Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 73772 - www-apps/viewcvs: CAN-2004-1062 XSS issue
Summary: www-apps/viewcvs: CAN-2004-1062 XSS issue
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa] koon
Depends on:
Blocks: 72461
  Show dependency tree
Reported: 2004-12-08 01:39 UTC by Sune Kloppenborg Jeppesen
Modified: 2004-12-28 06:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

viewcvs-CAN-2004-1062.patch (viewcvs-CAN-2004-1062.patch,362 bytes, patch)
2004-12-16 07:45 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff
New viewcvs-CAN-2004-1062.patch (viewcvs-CAN-2004-1062.patch,341 bytes, patch)
2004-12-21 05:58 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-12-08 01:39:49 UTC
No details know, opening bug to keep track of the issue.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-09 02:21:08 UTC
It's a XSS issue in the ViewCVSException handling of 404 Not Found pages.
Example :

lynx -source 'http://yourserverhere/viewcvs.cgi/<script>alert("BOO"+document.cookie)</script>' | grep BOO is not affected, but others on the net (including 1.0-dev) are (?!)

Found by Michael Krax from RedHat, waiting for a disclosure date (and hopefully  patches) from him.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 07:45:58 UTC
Created attachment 46129 [details, diff]

Here is the patch, it's still unclear on diclosure policy though. Keeping it
private for the time being.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 01:38:32 UTC
This is now public.

web-apps, could you quickly bump viewcvs with the provided patch, so that we can issue a grouped GLSA with bug 72461.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 05:58:28 UTC
Created attachment 46541 [details, diff]
New viewcvs-CAN-2004-1062.patch

This one (from SuSE) applies more cleanly.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-23 02:39:40 UTC
web-apps/Stuart : please apply latest patch and bump. I checked that this one applies cleanly, and it's a very minor patch.
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-12-23 03:11:45 UTC
Patch applied, and in Portage.  New package is viewcvs-0.9.2_p20041207-r1.  Keywords are ~x86 and ~ppc.  Needs marking stable on both arches.  I can't test it (don't have a CVS repository setup myself atm), but the patch itself looks very safe.

Best regards,
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-12-23 04:48:53 UTC
x86,ppc : please mark stable
Comment 8 Jochen Maes (RETIRED) gentoo-dev 2004-12-23 11:08:17 UTC
stable on ppc
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 06:30:24 UTC
stable on x86 by Stuart
GLSA 200412-26