
Bug 877355 (CVE-2022-42968)

Summary: <www-apps/gitea-1.17.3: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 877707
Bug Blocks: 880669

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 23:26:31 UTC
From 1.17.3 release notes:

SECURITY

    Sanitize and Escape refs in git backend (#21464) (#21463)
    Bump golang.org/x/text (#21412) (#21413)
    Update bluemonday (#21281) (#21287)

Comment 1 Larry the Git Cow gentoo-dev 2022-10-16 23:41:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e14361d484b8a44e6f399d8b7476373838f23cc

commit 3e14361d484b8a44e6f399d8b7476373838f23cc
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-16 23:28:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-16 23:28:08 +0000

    www-apps/gitea: add 1.17.3
    
    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/gitea/Manifest            |   1 +
 www-apps/gitea/gitea-1.17.3.ebuild | 125 +++++++++++++++++++++++++++++++++++++
 2 files changed, 126 insertions(+)

Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 14:39:02 UTC
(In reply to Sam James from comment #0)
> From 1.17.3 release notes:
> 
> SECURITY
> 
>     Sanitize and Escape refs in git backend (#21464) (#21463)

This one's CVE-2022-42968.

>     Bump golang.org/x/text (#21412) (#21413)

CVE-2022-32149.

>     Update bluemonday (#21281) (#21287)

Comment 3 Larry the Git Cow gentoo-dev 2022-10-20 15:42:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad8a8d9d0e4116301239865429f04cc368c265d1

commit ad8a8d9d0e4116301239865429f04cc368c265d1
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-20 15:41:25 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-20 15:41:25 +0000

    www-apps/gitea: drop 1.17.2
    
    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-apps/gitea/Manifest            |   1 -
 www-apps/gitea/gitea-1.17.2.ebuild | 125 -------------------------------------
 2 files changed, 126 deletions(-)

Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:27:14 UTC
GLSA request filed.

Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 01:41:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89

commit 3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-14 ] Gitea: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/848465
    Bug: https://bugs.gentoo.org/857819
    Bug: https://bugs.gentoo.org/868996
    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-14.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:19:00 UTC
GLSA released, all done!