
Bug#1091383: marked as done (pagure: CVE-2024-47515 CVE-2024-47516 CVE-2024-4981 CVE-2024-4982)



Your message dated Mon, 20 Jan 2025 08:41:20 +0000
with message-id <E1tZnLU-00FHON-QR@fasolo.debian.org>
and subject line Bug#1091383: fixed in pagure 5.14.1+dfsg-1
has caused the Debian Bug report #1091383,
regarding pagure: CVE-2024-47515 CVE-2024-47516 CVE-2024-4981 CVE-2024-4982
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1091383: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091383
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: pagure
Version: 5.11.3+dfsg-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 5.11.3+dfsg-2.1
Control: found -1 5.11.3+dfsg-1

Hi,

The following vulnerability was published for pagure.

CVE-2024-47515[0]:
| A vulnerability was found in Pagure. Support of symbolic links
| during repository archiving of repositories allows the disclosure of
| local files. This flaw allows a malicious user to take advantage of
| the Pagure instance.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47515
    https://www.cve.org/CVERecord?id=CVE-2024-47515
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2315806
[2] https://pagure.io/pagure/c/9b715170008bdc1dd273f7c28debe782a8f7969e

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: pagure
Source-Version: 5.14.1+dfsg-1
Done: Rebecca N. Palmer <rebecca_palmer@zoho.com>

We believe that the bug you reported is fixed in the latest version of
pagure, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1091383@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rebecca N. Palmer <rebecca_palmer@zoho.com> (supplier of updated pagure package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 14 Jan 2025 23:14:24 +0000
Source: pagure
Architecture: source
Version: 5.14.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Rebecca N. Palmer <rebecca_palmer@zoho.com>
Changed-By: Rebecca N. Palmer <rebecca_palmer@zoho.com>
Closes: 1073117 1091383
Changes:
 pagure (5.14.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.  Includes security fixes (Closes: #1091383):
     - Do not allow reading or writing files outside the repository
       via .. or symlink:
       - view_issue_raw_file()
         https://bugzilla.redhat.com/show_bug.cgi?id=2280726
       - generate_archive() CVE-2024-47515
       - _update_file_in_git()
         https://bugzilla.redhat.com/show_bug.cgi?id=2280723
     - Do not interpret filenames starting with - as git options
       in log() / view_history_file().
       https://bugzilla.redhat.com/show_bug.cgi?id=2315805
   * Drop / refresh patches.
   * Fix additional security issues:
     - Javascript prototype pollution (probably non-exploitable).
     - Quote non-escaping in HTML diffs.
   * Adapt to newer versions of dependencies:
     - Don't crash (many places).
     - Keep markdown alignment, keep reporting empty commits as empty.
     - Still possibly broken: plugins, dump and reload.
   * Tests:
     - Re-enable the build-time tests, using pytest.
     - Enable Salsa CI and autopkgtest, default to a subset for speed.
     - Don't crash when a test has no display name.
     - Accept changed error messages.
     - Skip code style checks.
     - Don't assume being in the source repo (e.g. find templates).
     - Clean up afterwards.
   * Javascript:
     - Minify with terser, copy if minification fails.
     - Actually install the minified version (and fix symlinks).
     - Switch back to Debian packaged libjs-jquery-atwho.
     - Add missing licenses to d/copyright.
   * d/watch: fix version duplication.
   * Fix spelling and grammar.
   * Bump Standards-Version to 4.7.0 (no changes needed).
   * Set Rules-Requires-Root: no.
   * New maintainer.  (Closes: #1073117)


--- End Message ---
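The two fix patterns the changelog names (refuse paths that leave the repository via `..` or a symlink, as in CVE-2024-47515, and hand filenames to git after a `--` separator so a leading `-` is never read as an option) can be illustrated with a small path check. This is added example code, not pagure's own; the function names and the temporary-directory scenario in `demo()` are constructed here.

```python
import os
import tempfile
from typing import Optional


def resolve_inside_repo(repo_root: str, rel_path: str) -> Optional[str]:
    """Return the real path of rel_path if it stays inside repo_root, else None.

    Rejects absolute paths, '..' traversal and symlinks escaping the repo
    (the '.. or symlink' escape class fixed for CVE-2024-47515 and friends).
    """
    if os.path.isabs(rel_path):
        return None
    root = os.path.realpath(repo_root)
    # realpath() follows every symlink component, so a link inside the repo
    # that points at an outside file resolves to that outside path and is
    # caught by the prefix check below.
    target = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def git_path_args(*paths: str) -> list:
    """Trailing git arguments with the '--' separator, so a file named
    '-n1' is a pathspec, never an option (the leading-dash fix above)."""
    return ["--", *paths]


def demo() -> dict:
    """Constructed scenario (not pagure's): one real file, a symlink that
    escapes the repo, a '..' path and an absolute path; which are accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        os.makedirs(repo)
        with open(os.path.join(repo, "README.md"), "w") as fh:
            fh.write("hello\n")
        # secret.txt lives outside the repo; 'leak' is a symlink to it
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for you\n")
        os.symlink(secret, os.path.join(repo, "leak"))
        return {
            "readme": resolve_inside_repo(repo, "README.md") is not None,
            "symlink": resolve_inside_repo(repo, "leak") is not None,
            "dotdot": resolve_inside_repo(repo, "../secret.txt") is not None,
            "absolute": resolve_inside_repo(repo, "/etc/hostname") is not None,
        }
```

Only the plain file inside the repository passes; the symlink, the `..` path and the absolute path are all rejected before any archiving or git call would see them.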