Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 834982 (CVE-2022-0905)

Summary: <www-apps/gitea-1.16.4: incorrect authorization when using pam auth
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: hydrapolic, maintainer-needed, matthew
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/24588
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-12 04:20:06 UTC 
CVE-2022-0905 (https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb):

Improper Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.

Seemingly not in any release despite CVE description.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-12 17:25:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06b7723e8af08d9d0dd4922d4e83efcf3e69647e

commit 06b7723e8af08d9d0dd4922d4e83efcf3e69647e
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-03-11 20:06:00 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-03-12 17:24:51 +0000

    www-apps/gitea: drop vulnerable
    
    Bug: https://bugs.gentoo.org/834982
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/24496
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 www-apps/gitea/Manifest            |   1 -
 www-apps/gitea/gitea-1.16.1.ebuild | 107 -------------------------------------
 2 files changed, 108 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24f615c255e4c506150264ec23d7a596692c0d58

commit 24f615c255e4c506150264ec23d7a596692c0d58
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-03-11 20:05:42 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-03-12 17:24:47 +0000

    www-apps/gitea: security bump to 1.16.3
    
    Bug: https://bugs.gentoo.org/834982
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.16.3.ebuild | 107 +++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
Comment 2 Matthew Smith gentoo-dev 2022-03-12 21:53:07 UTC 
Apologies, please ignore the commits above. As hydrapolic pointed out in the comments of his pull request, 1.16.3 fixes a different vulnerability in the git backend (which does not have a CVE id or disclosure yet).
Comment 3 Larry the Git Cow gentoo-dev 2022-03-16 17:33:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3982d928f6a2e8301ca0b5d40f4e5e2e991088bd

commit 3982d928f6a2e8301ca0b5d40f4e5e2e991088bd
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-03-15 18:40:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-16 17:33:00 +0000

    www-apps/gitea: security bump to 1.16.4
    
    Bug: https://bugs.gentoo.org/834982
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.16.4.ebuild | 107 +++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-16 22:53:39 UTC 
Thanks, all done!