Summary: | www-apps/viewcvs: CAN-2004-1062 XSS issue
---|---
Product: | Gentoo Security
Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | web-apps
Priority: | High
Version: | unspecified
Hardware: | All
OS: | All
Whiteboard: | B4 [glsa] koon
Package list: |
Runtime testing required: | ---
Bug Depends on: |
Bug Blocks: | 72461
Attachments: |
Description

Sune Kloppenborg Jeppesen (RETIRED), 2004-12-08 01:39:49 UTC

It's an XSS issue in the ViewCVSException handling of 404 Not Found pages. Example:

    lynx -source 'http://yourserverhere/viewcvs.cgi/<script>alert("BOO"+document.cookie)</script>' | grep BOO

http://www.gentoo.org/cgi-bin/viewcvs.cgi is not affected, but others on the net (including 1.0-dev) are (?!)

Found by Michael Krax from RedHat, waiting for a disclosure date (and hopefully patches) from him.

Created attachment 46129 [details, diff]
viewcvs-CAN-2004-1062.patch

Here is the patch, it's still unclear on disclosure policy though. Keeping it private for the time being.

This is now public. web-apps, could you quickly bump viewcvs with the provided patch, so that we can issue a grouped GLSA with bug 72461.

Created attachment 46541 [details, diff]
New viewcvs-CAN-2004-1062.patch

This one (from SuSE) applies more cleanly.

web-apps/Stuart: please apply latest patch and bump. I checked that this one applies cleanly, and it's a very minor patch.

Patch applied, and in Portage. New package is viewcvs-0.9.2_p20041207-r1. Keywords are ~x86 and ~ppc. Needs marking stable on both arches.

I can't test it (don't have a CVS repository setup myself atm), but the patch itself looks very safe.

Best regards,
Stu

x86, ppc: please mark stable

stable on ppc

stable on x86 by Stuart

GLSA 200412-26
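The bug class described in the report (a 404 handler that echoes the requested path into the error page without HTML escaping) is illustrated below with a simplified handler. This is an added example, not ViewCVS's own code or the attached patch: the template, function names and the regression check are assumptions, and the probe path is constructed from the one quoted in the description.

```python
"""Simplified illustration of the CAN-2004-1062 bug class: a 404 page that
reflects PATH_INFO into HTML unescaped, beside the escaped form and a small
regression check. Added example; not ViewCVS code (template and names assumed)."""
import html
from urllib.parse import unquote

# Constructed sample path, modelled on the probe quoted in the bug report.
PROBE_PATH = '/viewcvs.cgi/<script>alert("BOO"+document.cookie)</script>'

# Assumed error-page template; the real ViewCVS markup is not on the page.
NOT_FOUND_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>Not Found</h1>"
    "<p>The requested path {path} was not found in the repository.</p>"
    "</body></html>"
)


def render_not_found_vulnerable(request_path):
    """Unpatched behaviour: the decoded request path is substituted into the
    page verbatim, so any markup present in the URL reaches the browser."""
    return NOT_FOUND_TEMPLATE.format(path=unquote(request_path))


def render_not_found_fixed(request_path):
    """Escape the path before it is placed in the page. quote=True also
    neutralises quote characters, which matters if the value ever lands
    inside an attribute rather than element text."""
    safe_path = html.escape(unquote(request_path), quote=True)
    return NOT_FOUND_TEMPLATE.format(path=safe_path)


def reflects_unescaped(page, request_path):
    """Regression check: True if the decoded path appears verbatim in the page
    even though it contains characters HTML requires to be escaped."""
    decoded = unquote(request_path)
    if html.escape(decoded, quote=True) == decoded:
        return False  # nothing in the path needed escaping
    return decoded in page


if __name__ == "__main__":
    for label, render in (("vulnerable", render_not_found_vulnerable),
                          ("fixed", render_not_found_fixed)):
        page = render(PROBE_PATH)
        print(label, "reflects unescaped markup:",
              reflects_unescaped(page, PROBE_PATH))
```

The check decodes percent-encoding first because a CGI receives PATH_INFO already decoded, so `%3Cscript%3E` and a literal `<script>` are the same input to the handler.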