Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 727664 - <dev-vcs/fossil-2.11.1: Multiple vulnerabilities
Summary: <dev-vcs/fossil-2.11.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.fossil-scm.org/home/info/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 732236
Blocks:
  Show dependency tree
 
Reported: 2020-06-09 14:26 UTC by Sam James
Modified: 2020-07-28 20:20 UTC (History)
2 users (show)

See Also:
Package list:
dev-vcs/fossil-2.11.1
Runtime testing required: No
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 14:26:32 UTC
Details when available.

@maintainer(s), please bump to 2.11.1.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 13:17:42 UTC
"Security: Fossil now assumes that the schema of every database it opens has been tampered with by an adversary and takes extra precautions to ensure that such tampering is harmless.

Security: Fossil now puts the Content-Security-Policy in the HTTP reply header, in addition to also leaving it in the HTML <head> section, so that it is always available, even if a custom skin overrides the HTML <head> and omits the CSP in the process."
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-27 13:18:15 UTC
(In reply to Sam James (sec padawan) from comment #1)
> "Security: Fossil now assumes that the schema of every database it opens has
> been tampered with by an adversary and takes extra precautions to ensure
> that such tampering is harmless.
> 
> Security: Fossil now puts the Content-Security-Policy in the HTTP reply
> header, in addition to also leaving it in the HTML <head> section, so that
> it is always available, even if a custom skin overrides the HTML <head> and
> omits the CSP in the process."

Whoops! Ignore this, I think.
Comment 3 Aaron W. Swenson gentoo-dev 2020-07-03 00:27:56 UTC
(In reply to Sam James (sec padawan) from comment #0)
> Details when available.
> 
> @maintainer(s), please bump to 2.11.1.

This is the bit that was fixed:

    Make the "fossil git export" command more restrictive about characters that
    it allows in tag names....
    [sanitize] each argument and make it part of an "echo" command run by the
    shell.

https://www.fossil-scm.org/home/info/c9a592dde7fe493f
Comment 4 Aaron W. Swenson gentoo-dev 2020-07-03 00:29:13 UTC
(In reply to Sam James (sec padawan) from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > "Security: Fossil now assumes that the schema of every database it opens has
> > been tampered with by an adversary and takes extra precautions to ensure
> > that such tampering is harmless.
> > 
> > Security: Fossil now puts the Content-Security-Policy in the HTTP reply
> > header, in addition to also leaving it in the HTML <head> section, so that
> > it is always available, even if a custom skin overrides the HTML <head> and
> > omits the CSP in the process."
> 
> Whoops! Ignore this, I think.

You're right on ignoring this bit...kind of. 2.11 is a fix for those two items. While >=2.11.1 is a fix for the git export command.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-09 01:44:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=855990ab005418102e3f8329b0808483805dd820

commit 855990ab005418102e3f8329b0808483805dd820
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-07-09 01:44:01 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-09 01:44:09 +0000

    dev-vcs/fossil: Bump to 2.11.1
    
    Security fix: Make the "fossil git export" command more restrictive about
    characters that it allows in tag names.
    
    Bug: https://bugs.gentoo.org/727664
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-vcs/fossil/Manifest             |  1 +
 dev-vcs/fossil/fossil-2.11.1.ebuild | 72 +++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Comment 6 Aaron W. Swenson gentoo-dev 2020-07-09 01:50:28 UTC
Please stabilize the following target:
dev-vcs/fossil-2.11.1 ~amd64 ~arm ~ppc ~ppc64 ~x86
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-11 19:59:18 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-07-17 07:02:15 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-07-17 07:22:03 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-07-17 07:40:23 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-17 07:44:37 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-07-26 17:44:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4b83278335c05731b96be3f374894b0332171cf

commit a4b83278335c05731b96be3f374894b0332171cf
Author:     Rafael Martins <rafaelmartins@gentoo.org>
AuthorDate: 2020-07-26 17:44:35 +0000
Commit:     Rafael Martins <rafaelmartins@gentoo.org>
CommitDate: 2020-07-26 17:44:40 +0000

    dev-vcs/fossil: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/727664
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Rafael Martins <rafaelmartins@gentoo.org>

 dev-vcs/fossil/Manifest              |  4 --
 dev-vcs/fossil/fossil-2.10-r1.ebuild | 72 ------------------------------------
 dev-vcs/fossil/fossil-2.10.ebuild    | 57 ----------------------------
 dev-vcs/fossil/fossil-2.11.ebuild    | 72 ------------------------------------
 dev-vcs/fossil/fossil-2.8.ebuild     | 57 ----------------------------
 dev-vcs/fossil/fossil-2.9.ebuild     | 57 ----------------------------
 6 files changed, 319 deletions(-)