On April 12, 2022, Git v2.35.2 was released to address the security issue CVE-2022-24765. The fix was backported to v2.30.3, v2.31.2, v2.32.1, v2.33.2 and v2.34.2 and published by distributions such as Debian GNU/Linux and Alpine.
If Gitea runs as user foo, uses a patched Git version, and a parent directory of the Git repositories is owned by a user other than foo, it will fail with a message such as:
Failed to open repository: Git/Data Error: exit status 128 - fatal: unsafe repository ('/data/git/repositories/git/data.git' is owned by someone else)
This started to show up in the past two weeks for users running the Gitea binary on Windows who had also independently installed Git v2.36, then for people running Gitea from snap or on a Synology NAS, and then for people running the Gitea Docker images, which are based on Alpine.
Since the root cause of the problem does not lie in Gitea, it requires manual intervention to:
- Change the ownership of all repository directories to belong to the same user as Gitea
- Ensure Gitea does not run as root
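The two steps above boil down to one question: which directories under the repositories root are owned by a uid other than the one Gitea runs as? The following POSIX shell script, added here as an example and not part of Gitea or Git, answers it with an audit function, a counter suitable for scripting, and a fix function that performs the chown. The sample tree it builds under mktemp is constructed so the script runs offline; the GITEA_REPO_ROOT variable is an assumed name for the real repositories directory (such as /data/git/repositories in the Docker images).

```shell
#!/bin/sh
# Added example (not Gitea's or Git's own code): audit a repositories root for
# directories not owned by the uid Gitea runs as. That ownership mismatch is
# exactly what a patched Git (CVE-2022-24765) rejects as "unsafe repository".
# Assumes a find(1) that accepts a numeric uid for "! -user" (GNU and BSD do).

# list_unowned ROOT UID
#   Print every directory under ROOT whose owner is not UID.
list_unowned() {
    find "$1" -type d ! -user "$2" 2>/dev/null
}

# count_unowned ROOT UID
#   Number of directories under ROOT not owned by UID (0 means Git is happy).
count_unowned() {
    list_unowned "$1" "$2" | wc -l | tr -d ' '
}

# fix_ownership ROOT UID
#   Give everything under ROOT to UID; this is the manual intervention the
#   advisory asks for and needs sufficient privileges (root or the owner).
fix_ownership() {
    chown -R "$2" "$1"
}

# make_sample_tree
#   Constructed layout mimicking a Gitea data directory, created in a temp dir
#   so the functions above can be exercised without touching a real install.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/git/data.git/objects" "$base/other/repo.git"
    printf '%s\n' "$base"
}

# Usage on a real host: GITEA_REPO_ROOT=/data/git/repositories sh audit.sh
# (assumed variable name). It lists offending directories for the current uid;
# run fix_ownership with the uid of the Gitea user once the list looks right.
if [ -n "${GITEA_REPO_ROOT:-}" ]; then
    printf 'Directories under %s not owned by uid %s:\n' "$GITEA_REPO_ROOT" "$(id -u)"
    list_unowned "$GITEA_REPO_ROOT" "$(id -u)"
fi
```

Run the audit as the same user that runs Gitea so that `id -u` reflects the uid Git will compare against; running it as root would report nothing useful because root is not the account Gitea should run as.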
Below are specific instructions depending on how Gitea was installed.
Gitea was installed from Docker images version 1.16.6 or later
If you installed Gitea using Docker Basic or manually via the Docker CLI, you can fix the ownership of all repository files with:
docker exec gitea chown -R 1000 /data/git/repositories
Gitea Docker images 1.16.6 and later contain Git 2.30.3 or later, which includes the security patch. Earlier Gitea Docker images ship an older Git (for instance 1.16.5 has 2.30.2) and are not affected.
If that is not possible for some reason, there are workarounds. Be advised that applying these workarounds exposes the host to the security risks described in CVE-2022-24765:
- If using Gitea Docker images:
  - do not upgrade to 1.16.6 or above
  - downgrade from 1.16.6 or 1.16.7 to 1.16.5 (do not downgrade from 1.17.x, it may corrupt the Gitea database)
- If the Gitea binary was installed independently of Git, upgrade Git to version 2.36 or later and disable the security check entirely with:
  git config --system --replace-all safe.directory '*'