
List:       oss-security
Subject:    [oss-security] Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3
From:       cve-assign () mitre ! org
Date:       2013-12-23 20:30:43
Message-ID: 201312232030.rBNKUhbR007398 () linus ! mitre ! org

>> Brief description (main points of announcement): Fresh installs
>> between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive, create a few
>> world writable files.

> gitolite previous to that commit also was vulnerable to a local
> filesystem information leak: Depending on the user umask running
> gitolite setup, he might create world readable files

Use CVE-2013-7203 for this issue that affects additional older
versions of gitolite that were not affected by CVE-2013-4451.

> although different versions are affected, if I understand it correctly
> both fall under CWE-276

The different-versions observation is what makes it necessary to have
separate CVE IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]