Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 857819 (CVE-2022-38183) - <www-apps/gitea-1.16.9: multiple vulnerabilities
Summary: <www-apps/gitea-1.16.9: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-38183
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/go-gitea/gitea/rel...
Whiteboard: B4 [glsa+]
Keywords: PullRequest
: 858803 (view as bug list)
Depends on: 861944
Blocks:
  Show dependency tree
 
Reported: 2022-07-12 21:54 UTC by John Helmert III
Modified: 2022-10-31 02:18 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-12 21:54:12 UTC
"* SECURITY
  * Add write check for creating Commit status (https://github.com/go-gitea/gitea/pull/20332) (https://github.com/go-gitea/gitea/pull/20334)
  * Check for permission when fetching user controlled issues (https://github.com/go-gitea/gitea/pull/20133) (https://github.com/go-gitea/gitea/pull/20196)"

Please bump to 1.16.9.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-18 16:12:01 UTC
*** Bug 858803 has been marked as a duplicate of this bug. ***
Comment 2 Larry the Git Cow gentoo-dev 2022-07-23 09:13:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79c2317ae6ecfb838ebcaafc5783ad66aac32d3c

commit 79c2317ae6ecfb838ebcaafc5783ad66aac32d3c
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-22 10:56:19 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-07-23 09:13:32 +0000

    www-apps/gitea: security bump to 1.16.9, drop vulnerable
    
    Bug: https://bugs.gentoo.org/857819
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/26516
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/gitea/Manifest                                     | 2 +-
 www-apps/gitea/{gitea-1.16.8.ebuild => gitea-1.16.9.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-23 17:06:34 UTC
Thanks! Please stable when ready
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-13 03:53:32 UTC
(In reply to John Helmert III from comment #0)
> "* SECURITY
>   * Add write check for creating Commit status
> (https://github.com/go-gitea/gitea/pull/20332)
> (https://github.com/go-gitea/gitea/pull/20334)
>   * Check for permission when fetching user controlled issues
> (https://github.com/go-gitea/gitea/pull/20133)
> (https://github.com/go-gitea/gitea/pull/20196)"
> 
> Please bump to 1.16.9.

The second issue seems to have been assigned CVE-2022-38183.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-13 03:58:10 UTC
Minimal impact, no glsa.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:24:32 UTC
We've got a bunch of Gitea bugs so we'll GLSA them all together.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 17:27:29 UTC
GLSA request filed.
Comment 8 Larry the Git Cow gentoo-dev 2022-10-31 01:42:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89

commit 3f72d6f5794d0d3c914ffacdf4c915fd8aac8d89
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:10:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-14 ] Gitea: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/848465
    Bug: https://bugs.gentoo.org/857819
    Bug: https://bugs.gentoo.org/868996
    Bug: https://bugs.gentoo.org/877355
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-14.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:58 UTC
GLSA released, all done!