Bug#: 212288
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>
Description:   Opened: 2008-03-04 15:34 0000
Some security issues have been reported in ViewVC, which can be exploited by
malicious people to bypass certain security restrictions.

1) An error can be exploited to list CVS or SVN commits on "all-forbidden"
files via a ViewVC query.

2) An error can be exploited to directly access hidden CVSROOT folders via
custom URLs.

3) An error can be exploited to expose restricted content via the revision
view, the log history, or the diff view.

The security issues are reported in versions prior to 1.0.5.

Solution:
Update to version 1.0.5.
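The three items in the advisory are one bug class: a path-based authorization check that is not applied to every path a view can reveal, and that can be sidestepped by URL variants of the same path. The following is an added illustration of how such a check is applied consistently; it is not ViewVC's own authz code, and the policy lists (FORBIDDEN_PREFIXES, HIDDEN_DIRS), the function names and the sample requests are all constructed for the example.

```python
"""
Consistent path-based authorization for a repository browser.

Added illustration of the bug class in the advisory above; NOT ViewVC's
own code. The policy, function names and sample paths are constructed.
"""
from posixpath import normpath
from urllib.parse import unquote

# Constructed policy: "all-forbidden" subtrees and hidden administrative
# directories that must never be reachable from any view.
FORBIDDEN_PREFIXES = ("secret",)
HIDDEN_DIRS = ("CVSROOT",)


def canonical(path: str) -> str:
    """Reduce a user-supplied repository path to one canonical form.

    Percent-decoding (twice, to tolerate double encoding), backslashes,
    duplicate slashes, '.' and '..' segments and leading/trailing slashes
    are all resolved before any authz decision, so a 'custom URL' for a
    hidden directory canonicalizes to the same string as the plain one.
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    # Anchor at a single leading '/' so normpath resolves '..' against the
    # repository root instead of escaping it, then drop that anchor again.
    return normpath("/" + decoded.lstrip("/")).lstrip("/")


def is_allowed(path: str) -> bool:
    """True if the canonical path touches no forbidden or hidden location."""
    rel = canonical(path)
    segments = rel.split("/") if rel else []
    if any(seg in HIDDEN_DIRS for seg in segments):
        return False
    for prefix in FORBIDDEN_PREFIXES:
        # Segment-aware prefix match: 'secret/x' is denied, 'secrets/x' is not.
        if rel == prefix or rel.startswith(prefix + "/"):
            return False
    return True


def filter_visible(paths):
    """Query/listing views: drop every hit the caller may not see."""
    return [p for p in paths if is_allowed(p)]


def authorize_view(view: str, params: dict) -> bool:
    """Deny the whole view unless every path it would reveal is allowed.

    Each view enumerates all paths it touches (both sides of a diff, every
    historical path in a log, every path changed in a revision) instead of
    checking only the path named in the URL. Parameter keys are constructed.
    """
    if view == "diff":
        return is_allowed(params["old"]) and is_allowed(params["new"])
    if view == "log":
        return all(is_allowed(p) for p in params["history"])
    if view == "rev":
        return all(is_allowed(p) for p in params["changed_paths"])
    return False  # unknown views are denied by default


if __name__ == "__main__":
    # Constructed requests mirroring the advisory's three cases.
    print(filter_visible(["pub/README", "secret/key.txt", "CVSROOT/modules"]))
    print(is_allowed("pub//..%2FCVSROOT/passwd"))          # hidden dir via custom URL
    print(authorize_view("diff", {"old": "pub/a", "new": "secret/b"}))
    print(authorize_view("rev", {"changed_paths": ["pub/a", "pub/b"]}))
```

The point of the design is that authorization is decided on canonical paths, and every view hands the authorizer the complete set of paths it is about to expose; a check that runs only on the URL's path component misses the second side of a diff, renamed ancestors in a log, and the other files in a revision.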

------- Comment #1 From Pierre-Yves Rofes 2008-03-04 15:35:12 0000 -------
Web-apps, please bump as needed.

------- Comment #2 From Benedikt Böhm 2008-03-07 10:02:57 0000 -------
In CVS, please stabilize.

------- Comment #3 From Christian Faulhammer 2008-03-07 16:33:26 0000 -------
x86 stable

------- Comment #4 From Ferris McCormick 2008-03-07 17:12:19 0000 -------
Sparc stable.  Christian, I am adding you in CC because one of us got the wrong
version.

------- Comment #5 From Christian Faulhammer 2008-03-08 08:38:49 0000 -------
Thanks Ferris, I really did the wrong version.  Fixed it.

------- Comment #6 From Tobias Scherbaum 2008-03-09 06:44:49 0000 -------
ppc stable

------- Comment #7 From Steve Dibb 2008-03-10 14:06:01 0000 -------
amd64 stable

------- Comment #8 From Peter Volkov 2008-03-10 15:44:12 0000 -------
Fixed in release snapshot.

------- Comment #9 From Tobias Heinlein 2008-03-11 17:21:13 0000 -------
Ready for vote.

I vote YES.

------- Comment #10 From Pierre-Yves Rofes 2008-03-11 22:06:51 0000 -------
Yes too, request filed.

------- Comment #11 From Tobias Heinlein 2008-03-19 23:02:57 0000 -------
GLSA 200803-29
