Bug 72461 - www-apps/viewcvs: tar export abuse (CAN-2004-0915)
Summary: www-apps/viewcvs: tar export abuse (CAN-2004-0915)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B4 [glsablocked] koon
Depends on: 73772
Reported: 2004-11-25 06:27 UTC by Thierry Carrez (RETIRED)
Modified: 2004-12-28 06:30 UTC

See Also:
Package list:
Runtime testing required: ---

Attachment: patch.CAN-2004-0915.viewcvs.0.9.2 (1.26 KB, patch), 2004-11-25 06:28 UTC, Thierry Carrez (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2004-11-25 06:27:21 UTC
From vendor-sec, to be kept confidential:

Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility
for viewing CVS and Subversion repositories via HTTP.  In both cases
the program doesn't honour the settings enough to hide certain
directories from the tar export.

Problem 1: hide_cvsroot doesn't work when a tar file is exported

Problem 2: forbidden is ignored when a tar file is exported

The attached patches, for both version 0.9 and 1.0 (which have
different code but are both vulnerable to these problems), seem to fix
those.  Upstream is unresponsive unfortunately.

This is most probably not that critical since many CVS repositories
are available via anonymous CVS anyway, and that one supports
neither of these options.
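To make the invariant the patches restore concrete, here is an added example (not code from this bug, its attachment, or viewcvs itself) of a tar export that applies the same visibility checks as the browsing views. It assumes that `forbidden` is a list of glob patterns matched against the top-level module name and that `hide_cvsroot` hides the `CVSROOT` directory; the repository paths are constructed sample data.

```python
"""Path filter a tar export must apply so that hide_cvsroot and forbidden
are honoured.  Added example; the config semantics are assumptions:
forbidden = glob patterns on the top-level module, hide_cvsroot = hide CVSROOT."""
import fnmatch
import io
import tarfile

# Constructed sample of the entries a repository walk might yield.
SAMPLE_PATHS = [
    "CVSROOT/modules",
    "CVSROOT/passwd",
    "project/README",
    "project/src/main.c",
    "secret-stuff/keys.txt",
    "internal-tools/build.sh",
]


def is_exportable(path, forbidden=(), hide_cvsroot=True):
    """Return True if `path` (relative, '/'-separated) may appear in an export."""
    top = path.split("/", 1)[0]
    if hide_cvsroot and top == "CVSROOT":
        return False
    # Assumed semantics: forbidden holds glob patterns on the top-level module.
    return not any(fnmatch.fnmatchcase(top, pat) for pat in forbidden)


def build_tar(paths, forbidden=(), hide_cvsroot=True):
    """Write only the exportable paths into an in-memory tar; return member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            if not is_exportable(p, forbidden, hide_cvsroot):
                continue  # same check the directory listing applies
            data = b"constructed content for " + p.encode()
            info = tarfile.TarInfo(name=p)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:gz") as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    # Only project/* survives: CVSROOT is hidden, the other two modules forbidden.
    print(build_tar(SAMPLE_PATHS, forbidden=("secret-*", "internal-tools")))
```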
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-11-25 06:28:29 UTC
Created attachment 44712 [details, diff]

Patch for 0.9.x viewcvs
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-25 13:42:14 UTC
Renat, this is a restricted bug; please prepare a fixed ebuild and have it ready when a disclosure date is agreed with vendor-sec.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-02 09:09:52 UTC
Ccing Stuart as rl03 seems inactive
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-12-02 12:27:48 UTC
Can we commit this patch into portage, or do we have to wait until vendor-sec declassify the bug?

Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-03 00:49:01 UTC
We still have to wait before pushing any of this in a public repository.

You can attach the ebuild (or a tarball with the ebuild and files) to this bug, so that we can push them for early stable testing to selected devs.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-06 04:23:41 UTC
This is public now.

Stuart please commit the patch.
Comment 7 Stuart Herbert (RETIRED) gentoo-dev 2004-12-07 07:02:22 UTC
viewcvs-0.9.2_p20041207.ebuild has been added, and marked stable on x86.  Needs marking stable on ppc.

Please note: I've done minimal testing on this package.

Best regards,

Comment 8 Luke Macken (RETIRED) gentoo-dev 2004-12-07 07:06:02 UTC
ppc, please mark viewcvs-0.9.2_p20041207 stable.
Comment 9 Jochen Maes (RETIRED) gentoo-dev 2004-12-08 00:24:31 UTC
stable on ppc
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-08 00:44:19 UTC
Security please vote on GLSA on this one.
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-08 01:06:30 UTC
I would vote for a GLSA

Debian published a DSA already btw.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-08 04:47:37 UTC
Yes, GLSA needed.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 06:11:22 UTC
I'll handle this together with bug 73772
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 06:30:29 UTC
GLSA 200412-26