Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212288 (CVE-2008-1290) - www-apps/viewvc < 1.0.5 Multiple issues (CVE-2008-{1290,1291,1292})
Summary: www-apps/viewvc < 1.0.5 Multiple issues (CVE-2008-{1290,1291,1292})
Alias: CVE-2008-1290
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2008-03-04 15:34 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2008-08-17 17:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 15:34:05 UTC
Some security issues have been reported in ViewVC, which can be exploited by malicious people to bypass certain security restrictions.

1) An error can be exploited to list CVS or SVN commits on "all-forbidden" files via a ViewVC query.

2) An error can be exploited to directly access hidden CVSROOT folders via custom URLs.

3) An error can be exploited to expose restricted content via the revision view, the log history, or the diff view.

The security issues are reported in versions prior to 1.0.5.

Update to version 1.0.5.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-04 15:35:12 UTC
Web-apps, please bump as needed.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-03-07 10:02:57 UTC
in cvs, please stabilize
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-07 16:33:26 UTC
x86 stable
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-03-07 17:12:19 UTC
Sparc stable.  Christian, I am adding you in CC because one of us got the wrong version.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-08 08:38:49 UTC
Thanks Ferris, I really did the wrong version.  Fixed it.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-09 06:44:49 UTC
ppc stable
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2008-03-10 14:06:01 UTC
amd64 stable
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-03-10 15:44:12 UTC
Fixed in release snapshot.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-11 17:21:13 UTC
Ready for vote.

I vote YES.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 22:06:51 UTC
yes too, request filed.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-19 23:02:57 UTC
GLSA 200803-29