From https://bugzilla.redhat.com/show_bug.cgi?id=868606 :

From Nicolás Alvarez <nicolas.alvarez@gmail.com>:
Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit access to the repository. The "function name" lines returned by diff (in the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again. The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script> one context two context three context -trigger +trigger X

When telling ViewVC to show the diff of that file for the last commit, it doesn't HTML-escape the <script>, so it gets executed.

patch: https://bugzilla.redhat.com/attachment.cgi?id=630786
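The mechanism described in the report, as an added illustration that is not ViewVC's own code and not the attached patch: a unified-diff hunk header carries optional "extra" text after the second @@ (the function-name context diff -p appends), and a renderer that escapes the context/changed lines but interpolates that extra text raw produces exactly the injection above. The sample diff is constructed from the report; the parse_hunk_header/render_diff helpers and the CSS class names are assumptions for the example, not ViewVC's markup or API.

```python
import html
import re

# Constructed sample: the unified diff the report says the second commit
# produces, as diff -p / svn diff with function-name context would emit it.
SAMPLE_DIFF = '''@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
'''

# Unified-diff hunk header: "@@ -old[,len] +new[,len] @@" plus optional
# trailing "extra" info (the function-name line diff -p appends).
HUNK_RE = re.compile(r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(.*)$')


def parse_hunk_header(line):
    """Return the hunk ranges and the raw extra text, or None if not a header."""
    m = HUNK_RE.match(line)
    if m is None:
        return None
    return {
        'old_start': int(m.group(1)),
        'old_len': int(m.group(2) or 1),
        'new_start': int(m.group(3)),
        'new_len': int(m.group(4) or 1),
        'extra': m.group(5).strip(),   # attacker-controlled: it is file content
    }


def render_diff(diff_text, escape_extra):
    """Render a unified diff as HTML table rows (illustrative markup only).

    escape_extra=False reproduces the pre-1.1.16 defect: every diff body
    line is escaped, but the hunk header's extra text is interpolated raw.
    """
    rows = []
    for line in diff_text.splitlines():
        hdr = parse_hunk_header(line)
        if hdr is not None:
            extra = hdr['extra']
            if escape_extra:
                extra = html.escape(extra, quote=True)
            rows.append(
                '<tr><td class="diff-hunk">@@ -%d,%d +%d,%d @@ %s</td></tr>'
                % (hdr['old_start'], hdr['old_len'],
                   hdr['new_start'], hdr['new_len'], extra))
            continue
        # Context, removed and added lines come from the repository too and
        # were already escaped before the fix; only the extra text was missed.
        rows.append('<tr><td class="diff-line">%s</td></tr>'
                    % html.escape(line, quote=True))
    return '\n'.join(rows)


def render_vulnerable(diff_text):
    return render_diff(diff_text, escape_extra=False)


def render_fixed(diff_text):
    return render_diff(diff_text, escape_extra=True)


def has_raw_script_tag(rendered_html):
    """Cheap check a test can use: does a literal <script> survive rendering?"""
    return '<script' in rendered_html.lower()


if __name__ == '__main__':
    print(render_vulnerable(SAMPLE_DIFF))
    print('---')
    print(render_fixed(SAMPLE_DIFF))
```

The attacker needs nothing beyond commit access: the payload is an ordinary source line that happens to precede the changed region, so it is selected as the function-name context of every later hunk near it. The fix is to treat the extra text like any other repository-derived string and escape it at the point where it is interpolated into HTML; checking for "<script" is only a smoke test, since any markup (an img onerror handler, for example) gets through the same way.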
Fixed upstream:

Version 1.1.16 (released 24-Oct-2012)
* security fix: escape "extra" diff info to avoid XSS attack (issue #515)
* add 'binary_mime_types' configuration option and handling (issue #510)
* fix 'select for diffs' persistence across log pages (issue #512)
* remove lock status and filesize check on directories in remote SVN views
* fix bogus 'Annotation of' page title for non-annotated view (issue #514)
Bumped to viewvc-1.1.17.
(In reply to comment #2)
> Bumped to viewvc-1.1.17.

Arches, please test it and mark stable.
amd64 stable
x86 stable, last arch!
Thanks, everyone. Closing noglsa for XSS only.
CVE-2012-4533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4533): Cross-site scripting (XSS) vulnerability in the "extra" details in the diff function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.