Bug 440774 (CVE-2012-4533) - <www-apps/viewvc-1.1.17: lib/viewvc.py XSS (CVE-2012-4533)
Summary: <www-apps/viewvc-1.1.17: lib/viewvc.py XSS (CVE-2012-4533)
Status: RESOLVED FIXED
Alias: CVE-2012-4533
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2012-3356
Reported: 2012-11-01 16:15 UTC by Agostino Sarubbo
Modified: 2012-11-20 00:38 UTC
Description Agostino Sarubbo gentoo-dev 2012-11-01 16:15:15 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=868606 :

From Nicolás Alvarez <nicolas.alvarez@gmail.com>:

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
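Review bot: the text after the closing `@@` on the hunk header line is the "function name" context that diff copies verbatim from the file, so it is as attacker-controlled as any `-` or `+` line below it; a diff renderer must pass it through the same HTML-escaping routine as the body lines, otherwise the `<script>` shown here reaches the browser unescaped.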

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.
patch: https://bugzilla.redhat.com/attachment.cgi?id=630786
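The escaping defect described in this report, as an added example that is not ViewVC's own code: a minimal unified-diff-to-HTML renderer in the vulnerable form beside the hardened form, run over the constructed diff from the report above, plus a check a reviewer could run on the rendered output. The hunk-header regex, the function names and the HTML table layout are assumptions.

```python
import html
import re

# Unified-diff hunk header: "@@ -old,len +new,len @@ <extra>". Group 1 is the
# range part; group 2, the "extra" info (function name / enclosing context), is
# copied verbatim from the versioned file, so anyone with commit access controls it.
HUNK_RE = re.compile(r"^(@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@)(?: (.*))?$")

# Constructed sample: the diff produced by the second commit in the report.
SAMPLE_DIFF = """@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
"""


def render_hunk_header_vulnerable(line):
    """Pre-1.1.16 behaviour: the range is escaped, the extra info is emitted raw."""
    m = HUNK_RE.match(line)
    if not m:
        raise ValueError("not a hunk header: %r" % line)
    ranges, extra = m.group(1), m.group(2) or ""
    # BUG: 'extra' is file content and is interpolated without escaping.
    return '<tr><td class="hunk">%s</td><td class="extra">%s</td></tr>' % (
        html.escape(ranges), extra)


def render_hunk_header_fixed(line):
    """Hardened form: every piece of file-derived text goes through html.escape."""
    m = HUNK_RE.match(line)
    if not m:
        raise ValueError("not a hunk header: %r" % line)
    ranges, extra = m.group(1), m.group(2) or ""
    return '<tr><td class="hunk">%s</td><td class="extra">%s</td></tr>' % (
        html.escape(ranges), html.escape(extra))


def render_diff(diff_text, header_renderer):
    """Render a unified diff as table rows; body lines are always escaped."""
    rows = []
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):
            rows.append(header_renderer(raw))
        else:
            rows.append('<tr><td class="line">%s</td></tr>' % html.escape(raw))
    return "\n".join(rows)


def has_unescaped_script(rendered_html):
    """Our templates only emit tr/td, so any literal <script tag is injected content."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None
```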
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 19:52:19 UTC
Fixed upstream:

Version 1.1.16 (released 24-Oct-2012)

  * security fix: escape "extra" diff info to avoid XSS attack (issue #515)
  * add 'binary_mime_types' configuration option and handling (issue #510)
  * fix 'select for diffs' persistence across log pages (issue #512)
  * remove lock status and filesize check on directories in remote SVN views
  * fix bogus 'Annotation of' page title for non-annotated view (issue #514)
Comment 2 Anthony Basile gentoo-dev 2012-11-11 01:47:47 UTC
Bumped to viewvc-1.1.17.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-11 13:43:07 UTC
(In reply to comment #2)
> Bumped to viewvc-1.1.17.

Arches, please test it and mark stable.
Comment 4 Agostino Sarubbo gentoo-dev 2012-11-11 14:03:58 UTC
amd64 stable
Comment 5 Andreas Schürch gentoo-dev 2012-11-12 18:47:15 UTC
x86 stable, last arch!
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 22:14:07 UTC
Thanks, everyone.

Closing noglsa for XSS only.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:38:25 UTC
CVE-2012-4533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4533):
  Cross-site scripting (XSS) vulnerability in the "extra" details in the diff
  function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before
  1.1.16 allows remote authenticated users with repository commit access to
  inject arbitrary web script or HTML via the "function name" line.