diff --git a/gitea-tea.changes b/gitea-tea.changes index 5d98100..24dd79b 100644 --- a/gitea-tea.changes +++ b/gitea-tea.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Nov 28 09:35:29 UTC 2025 - Michal Suchanek + +- Do not make config file group-readable. + * remove-config-file-group-readwrite-permission-856.patch + ------------------------------------------------------------------- Sat Nov 8 12:34:56 UTC 2025 - olaf@aepfle.de diff --git a/gitea-tea.spec b/gitea-tea.spec index 041be81..a64804a 100644 --- a/gitea-tea.spec +++ b/gitea-tea.spec @@ -26,6 +26,7 @@ Source0: %{name}-%{version}.tar.gz Source1: vendor.tar.gz Patch0: fix-CVE-2025-58190.patch Patch1: fix-CVE-2025-47911.patch +Patch3: remove-config-file-group-readwrite-permission-856.patch BuildRequires: golang(API) >= 1.24 Conflicts: tea diff --git a/remove-config-file-group-readwrite-permission-856.patch b/remove-config-file-group-readwrite-permission-856.patch new file mode 100644 index 0000000..afe0c00 --- /dev/null +++ b/remove-config-file-group-readwrite-permission-856.patch @@ -0,0 +1,28 @@ +From f6d4b5fa4fdf4ebb777cc465f9c3ec30c8024548 Mon Sep 17 00:00:00 2001 +From: TheFox0x7 +Date: Thu, 27 Nov 2025 22:45:25 +0000 +Subject: [PATCH] remove group readwrite permission (#856) + +closes: https://gitea.com/gitea/tea/issues/855 +Reviewed-on: https://gitea.com/gitea/tea/pulls/856 +Reviewed-by: Lunny Xiao +Co-authored-by: TheFox0x7 +Co-committed-by: TheFox0x7 +--- + modules/config/config.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/config/config.go b/modules/config/config.go +index 70443ca..30b59f3 100644 +--- a/modules/config/config.go ++++ b/modules/config/config.go +@@ -104,5 +104,5 @@ func saveConfig() error { + if err != nil { + return err + } +- return os.WriteFile(ymlPath, bs, 0o660) ++ return os.WriteFile(ymlPath, bs, 0o600) + } +-- +2.51.0 +