
Debian Bug report logs - #918849
gitolite3: CVE-2018-20683: security issue in optional bundle helper ("rsync" command)


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 9 Jan 2019 21:45:25 UTC

Severity: important

Tags: patch, security, upstream

Found in version gitolite3/3.6.9-1

Fixed in versions gitolite3/3.6.11-1, gitolite3/3.6.11-2

Done: David Bremner <bremner@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, David Bremner <bremner@debian.org>:
Bug#918849; Package src:gitolite3. (Wed, 09 Jan 2019 21:45:27 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, David Bremner <bremner@debian.org>. (Wed, 09 Jan 2019 21:45:28 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitolite3: security issue in optional bundle helper ("rsync" command)
Date: Wed, 09 Jan 2019 22:44:51 +0100
Source: gitolite3
Version: 3.6.9-1
Severity: important
Tags: patch security upstream

From https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae

> Nick Cleaton (nick@cleaton.net) found and reported a security issue
> caused by trusting the remote rsync too much.  It appears that rsync
> cannot -- without special precautions -- be used in any "restricted"
> environment.
> 
> Gitolite ships with a "bundle helper" called "rsync" (disabled
> by default; more details below).  This fix tightens up this
> helper to close this hole.
> 
> TLDR for administrators and packagers:
> 
> 1.  Am I affected?
> 
>     Look in ~/.gitolite.rc for "rsync"; if it is there, you are
>     affected.
> 
>     This is NOT an essential program, and it is not enabled by
>     default.  You (or a previous administrator of your site)
>     would have to have explicitly enabled it for you to be
>     affected.
> 
> 2.  What's the quick fix?
> 
>     Comment out the "rsync" line in ~/.gitolite.rc IMMEDIATELY.
> 
>     DO NOT LEAVE IT ENABLED IF YOU ARE UNABLE TO UPGRADE IMMEDIATELY!
>     Uncomment it only after you have upgraded or patched.
> 
> 3.  That bad, huh?
> 
>     Sadly, yes :(
> 
> DETAILS:
> 
> This program is not a core program.  Despite the name, it will not
> function as a generic "rsync".
> 
> This is *only* meant to help out people who are on flaky connections,
> trying to clone a large repo.
> 
> Because git clone is not resumable, one common technique is to have
> someone create a "bundle", then download the bundle to seed the local
> repo, then "git fetch" to finish off.  Since the bundle is a single
> file, you can use resumable mechanisms (like rsync) to download it.
> 
> What this command does is allow that kind of bundling to happen
> automatically, if an administrator enables it.
> 
> The user simply rsyncs a bundle file using his gitolite
> credentials.  As a result, the rsync helper command that ships
> with gitolite is executed.  This program manages the creation
> and expiry of bundle files, then passes control to the *real*
> rsync program to perform the actual data transfer.
> 
> It is this last step that requires special care when used in a
> restricted environment, resulting in the need for this patch.

Regards,
Salvatore
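The quoted upstream advisory gives two administrative steps: check `~/.gitolite.rc` for an `rsync` entry, and comment that line out until the package is upgraded. The shell helpers below are an added example written for this page; they are not code from the bug log, from Debian, or from the gitolite project. They assume the rc file lists commands in gitolite's usual `ENABLE => [ ... ]` form, one quoted name per line (`'rsync',` when enabled, `# 'rsync',` when disabled), and the sample rc that `make_sample_rc` writes is a constructed, hypothetical file in that shape, not a copy of gitolite's default.

```shell
#!/bin/sh
# Added example; not code from the bug log, Debian, or the gitolite project.
# Defender-side helpers for the "Am I affected?" and "quick fix" steps of the
# upstream advisory:
#   gitolite_rsync_enabled  - exit 0 (and print the line) if an uncommented
#                             'rsync' entry exists, 1 if absent/commented out,
#                             2 if the rc file cannot be read
#   gitolite_rsync_disable  - comment that entry out, keeping a .bak copy
# Assumption: the rc lists commands in gitolite's usual ENABLE => [ ... ]
# form, one quoted name per line.  make_sample_rc writes a constructed,
# hypothetical rc in that shape purely for the demonstration.

gitolite_rsync_enabled() {
    rc="${1:-$HOME/.gitolite.rc}"
    [ -r "$rc" ] || { echo "cannot read $rc" >&2; return 2; }
    # Drop leading whitespace and comment lines, then look for a quoted
    # rsync token at the start of what remains.  grep's exit status
    # (0 = found, 1 = not found) becomes the function's result.
    sed 's/^[[:space:]]*//' "$rc" | grep -v '^#' | grep -E "^['\"]rsync['\"]"
}

gitolite_rsync_disable() {
    rc="${1:-$HOME/.gitolite.rc}"
    gitolite_rsync_enabled "$rc" >/dev/null
    case $? in
        0) ;;             # enabled: fall through and comment it out
        1) return 0 ;;    # already disabled or absent: nothing to do
        *) return 2 ;;    # unreadable rc file
    esac
    cp -p "$rc" "$rc.bak" || return 1
    # Insert "# " before the quoted token, preserving the indentation.
    sed "s/^\([[:space:]]*\)\(['\"]rsync['\"]\)/\1# \2/" "$rc.bak" > "$rc"
}

# Constructed sample rc (hypothetical; mirrors the shape of a gitolite rc
# but is not a copy of it).  Pass "on" to get the helper enabled.
make_sample_rc() {
    f=$(mktemp) || return 1
    if [ "$1" = on ]; then entry="'rsync',"; else entry="# 'rsync',"; fi
    cat > "$f" <<EOF
%RC = (
    UMASK  => 0077,
    ENABLE => [
        'help',
        'desc',
        $entry
    ],
);
EOF
    echo "$f"
}

# Demonstration on a constructed rc with the helper enabled.
demo=$(make_sample_rc on)
if gitolite_rsync_enabled "$demo"; then
    echo "rsync helper ENABLED in $demo -> commenting it out"
    gitolite_rsync_disable "$demo"
    gitolite_rsync_enabled "$demo" || echo "now disabled (backup in $demo.bak)"
fi
rm -f "$demo" "$demo.bak"
```

Run `gitolite_rsync_enabled` as the gitolite hosting user with no argument to check the real `~/.gitolite.rc`; the check deliberately ignores commented-out lines, so an rc that was already fixed per the advisory reports as not affected. `gitolite_rsync_disable` is the advisory's quick fix in script form and leaves `~/.gitolite.rc.bak` so the line can be restored after the upgrade.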



Information forwarded to debian-bugs-dist@lists.debian.org, David Bremner <bremner@debian.org>:
Bug#918849; Package src:gitolite3. (Thu, 10 Jan 2019 05:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Bremner <bremner@debian.org>. (Thu, 10 Jan 2019 05:21:03 GMT) (full text, mbox, link).


Message #10 received at 918849@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 918849@bugs.debian.org
Subject: Re: Bug#918849: gitolite3: security issue in optional bundle helper ("rsync" command)
Date: Thu, 10 Jan 2019 06:16:51 +0100
Control: retitle -1 gitolite3: CVE-2018-20683: security issue in optional bundle helper ("rsync" command)

On Wed, Jan 09, 2019 at 10:44:51PM +0100, Salvatore Bonaccorso wrote:
> Source: gitolite3
> Version: 3.6.9-1
> Severity: important
> Tags: patch security upstream
> 
> From https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae
> 
> > Nick Cleaton (nick@cleaton.net) found and reported a security issue
> > caused by trusting the remote rsync too much.  It appears that rsync
> > cannot -- without special precautions -- be used in any "restricted"
> > environment.
[...]

This issue has been assigned CVE-2018-20683.

Regards,
Salvatore



Changed Bug title to 'gitolite3: CVE-2018-20683: security issue in optional bundle helper ("rsync" command)' from 'gitolite3: security issue in optional bundle helper ("rsync" command)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 918849-submit@bugs.debian.org. (Thu, 10 Jan 2019 05:21:03 GMT) (full text, mbox, link).


Reply sent to David Bremner <bremner@debian.org>:
You have taken responsibility. (Fri, 25 Jan 2019 12:39:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 25 Jan 2019 12:39:03 GMT) (full text, mbox, link).


Message #17 received at 918849-close@bugs.debian.org (full text, mbox, reply):

From: David Bremner <bremner@debian.org>
To: 918849-close@bugs.debian.org
Subject: Bug#918849: fixed in gitolite3 3.6.11-1
Date: Fri, 25 Jan 2019 12:34:43 +0000
Source: gitolite3
Source-Version: 3.6.11-1

We believe that the bug you reported is fixed in the latest version of
gitolite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Bremner <bremner@debian.org> (supplier of updated gitolite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 25 Jan 2019 08:15:17 -0400
Source: gitolite3
Binary: gitolite3
Architecture: source
Version: 3.6.11-1
Distribution: unstable
Urgency: medium
Maintainer: David Bremner <bremner@debian.org>
Changed-By: David Bremner <bremner@debian.org>
Description:
 gitolite3  - SSH-based gatekeeper for git repositories (version 3)
Closes: 918849
Changes:
 gitolite3 (3.6.11-1) unstable; urgency=medium
 .
   * Bug fix: "CVE-2018-20683: security issue in optional bundle helper
     ('rsync' command)", thanks to Salvatore Bonaccorso
     (Closes: #918849).
   * Convert to source format 3.0 (quilt).
   * Bump debhelper compat to 9
Checksums-Sha1:
 67aebdf3d7db239df98edf7e83044b18651710e5 1831 gitolite3_3.6.11-1.dsc
 0ccfa75ff9b94c140bfb9f068fd55a78225b8996 158116 gitolite3_3.6.11.orig.tar.xz
 20d9d2902ad2b7e4bbb4d0f2bb7b09f975595c78 17592 gitolite3_3.6.11-1.debian.tar.xz
Checksums-Sha256:
 cce5321c3b4a19df0a2d33890b79717120988f03be9efd170db525152fd3c787 1831 gitolite3_3.6.11-1.dsc
 cb92a898fffac4329acd5354c5fc5265d2716931252db56b3fdb210c7ba7d36f 158116 gitolite3_3.6.11.orig.tar.xz
 e107721ea85541f28657fb8861597e145727434861bd46b8b6f6b4bc049b11d0 17592 gitolite3_3.6.11-1.debian.tar.xz
Files:
 607f900b5ccf0cf7d0bf5844262d58b4 1831 vcs optional gitolite3_3.6.11-1.dsc
 14ad83df56ede9b8e773802a74574d52 158116 vcs optional gitolite3_3.6.11.orig.tar.xz
 23187695a708d88ff7c35808b3a81be0 17592 vcs optional gitolite3_3.6.11-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEE3VS2dnyDRXKVCQCp8gKXHaSnniwFAlxK/vIACgkQ8gKXHaSn
niyBkgwAjURlhysBT0f3MFUn/lAPPpJMnR//lfCc5U/KJHdFhh4w5kDp7YI7WiMW
G6jzFHl3lUON92OE6U6gAiKeg7oLlK1Y3aUQKNkuXLvxUhvWEPZU4a2UUI2KDEA0
ytqEdeHJpZLP48CzPWidcs2mpVFPKzl8rEABRB+1Xa4PLFELUVx0yIMxpDUovOEW
MXpWL91+omKrRpDELMcwMlbExAZ/D69GHZweh9iRjd79w+fVSsEt783vAOfbg/I5
CvqycZBo5glEal0UKbcSTjiyn1JJF69vS8qp12pP0StrQQrfCLgBYyYkoTMr8tfn
Mgpq7cof+5DcEAAEHonjvlFPqOfnz9aT8gV/19lbjAKEkZdeljWFdVPGDzxXM+aB
PxB9/8eJcvib5jL0H4eLs4U2fc9NKhhCmOuJjDcOr3QvmRXGRBNw7IIHcFeT1VS1
G9RmMXImyNe9m9Oz4AthKzDqGO6t2DZ681X6eKQtMaqTbcAh4VTBrQJgIIbCNgze
Y4Up5jBF
=w7da
-----END PGP SIGNATURE-----




Reply sent to David Bremner <bremner@debian.org>:
You have taken responsibility. (Fri, 25 Jan 2019 12:51:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 25 Jan 2019 12:51:03 GMT) (full text, mbox, link).


Message #22 received at 918849-close@bugs.debian.org (full text, mbox, reply):

From: David Bremner <bremner@debian.org>
To: 918849-close@bugs.debian.org
Subject: Bug#918849: fixed in gitolite3 3.6.11-2
Date: Fri, 25 Jan 2019 12:49:20 +0000
Source: gitolite3
Source-Version: 3.6.11-2

We believe that the bug you reported is fixed in the latest version of
gitolite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Bremner <bremner@debian.org> (supplier of updated gitolite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 25 Jan 2019 08:32:05 -0400
Source: gitolite3
Binary: gitolite3
Architecture: source
Version: 3.6.11-2
Distribution: unstable
Urgency: medium
Maintainer: David Bremner <bremner@debian.org>
Changed-By: David Bremner <bremner@debian.org>
Description:
 gitolite3  - SSH-based gatekeeper for git repositories (version 3)
Closes: 918849
Changes:
 gitolite3 (3.6.11-2) unstable; urgency=medium
 .
   * Point Vcs-* to salsa
 .
 gitolite3 (3.6.11-1) unstable; urgency=medium
 .
   * Bug fix: "CVE-2018-20683: security issue in optional bundle helper
     ('rsync' command)", thanks to Salvatore Bonaccorso
     (Closes: #918849).
   * Convert to source format 3.0 (quilt).
   * Bump debhelper compat to 9
Checksums-Sha1:
 57029e27a77f20d605e2c60b2f08dfa60efc6242 1862 gitolite3_3.6.11-2.dsc
 a76270ac7a9414024cecabc8f8da1d01afe7eb49 17612 gitolite3_3.6.11-2.debian.tar.xz
 0ccfa75ff9b94c140bfb9f068fd55a78225b8996 158116 gitolite3_3.6.11.orig.tar.xz
Checksums-Sha256:
 c673e8891e34875179cda434a4c5d0e246c8e00e439487aca898c593d84a4870 1862 gitolite3_3.6.11-2.dsc
 08dc5a366b3708d8b0ccf2069e0583d308d678caf1be215275c2eb5c33da1924 17612 gitolite3_3.6.11-2.debian.tar.xz
 cb92a898fffac4329acd5354c5fc5265d2716931252db56b3fdb210c7ba7d36f 158116 gitolite3_3.6.11.orig.tar.xz
Files:
 8fec32f965b2a07e03978fbc9b8eaa0c 1862 vcs optional gitolite3_3.6.11-2.dsc
 916fc7b49fb43eafe31bc3f0d4b6dd5f 17612 vcs optional gitolite3_3.6.11-2.debian.tar.xz
 14ad83df56ede9b8e773802a74574d52 158116 vcs optional gitolite3_3.6.11.orig.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Feb 2019 07:28:42 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:15:07 2019; Machine Name: beach
