36:46.000000000 -0700 +++ ./Makefile 2012-10-09 23:48:12.000000000 -0700
@@ -6,7 +6,8 @@ # PORTNAME= gitolite -PORTVERSION= 3.04 +PORTVERSION= 3.1 +PORTEPOCH= 1 CATEGORIES= devel MASTER_SITES= http://milki.github.com/${PORTNAME}/ \ LOCAL/tdb diff -ruN --exclude=CVS /usr/ports/devel/gitolite/distinfo ./distinfo --- /usr/ports/devel/gitolite/distinfo 2012-08-05 12:36:46.000000000 -0700 +++ ./distinfo 2012-10-09 21:17:59.000000000 -0700 @@ -1,2 +1,2 @@ -SHA256 (gitolite-3.04.tar.gz) = 900dd144ddfa88cc21fadfef7652799ead78c1be52304506994307c448e6b618 -SIZE (gitolite-3.04.tar.gz) = 114010 +SHA256 (gitolite-3.1.tar.gz) = 36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04 +SIZE (gitolite-3.1.tar.gz) = 119322 diff -ruN --exclude=CVS /usr/ports/devel/gitolite/pkg-plist ./pkg-plist --- /usr/ports/devel/gitolite/pkg-plist 2012-08-05 12:36:46.000000000 -0700 +++ ./pkg-plist 2012-10-09 21:27:01.000000000 -0700 @@ -19,6 +19,7 @@ %%SITE_PERL%%/Gitolite/Triggers/RepoUmask.pm %%SITE_PERL%%/Gitolite/Triggers/Shell.pm %%SITE_PERL%%/Gitolite/Triggers/Writable.pm +%%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm libexec/gitolite/VERSION libexec/gitolite/VREF/COUNT libexec/gitolite/VREF/EMAIL-CHECK @@ -28,6 +29,8 @@ libexec/gitolite/VREF/VOTES libexec/gitolite/VREF/lock libexec/gitolite/VREF/partial-copy +libexec/gitolite/VREF/refex-expr +libexec/gitolite/check-g2-compat libexec/gitolite/commands/D libexec/gitolite/commands/access libexec/gitolite/commands/creator 
@@ -43,26 +46,28 @@ libexec/gitolite/commands/perms libexec/gitolite/commands/print-default-rc libexec/gitolite/commands/push +libexec/gitolite/commands/rsync libexec/gitolite/commands/sshkeys-lint libexec/gitolite/commands/sskm libexec/gitolite/commands/sudo libexec/gitolite/commands/svnserve libexec/gitolite/commands/symbolic-ref +libexec/gitolite/commands/who-pushed libexec/gitolite/commands/writable -libexec/gitolite/check-g2-compat libexec/gitolite/convert-gitosis-conf libexec/gitolite/gitolite libexec/gitolite/gitolite-shell libexec/gitolite/syntactic-sugar/continuation-lines libexec/gitolite/syntactic-sugar/keysubdirs-as-groups libexec/gitolite/triggers/partial-copy -libexec/gitolite/triggers/upstream libexec/gitolite/triggers/post-compile/ssh-authkeys libexec/gitolite/triggers/post-compile/ssh-authkeys-shell-users +libexec/gitolite/triggers/post-compile/update-description-file libexec/gitolite/triggers/post-compile/update-git-configs libexec/gitolite/triggers/post-compile/update-git-daemon-access-list libexec/gitolite/triggers/post-compile/update-gitweb-access-list libexec/gitolite/triggers/renice +libexec/gitolite/triggers/upstream @dirrm %%SITE_PERL%%/Gitolite/Conf @dirrm %%SITE_PERL%%/Gitolite/Hooks @dirrm %%SITE_PERL%%/Gitolite/Test --- gitolite-3.1,1.patch ends here --- --- vuxml.patch begins here --- diff -ruN --exclude=CVS /usr/ports/devel/gitolite/vuxml.patch ./vuxml.patch --- /usr/ports/devel/gitolite/vuxml.patch 1969-12-31 16:00:00.000000000 -0800 +++ ./vuxml.patch 2012-10-09 23:47:39.000000000 -0700 @@ -0,0 +1,44 @@ +Index: vuln.xml +=================================================================== +--- vuln.xml (revision 305628) ++++ vuln.xml (working copy) +@@ -51,6 +51,39 @@ + + --> + ++ ++ gitolite - path traversal vulnerability ++ ++ ++ gitolite ++ 3.013.04 ++ ++ ++ ++ ++

Sitaram Chamarty reports:

++
++

I'm sorry to say there is a potential path traversal vulnerability in ++ v3. Thanks to Stephane Chazelas for finding it and alerting me.

++

Can it affect you? This can only affect you if you are using wild ++ card repos, *and* at least one of your patterns allows the string ++ "../" to match multiple times.

++

How badly can it affect you? A malicious user who *also* has the ++ ability to create arbitrary files in, say, /tmp (e.g., he has his own ++ userid on the same box), can compromise the entire "git" user. ++ Otherwise the worst he can do is create arbitrary repos in /tmp.

++
++ ++
++ ++ https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion ++ ++ ++ 2012-10-09 ++ 2012-10-10 ++ ++
++ + + chromium -- multiple vulnerabilities + --- vuxml.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
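Review bot: the Makefile hunk is right to pair PORTVERSION= 3.1 with PORTEPOCH= 1, because pkg version comparison treats 3.1 as lower than 3.04 (the component 1 sorts before 04), so without the epoch an installed 3.04 would never see 3.1 as an upgrade and the vulnerable versions would stay in place; keep in mind that an epoch can only ever go up, so the ,1 suffix stays with this port permanently. The same hunk leaves MASTER_SITES at http://milki.github.com/${PORTNAME}/ with LOCAL/tdb as the only fallback, and the description asks tdb to host the distfile, so the upload to LOCAL/tdb should land before or with this commit, or fetching depends entirely on the submitter's GitHub Pages site.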
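Review bot: the distinfo hunk's new SHA256 (36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04) and SIZE (119322) for gitolite-3.1.tar.gz are the only thing pinning what users build, and the primary MASTER_SITE is a maintainer-run page rather than upstream, so before committing, unpack the tarball and compare its contents against the upstream v3.1 tag referenced in the description (https://github.com/sitaramc/gitolite/compare/v3.04...v3.1); checking the hash against the same mirror it was copied from verifies nothing, and a separately generated archive of the tag will not share this checksum, so the comparison has to be of the extracted tree.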
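Review bot: in the pkg-plist hunk @@ -19,6 +19,7 @@, %%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm is appended after Writable.pm, which breaks the alphabetical order that the rest of this patch is restoring (the @@ -43,26 +46,28 @@ hunk moves check-g2-compat and triggers/upstream to their sorted positions); place RefexExpr.pm before RepoUmask.pm. Apart from that reordering the plist only adds entries (VREF/refex-expr, commands/rsync, commands/who-pushed, triggers/post-compile/update-description-file) and removes none, which is consistent with an update that ships fixes in existing files rather than dropping any.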
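Review bot: the vuxml hunk creates ./vuxml.patch inside the devel/gitolite port directory (@@ -0,0 +1,44 @@ against /usr/ports/devel/gitolite/vuxml.patch), so applying this PR as-is would commit the VuXML diff into the port itself; the Index: vuln.xml header shows it was generated against security/vuxml/vuln.xml, and it should be applied there and not land in the port directory. The entry cites only the Google Groups thread and carries no CVE name, and the description says eadler's CVE-ID request is pending, so the committer should add the cvename reference once it is assigned. The quoted upstream text states both the preconditions (wildcard repos with at least one pattern that lets "../" match multiple times) and the impact (arbitrary repo creation under /tmp, or compromise of the git user if the attacker can also plant files there), and the affected range 3.01 through 3.04 matches the versions the description names; keep that text verbatim since it is quoted from the upstream announcement.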