Bugzilla Bug 72461

From vendor-sec, to be kept confidential :

---------------------------
Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility
for viewing CVS and Subversion repositories via HTTP.  In both cases
the program doesn't honour the settings enough to hide certain
directories from the tar export.

Problem 1: hide_cvsroot doesn't work when a tar file is exported

Problem 2: forbidden is ignored when a tar file is exported

The attached patches patches for both version 0.9 and 1.0 which have
different code but are both vulnerable to these problems seem to fix
those.  Upstream is unresponsive unfortunately.

This is most probably not that critical since many CVS repositories
are available via anonymous CVS anyway and that one does support
neither of these options.
---------------------------------------------

Created an attachment (id=44712) [details]
patch.CAN-2004-0915.viewcvs.0.9.2

Patch for 0.9.x viewcvs

Renat this is a restricted bug, please prepare a fixed ebuild and have it ready
when a disclosure date is agreed with vendor-sec.

Ccing Stuart as rl03 seems inactive

Can we commit this patch into portage, or do we have to wait until vendor-sec
declassify the bug?

Thanks,
Stu

We still have to wait before pushing any of this in a public repository.

You can attach the ebuild (or a tarball with the ebuild and files) to this bug, so that we can push them for early stable testing to selected devs.

This is public now. 

Stuart please commit the patch.

viewcvs-0.9.2_p20041207.ebuild has been added, and marked stable on x86.  Needs
marking stable on ppc.

Please note: I've done minimal testing on this package.

Best regards,
Stu

ppc, please mark viewcvs-0.9.2_p20041207 stable.

stable on ppc

Security please vote on GLSA on this one.

I would vote for a GLSA

Debian published a DSA already btw.

Yes, GLSA needed.

I'll handle this together with bug 73772

GLSA 200412-26