
Bug 212288 (CVE-2008-1290)

Summary: www-apps/viewvc < 1.0.5 Multiple issues (CVE-2008-{1290,1291,1292})
Product: Gentoo Security
Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 15:34:05 UTC
Some security issues have been reported in ViewVC, which can be exploited by malicious people to bypass certain security restrictions.

1) An error can be exploited to list CVS or SVN commits on "all-forbidden" files via a ViewVC query.

2) An error can be exploited to directly access hidden CVSROOT folders via custom URLs.

3) An error can be exploited to expose restricted content via the revision view, the log history, or the diff view.

The security issues are reported in versions prior to 1.0.5.

Update to version 1.0.5.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 15:35:12 UTC
Web-apps, please bump as needed.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-03-07 10:02:57 UTC
in cvs, please stabilize
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-07 16:33:26 UTC
x86 stable
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-03-07 17:12:19 UTC
Sparc stable.  Christian, I am adding you in CC because one of us got the wrong version.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-08 08:38:49 UTC
Thanks Ferris, I really did the wrong version.  Fixed it.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-09 06:44:49 UTC
ppc stable
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2008-03-10 14:06:01 UTC
amd64 stable
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-03-10 15:44:12 UTC
Fixed in release snapshot.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-11 17:21:13 UTC
Ready for vote.

I vote YES.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 22:06:51 UTC
yes too, request filed.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-19 23:02:57 UTC
GLSA 200803-29