Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 309195 - <www-apps/viewvc-1.1.4: XSS attack (CVE-2010-0736)
Summary: <www-apps/viewvc-1.1.4: XSS attack (CVE-2010-0736)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-12 22:20 UTC by Jeremy Olexa (darkside) (RETIRED)
Modified: 2010-08-11 20:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-03-12 22:20:18 UTC 
Not sure if you guys want this or not, but I spotted something in the ChangeLog that caught my eye :)

Version 1.1.4 (released 10-Mar-2010)

  * security fix: escape user-provided query form input to avoid XSS attack
  * fix standalone.py failure (when per-root options aren't used) (issue #445)
  * fix annotate failure caused by ignored svn_config_dir (issue #447)
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-03-24 16:06:16 UTC 
@webapps-team: I committed this ebuild because it works for me and there is no change except for it now installs templates-contrib/ too.

+*viewvc-1.1.4 (24 Mar 2010)
+
+  24 Mar 2010; Jeremy Olexa <darkside@gentoo.org> +viewvc-1.1.4.ebuild:
+  Version bump for bug 309195, fixes possible XSS security attack and now
+  installs templates-contrib as well
+

@security team, please advise on urgency of the "security fix" - Thanks.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-24 17:29:26 UTC 
Jeremy, thanks for the report and the bump.

Arches, please test and mark stable:
=www-apps/viewvc-1.1.4
Target keywords : "amd64 ppc sparc x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-24 19:05:25 UTC 
x86 stable
Comment 4 Markus Meier gentoo-dev 2010-03-29 21:54:04 UTC 
amd64 stable
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-30 18:40:47 UTC 
There's been discovered another vulnerability and another version has been released. Remaining arches, please go for bug #312165 instead, thanks.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-06 04:04:34 UTC 
CVE-2010-0736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0736):
  Cross-site scripting (XSS) vulnerability in the view_queryform
  function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before
  1.1.4, allows remote attackers to inject arbitrary web script or HTML
  via "user-provided input."
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:13 UTC 
CVE-2010-0736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0736):
  Cross-site scripting (XSS) vulnerability in the view_queryform
  function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before
  1.1.4, allows remote attackers to inject arbitrary web script or HTML
  via "user-provided input."
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-11 20:40:53 UTC 
XSS → noglsa.