Bug#: 73772
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Attachments:
Filename | Description | Type | Creator | Created | Size
viewcvs-CAN-2004-1062.patch | viewcvs-CAN-2004-1062.patch | patch | Thierry Carrez (RETIRED) | 2004-12-16 07:45 0000 | 362 bytes
viewcvs-CAN-2004-1062.patch | New viewcvs-CAN-2004-1062.patch | patch | Thierry Carrez (RETIRED) | 2004-12-21 05:58 0000 | 341 bytes

Bug 73772 blocks: 72461

Description:   Opened: 2004-12-08 01:39 0000
No details known, opening bug to keep track of the issue.

------- Comment #1 From Thierry Carrez (RETIRED) 2004-12-09 02:21:08 0000 -------
It's an XSS issue in the ViewCVSException handling of 404 Not Found pages.
Example:

lynx -source 'http://yourserverhere/viewcvs.cgi/<script>alert("BOO"+document.cookie)</script>' | grep BOO

http://www.gentoo.org/cgi-bin/viewcvs.cgi is not affected, but others on the net (including 1.0-dev) are (?!)

Found by Michael Krax from RedHat, waiting for a disclosure date (and hopefully patches) from him.
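
The issue class described in comment #1, as an added example (not ViewCVS code and not the attached patch): a 404 page that copies the requested path into its HTML, the same page with the path entity-encoded, and a regression check that tells the two apart. The template, the "unknown location" message and all function names are assumptions made for illustration.

```python
import html

# Constructed request path, modelled on the example in comment #1.
SAMPLE_PATH = '/<script>alert("BOO"+document.cookie)</script>'

# Hypothetical error template; the real ViewCVS page layout is not shown here.
ERROR_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head>\n"
    "<body><h1>404 Not Found</h1>\n"
    "<p>{message}</p></body></html>\n"
)


def render_404_unsafe(path):
    """'Before' form: the requested path is copied into the page as-is."""
    return ERROR_TEMPLATE.format(message="%s: unknown location" % path)


def render_404_escaped(path):
    """Hardened form: HTML metacharacters in the path are entity-encoded."""
    safe = html.escape(path, quote=True)
    return ERROR_TEMPLATE.format(message="%s: unknown location" % safe)


def reflects_raw_markup(body, path):
    """Regression check: True if the path appears in the body unescaped.

    Only meaningful for paths that contain HTML metacharacters; a plain
    path such as /foo is expected to appear verbatim and returns False.
    """
    has_meta = any(c in path for c in '<>&"\'')
    return has_meta and path in body


if __name__ == "__main__":
    for render in (render_404_unsafe, render_404_escaped):
        body = render(SAMPLE_PATH)
        print(render.__name__, "reflects raw markup:",
              reflects_raw_markup(body, SAMPLE_PATH))
```

The same check can be run against a patched installation's real 404 response body to confirm the bump took effect.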

------- Comment #2 From Thierry Carrez (RETIRED) 2004-12-16 07:45:58 0000 -------
Created an attachment (id=46129) [details]
viewcvs-CAN-2004-1062.patch

Here is the patch, it's still unclear on disclosure policy though. Keeping it
private for the time being.

------- Comment #3 From Thierry Carrez (RETIRED) 2004-12-20 01:38:32 0000 -------
This is now public.

web-apps, could you quickly bump viewcvs with the provided patch, so that we can issue a grouped GLSA with bug 72461?

------- Comment #4 From Thierry Carrez (RETIRED) 2004-12-21 05:58:28 0000 -------
Created an attachment (id=46541) [details]
New viewcvs-CAN-2004-1062.patch

This one (from SuSE) applies more cleanly.

------- Comment #5 From Thierry Carrez (RETIRED) 2004-12-23 02:39:40 0000 -------
web-apps/Stuart : please apply latest patch and bump. I checked that this one
applies cleanly, and it's a very minor patch.

------- Comment #6 From Stuart Herbert (RETIRED) 2004-12-23 03:11:45 0000 -------
Patch applied, and in Portage. New package is viewcvs-0.9.2_p20041207-r1.
Keywords are ~x86 and ~ppc. Needs marking stable on both arches. I can't test
it (don't have a CVS repository set up myself atm), but the patch itself looks
very safe.

Best regards,
Stu

------- Comment #7 From Thierry Carrez (RETIRED) 2004-12-23 04:48:53 0000 -------
x86,ppc : please mark stable

------- Comment #8 From Jochen Maes (RETIRED) 2004-12-23 11:08:17 0000 -------
stable on ppc

------- Comment #9 From Thierry Carrez (RETIRED) 2004-12-28 06:30:24 0000 -------
stable on x86 by Stuart
GLSA 200412-26
