Bug 298127 (CVE-2010-0004) - <www-apps/viewvc-1.1.3: Security vulnerabilities (CVE-2010-{0004,0005})
Summary: <www-apps/viewvc-1.1.3: Security vulnerabilities (CVE-2010-{0004,0005})
Status: RESOLVED FIXED
Alias: CVE-2010-0004
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://viewvc.tigris.org/source/brows...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-23 18:51 UTC by Arfrever Frehtes Taifersar Arahesis (RETIRED)
Modified: 2010-03-06 16:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-12-23 18:51:42 UTC
<www-apps/viewvc-1.1.3 has some minor security vulnerabilities.

CHANGES file contains:
  * security fix: add root listing support of per-root authz config
  * security fix: query.py requires 'forbidden' authorizer (or none) in config
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-12-23 18:53:23 UTC
Stabilize www-apps/viewvc-1.1.3.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2009-12-26 11:53:21 UTC
sparc/x86 stable
Comment 3 Markus Meier gentoo-dev 2009-12-31 18:17:51 UTC
amd64 stable
Comment 4 Joe Jezak (RETIRED) gentoo-dev 2010-01-07 15:59:54 UTC
Marked ppc stable.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 12:25:53 UTC
CVE-2010-0004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0004):
  ViewVC before 1.1.3 composes the root listing view without using the
  authorizer for each root, which might allow remote attackers to
  discover private root names by reading this view.

Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 12:26:37 UTC
All arches done, I vote NO.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 12:28:02 UTC
CVE-2010-0005 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0005):
  query.py in the query interface in ViewVC before 1.1.3 does not
  reject configurations that specify an unsupported authorizer for a
  root, which might allow remote attackers to bypass intended access
  restrictions via a query.

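The two CVE descriptions quoted in comments 5 and 7 are easier to follow with the logic written out. The model below is an added example for this page, not ViewVC's own code: the class and function names, the sample root configuration, the `FORBIDDEN_ROOTS` and `SVNAUTHZ_ROOT_ACCESS` tables and the user names are all assumptions chosen for the illustration (the authorizer names "forbidden" and "svnauthz" follow ViewVC's module names, but the checks are constructed here). It shows the root listing built without consulting each root's authorizer (CVE-2010-0004) next to the per-root check, and query.py serving a root whose authorizer it cannot enforce (CVE-2010-0005) next to the configuration check that refuses it.

```python
"""Illustrative model of the two fixes shipped in ViewVC 1.1.3
(CVE-2010-0004 and CVE-2010-0005).  Added example written for this page,
not ViewVC's own code; names, configuration and data below are assumptions."""

# Constructed per-root configuration, mirroring ViewVC's per-root authz
# option: each root may name its own authorizer, or none at all.
ROOTS = {
    "public": {"authorizer": None},         # no authorizer: visible to everyone
    "secret": {"authorizer": "forbidden"},  # hidden by the 'forbidden' authorizer
    "acl":    {"authorizer": "svnauthz"},   # path-based ACLs; not supported by query.py
}

# Constructed data backing the two modelled authorizers.
FORBIDDEN_ROOTS = {"secret"}                # 'forbidden': roots nobody may see
SVNAUTHZ_ROOT_ACCESS = {"acl": {"alice"}}   # 'svnauthz': users allowed per root


class ForbiddenAuthorizer:
    def check_root(self, root, username):
        return root not in FORBIDDEN_ROOTS


class SvnAuthzAuthorizer:
    def check_root(self, root, username):
        return username in SVNAUTHZ_ROOT_ACCESS.get(root, set())


def make_authorizer(name):
    """Instantiate the authorizer named in a root's config (None = no authz)."""
    if name is None:
        return None
    if name == "forbidden":
        return ForbiddenAuthorizer()
    if name == "svnauthz":
        return SvnAuthzAuthorizer()
    raise ValueError("unknown authorizer %r" % name)


# --- CVE-2010-0004: root listing -------------------------------------------

def list_roots_vulnerable(username):
    """Pre-1.1.3 behaviour: the listing is built from the configured root
    names alone, so private root names leak to every viewer."""
    return sorted(ROOTS)


def list_roots_fixed(username):
    """1.1.3 behaviour: consult each root's own authorizer before listing it."""
    visible = []
    for root, cfg in sorted(ROOTS.items()):
        authz = make_authorizer(cfg["authorizer"])
        if authz is None or authz.check_root(root, username):
            visible.append(root)
    return visible


# --- CVE-2010-0005: query.py authorizer check -------------------------------

# query.py can only hide whole roots, so it understands the 'forbidden'
# authorizer (or none); a path-based authorizer cannot be honoured there.
QUERY_SUPPORTED_AUTHORIZERS = (None, "forbidden")


def run_query(root):
    """Stand-in for the commit query; returns constructed sample output."""
    return ["%s: commit r1 by alice" % root]


def query_vulnerable(root, username):
    """Pre-1.1.3 behaviour: an authorizer query.py does not understand is
    silently treated as no authorizer, so the root's ACLs are bypassed."""
    authz = make_authorizer(ROOTS[root]["authorizer"])
    if isinstance(authz, ForbiddenAuthorizer) and not authz.check_root(root, username):
        return None
    return run_query(root)


def query_fixed(root, username):
    """1.1.3 behaviour: refuse to serve a root whose authorizer the query
    interface cannot enforce, rather than serving it unprotected."""
    name = ROOTS[root]["authorizer"]
    if name not in QUERY_SUPPORTED_AUTHORIZERS:
        raise PermissionError(
            "query interface cannot enforce authorizer %r for root %r" % (name, root))
    authz = make_authorizer(name)
    if authz is not None and not authz.check_root(root, username):
        return None
    return run_query(root)


if __name__ == "__main__":
    print("listing (old):", list_roots_vulnerable("anonymous"))
    print("listing (new):", list_roots_fixed("anonymous"))
    print("query   (old):", query_vulnerable("acl", "anonymous"))
    try:
        query_fixed("acl", "anonymous")
    except PermissionError as e:
        print("query   (new):", e)
```

The fixed query path fails closed: a root configured with an authorizer the query interface cannot evaluate is refused outright instead of being served as if it had no authorizer, which is the condition the second CVE describes.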
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:19:15 UTC
NO, too. Closing noglsa.