212288 – (CVE-2008-1290) www-apps/viewvc < 1.0.5 Multiple issues (CVE-2008-{1290,1291,1292})

Bug 212288 (CVE-2008-1290) - www-apps/viewvc < 1.0.5 Multiple issues (CVE-2008-{1290,1291,1292})

Summary: www-apps/viewvc < 1.0.5 Multiple issues (CVE-2008-{1290,1291,1292})

Status:	RESOLVED FIXED

Alias:	CVE-2008-1290

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/29176/
Whiteboard:	B4 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-03-04 15:34 UTC by Pierre-Yves Rofes (RETIRED)
Modified:	2008-08-17 17:59 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-03-04 15:34:05 UTC

Some security issues have been reported in ViewVC, which can be exploited by malicious people to bypass certain security restrictions.

1) An error can be exploited to list CVS or SVN commits on "all-forbidden" files via a ViewVC query.

2) An error can be exploited to directly access hidden CVSROOT folders via custom URLs.

3) An error can be exploited to expose restricted content via the revision view, the log history, or the diff view.

The security issues are reported in versions prior to 1.0.5.

Solution:
Update to version 1.0.5.

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-03-04 15:35:12 UTC

Web-apps, please bump as needed.

Comment 2 Benedikt Böhm (RETIRED) gentoo-dev

2008-03-07 10:02:57 UTC

in cvs, please stabilize

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2008-03-07 16:33:26 UTC

x86 stable

Comment 4 Ferris McCormick (RETIRED) gentoo-dev

2008-03-07 17:12:19 UTC

Sparc stable.  Christian, I am adding you in CC because one of us got the wrong version.

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2008-03-08 08:38:49 UTC

Thanks Ferris, I really did the wrong version.  Fixed it.

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev

2008-03-09 06:44:49 UTC

ppc stable

Comment 7 Steve Dibb (RETIRED) gentoo-dev

2008-03-10 14:06:01 UTC

amd64 stable

Comment 8 Peter Volkov (RETIRED) gentoo-dev

2008-03-10 15:44:12 UTC

Fixed in release snapshot.

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev

2008-03-11 17:21:13 UTC

Ready for vote.

I vote YES.

Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-03-11 22:06:51 UTC

yes too, request filed.

Comment 11 Tobias Heinlein (RETIRED) gentoo-dev

2008-03-19 23:02:57 UTC

GLSA 200803-29