Bug 727664 - <dev-vcs/fossil-2.11.1: Multiple vulnerabilities
Summary: <dev-vcs/fossil-2.11.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.fossil-scm.org/home/info/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 732236
Blocks:
Reported: 2020-06-09 14:26 UTC by Sam James
Modified: 2020-07-28 20:20 UTC

See Also:
Package list:
dev-vcs/fossil-2.11.1
Runtime testing required: No
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 14:26:32 UTC
Details when available.

@maintainer(s), please bump to 2.11.1.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 13:17:42 UTC
"Security: Fossil now assumes that the schema of every database it opens has been tampered with by an adversary and takes extra precautions to ensure that such tampering is harmless.

Security: Fossil now puts the Content-Security-Policy in the HTTP reply header, in addition to also leaving it in the HTML <head> section, so that it is always available, even if a custom skin overrides the HTML <head> and omits the CSP in the process."
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 13:18:15 UTC
(In reply to Sam James (sec padawan) from comment #1)
> "Security: Fossil now assumes that the schema of every database it opens has
> been tampered with by an adversary and takes extra precautions to ensure
> that such tampering is harmless.
> 
> Security: Fossil now puts the Content-Security-Policy in the HTTP reply
> header, in addition to also leaving it in the HTML <head> section, so that
> it is always available, even if a custom skin overrides the HTML <head> and
> omits the CSP in the process."

Whoops! Ignore this, I think.
Comment 3 Aaron W. Swenson gentoo-dev 2020-07-03 00:27:56 UTC
(In reply to Sam James (sec padawan) from comment #0)
> Details when available.
> 
> @maintainer(s), please bump to 2.11.1.

This is the bit that was fixed:

    Make the "fossil git export" command more restrictive about characters that
    it allows in tag names....
    [sanitize] each argument and make it part of an "echo" command run by the
    shell.

https://www.fossil-scm.org/home/info/c9a592dde7fe493f
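
An added illustration of the kind of restriction comment 3 describes, not Fossil's code and not part of the original thread: a hypothetical `sanitize_tag_name` helper that applies an allow-list to a tag name before it is handed to another tool. The allowed character set is an assumption; the page does not list which characters Fossil 2.11.1 accepts.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Fossil's code). Copies `in` to `out`, keeping only
 * [A-Za-z0-9._-] and replacing every other byte with '_': whitespace, control
 * bytes, shell metacharacters and git ref syntax such as ~ ^ : ? * [ \ /.
 * Returns the number of bytes replaced, or -1 if `out` is too small. */
int sanitize_tag_name(const char *in, char *out, size_t outsz) {
    size_t n = strlen(in);
    int replaced = 0;
    if (outsz < 2 || n + 1 > outsz) return -1;
    if (n == 0) { strcpy(out, "_"); return 1; }   /* never emit an empty name */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        /* A leading '-' can be parsed as an option by the receiving tool;
         * git also refuses a ref name that starts with '.'. */
        if (ok && i == 0 && (c == '-' || c == '.')) ok = 0;
        /* git refuses ".." inside a ref name and a trailing '.'. */
        if (ok && c == '.' && i > 0 && out[i - 1] == '.') ok = 0;
        if (ok && c == '.' && i == n - 1) ok = 0;
        out[i] = ok ? (char)c : '_';
        replaced += !ok;
    }
    out[n] = '\0';
    return replaced;
}

int main(void) {
    /* Constructed sample tag names, not taken from any real repository. */
    const char *samples[] = { "v2.11.1", "release 1;x", "-n", "a..b",
                              "v1\nreset refs/heads/x" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = sanitize_tag_name(samples[i], buf, sizeof buf);
        printf("%d byte(s) replaced -> %s\n", r, buf);
    }
    return 0;
}
```

A non-zero return value is worth logging, since it means the exported name differs from the name stored in the source repository.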
Comment 4 Aaron W. Swenson gentoo-dev 2020-07-03 00:29:13 UTC
(In reply to Sam James (sec padawan) from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > "Security: Fossil now assumes that the schema of every database it opens has
> > been tampered with by an adversary and takes extra precautions to ensure
> > that such tampering is harmless.
> > 
> > Security: Fossil now puts the Content-Security-Policy in the HTTP reply
> > header, in addition to also leaving it in the HTML <head> section, so that
> > it is always available, even if a custom skin overrides the HTML <head> and
> > omits the CSP in the process."
> 
> Whoops! Ignore this, I think.

You're right on ignoring this bit... kind of. 2.11 is a fix for those two items, while >=2.11.1 is a fix for the git export command.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-09 01:44:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=855990ab005418102e3f8329b0808483805dd820

commit 855990ab005418102e3f8329b0808483805dd820
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-07-09 01:44:01 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-09 01:44:09 +0000

    dev-vcs/fossil: Bump to 2.11.1
    
    Security fix: Make the "fossil git export" command more restrictive about
    characters that it allows in tag names.
    
    Bug: https://bugs.gentoo.org/727664
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-vcs/fossil/Manifest             |  1 +
 dev-vcs/fossil/fossil-2.11.1.ebuild | 72 +++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Comment 6 Aaron W. Swenson gentoo-dev 2020-07-09 01:50:28 UTC
Please stabilize the following target:
dev-vcs/fossil-2.11.1 ~amd64 ~arm ~ppc ~ppc64 ~x86
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-11 19:59:18 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-07-17 07:02:15 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-07-17 07:22:03 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-07-17 07:40:23 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-17 07:44:37 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 12 Larry the Git Cow gentoo-dev 2020-07-26 17:44:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4b83278335c05731b96be3f374894b0332171cf

commit a4b83278335c05731b96be3f374894b0332171cf
Author:     Rafael Martins <rafaelmartins@gentoo.org>
AuthorDate: 2020-07-26 17:44:35 +0000
Commit:     Rafael Martins <rafaelmartins@gentoo.org>
CommitDate: 2020-07-26 17:44:40 +0000

    dev-vcs/fossil: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/727664
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Rafael Martins <rafaelmartins@gentoo.org>

 dev-vcs/fossil/Manifest              |  4 --
 dev-vcs/fossil/fossil-2.10-r1.ebuild | 72 ------------------------------------
 dev-vcs/fossil/fossil-2.10.ebuild    | 57 ----------------------------
 dev-vcs/fossil/fossil-2.11.ebuild    | 72 ------------------------------------
 dev-vcs/fossil/fossil-2.8.ebuild     | 57 ----------------------------
 dev-vcs/fossil/fossil-2.9.ebuild     | 57 ----------------------------
 6 files changed, 319 deletions(-)