security issue for fresh installs using v3.5.3


Sitaram Chamarty

Oct 20, 2013, 10:28:04 PM
to Nathan Ferch, gito...@googlegroups.com, gitolite...@googlegroups.com, milki, lkun...@v3.sk, David Bremner
[changed subject line]

On 10/21/2013 04:16 AM, Nathan Ferch wrote:

> When installing gitolite, there's several world writable files and
[snipped]

Ouch! Thanks for catching this.

WHAT IT IS

- This is a bug introduced in

fa06a34 set umask as early as possible (Sep 3rd)

- It only affects **fresh** installs made after Sep 3. See below for
more on this.

CURRENT STATUS

- I have just pushed out v3.5.3.1 to fix the problem.

WORKAROUND

- EXISTING INSTALLS: if it affects you (see next section for details),
you need to do a one-time 'chmod -R go-rwx' (or such) on
~/.gitolite.rc, ~/.gitolite, and ~/repositories/gitolite-admin.git

You don't actually need to upgrade, since the bug only shows up in
the very first "gitolite setup" command that runs *before* the rc
file is created. Once the rc file exists, this bug does not happen.

- NEW INSTALLS: just use v3.5.3.1 (pushed a few minutes ago).

- RPM/DEB/etc users: see below; you may not be affected at all.

WHO IT AFFECTS

- This does NOT affect anyone who installed v3.5.2 or earlier, even if
you later upgraded to the offending commit or beyond. That is, only
the initial install counts.

- This DOES affect anyone who did a *fresh* install using fa06a34 or
later (i.e., sometime since Sep 3rd).

If you only use the latest tagged version instead of following
"master", it affects you if you did a fresh install using v3.5.3.

- Since package maintainers pick up only versioned tags, and v3.5.3
was pushed only a week ago, it may not have propagated yet.

For example, at this time, Fedora still has v3.5.2, and when the
maintainer next picks it up, he will pick up v3.5.3.1, so Fedora RPM
users should not be affected. I hope Debian is the same!

sitaram

PS: Nathan: I blindly "approved" your post without reading even the
subject line carefully. As a result, this has become "announced",
making it imperative that a fix be pushed out asap. Normally I
inform the package maintainers first before making a more general
announcement.

On the plus side, existing users are not really affected, as
explained above. But in terms of process, I still screwed up (over
and above the bug itself!)

At least part of the problem is my time zone, and my habit of waking
up at 5am-ish and approving any new posts before getting my morning
cuppa, checking work emails, and then coming to gmail. Sigh...

Sitaram Chamarty

Oct 21, 2013, 3:20:56 AM
to Nathan Ferch, gito...@googlegroups.com, gitolite...@googlegroups.com, milki, lkun...@v3.sk, David Bremner

I think one clarification is needed:

If you *are* affected, (i.e., you did a fresh install of gitolite
between fa06a34 and v3.5.3), merely upgrading will NOT fix the problem,
and you *must* do a one-time chmod fixup as described below.

sitaram
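As an added example (not code from the thread or from the gitolite project), covering both the workaround in the first message and the clarification in the second that upgrading alone does not repair an affected install: a POSIX shell script that lists world-writable entries under the three paths named above and applies the one-time 'chmod -R go-rwx' fixup. GITOLITE_HOME is an assumed variable so the check can be pointed at a test directory; it defaults to $HOME.

```shell
#!/bin/sh
# Added example (not part of gitolite or the thread): detect and repair the
# world-writable files a fresh v3.5.3 'gitolite setup' left behind, using the
# three paths the advisory names and the fixup it recommends.
# GITOLITE_HOME is an assumed variable (defaults to the hosting user's home).
set -u
GITOLITE_HOME="${GITOLITE_HOME:-$HOME}"

# The paths the advisory says are affected on a fresh install.
affected_paths() {
    printf '%s\n' \
        "$GITOLITE_HOME/.gitolite.rc" \
        "$GITOLITE_HOME/.gitolite" \
        "$GITOLITE_HOME/repositories/gitolite-admin.git"
}

# Print every file or directory under the affected paths whose other-write
# bit (octal 002) is set; the list is empty on a healthy install.
list_world_writable() {
    affected_paths | while IFS= read -r p; do
        if [ -e "$p" ]; then
            find "$p" -perm -002 -print
        fi
    done
}

# Return 0 when nothing is world-writable, 1 otherwise (usable from a
# config-audit job, since v3.5.3.1 does not fix an already-affected install).
check_install() {
    [ -z "$(list_world_writable)" ]
}

# The one-time fixup from the thread: strip all group/other bits.
fix_install() {
    affected_paths | while IFS= read -r p; do
        if [ -e "$p" ]; then
            chmod -R go-rwx "$p"
        fi
    done
}

case "${1:-}" in
    check) check_install && echo "ok: nothing world-writable" \
               || { list_world_writable; exit 1; } ;;
    fix)   fix_install && check_install && echo "fixed" ;;
esac
```

Run it as `sh fix_gitolite_perms.sh check` to audit and `sh fix_gitolite_perms.sh fix` to apply the chmod.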