
Bug 426690 (CVE-2012-3356)

Summary: <www-apps/viewvc-1.1.17: two security flaws fixed in 1.1.15 (CVE-2012-{3356,3357})
Product: Gentoo Security
Reporter: the_eccentric
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://viewvc.tigris.org/issues/show_bug.cgi?id=353
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 440774
Bug Blocks:

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:20:22 UTC
CVE-2012-3357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3357):
  The SVN revision view (lib/vclib/svn/svn_repos.py) in ViewVC before 1.1.15
  does not properly handle log messages when a readable path is copied from an
  unreadable path, which allows remote attackers to obtain sensitive
  information, related to a "log msg leak."

CVE-2012-3356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3356):
  The remote SVN views functionality (lib/vclib/svn/svn_ra.py) in ViewVC
  before 1.1.15 does not properly perform authorization, which allows remote
  attackers to bypass intended access restrictions via unspecified vectors.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 19:53:12 UTC
web-apps: ping

Please bump for this bug and bug 440774.
Comment 3 Anthony Basile gentoo-dev 2012-11-11 01:47:35 UTC
Bumped to viewvc-1.1.17.  This should also take care of bug 440774.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-11 13:41:40 UTC
(In reply to comment #3)
> Bumped to viewvc-1.1.17.  This should also take care of bug 440774.

Thanks, Anthony.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 22:16:15 UTC
GLSA vote: no.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-12-11 17:33:53 UTC
GLSA Vote: no, too. Closing noglsa.