Debian Bug report logs - #500779
CVE-2008-4325: misinterpretation of content-type

version graph

Package: viewvc; Maintainer for viewvc is David Martínez Moreno <ender@debian.org>; Source for viewvc is src:viewvc.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 1 Oct 2008 11:39:02 UTC

Severity: normal

Tags: patch, security

Fixed in version viewvc/1.0.9-1

Done: David Martínez Moreno <ender@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#500779; Package viewvc. (Wed, 01 Oct 2008 11:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to David Martínez Moreno <ender@debian.org>. (Wed, 01 Oct 2008 11:39:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4325: misinterpretation of content-type
Date: Wed, 01 Oct 2008 21:28:46 +1000
Package: viewvc
Severity: normal
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for viewvc.

CVE-2008-4325[0]:
| lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
| HTTP request for the Content-Type header in the HTTP response, which
| allows remote attackers to cause content to be misinterpreted by the
| browser via a content-type parameter that is inconsistent with the
| requested object.  NOTE: this issue might not be a vulnerability, since
| it requires attacker access to the repository that is being viewed.

The upstream bugreport[1] contains an explanation and also a patch[2].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I don't think it is really exploitable or a serious issue, but nonetheless,
I thought you'd like to know.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4325
    http://security-tracker.debian.net/tracker/CVE-2008-4325
[1] http://viewvc.tigris.org/issues/show_bug.cgi?id=354
[2] http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011&r1=1968&r2=1978




Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#500779; Package viewvc. (Fri, 27 Feb 2009 22:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Fri, 27 Feb 2009 22:06:02 GMT) Full text and rfc822 format available.

Message #10 received at 500779@bugs.debian.org (full text, mbox):

From: Sylvain Beucler <beuc@beuc.net>
To: 500779@bugs.debian.org
Subject: Re: CVE-2008-4325: misinterpretation of content-type
Date: Fri, 27 Feb 2009 23:04:56 +0100
Hello David,

> CVE-2008-4325[0]:
> | lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
> | HTTP request for the Content-Type header in the HTTP response, which
> | allows remote attackers to cause content to be misinterpreted by the
> | browser via a content-type parameter that is inconsistent with the
> | requested object.  NOTE: this issue might not be a vulnerability, since
> | it requires attacker access to the repository that is being viewed.

Can you tell if you intend to fix this security issue?

-- 
Sylvain




Added tag(s) pending. Request was from David Martínez Moreno <ender@debian.org> to control@bugs.debian.org. (Mon, 28 Sep 2009 03:30:04 GMT) Full text and rfc822 format available.

Reply sent to David Martínez Moreno <ender@debian.org>:
You have taken responsibility. (Sun, 11 Oct 2009 00:30:08 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sun, 11 Oct 2009 00:30:08 GMT) Full text and rfc822 format available.

Message #17 received at 500779-close@bugs.debian.org (full text, mbox):

From: David Martínez Moreno <ender@debian.org>
To: 500779-close@bugs.debian.org
Subject: Bug#500779: fixed in viewvc 1.0.9-1
Date: Sun, 11 Oct 2009 00:17:30 +0000
Source: viewvc
Source-Version: 1.0.9-1

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:

viewvc-query_1.0.9-1_all.deb
  to pool/main/v/viewvc/viewvc-query_1.0.9-1_all.deb
viewvc_1.0.9-1.diff.gz
  to pool/main/v/viewvc/viewvc_1.0.9-1.diff.gz
viewvc_1.0.9-1.dsc
  to pool/main/v/viewvc/viewvc_1.0.9-1.dsc
viewvc_1.0.9-1_all.deb
  to pool/main/v/viewvc/viewvc_1.0.9-1_all.deb
viewvc_1.0.9.orig.tar.gz
  to pool/main/v/viewvc/viewvc_1.0.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Martínez Moreno <ender@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 28 Sep 2009 05:24:27 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.0.9-1
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: David Martínez Moreno <ender@debian.org>
Description: 
 viewvc     - view CVS/SVN repositories via HTTP
 viewvc-query - utility to query CVS commit database
Closes: 440188 482323 485187 500779 502257 545779
Changes: 
 viewvc (1.0.9-1) unstable; urgency=high
 .
   * New upstream release (closes: #502257):
     - Ignore arbitrary user-provided MIME types (closes: #500779).
     - Fixed bug in regexp searches.
     - Fixed bug in handling of certain 'co' output.
     - Fixed annotate code syntax error.
     - Fixed mod_python import cycle.
     - Fixed directory view sorting UI.
     - Tolerate malformed Accept-Language headers.
     - Fixed directory log views in revision-less Subversion repositories.
     - Fixed exception in rev-sorted remote Subversion directory views.
     - Security fixes: validate the 'view' parameter to avoid XSS attack
       and avoid printing illegal parameter names and values (closes:
       #545779).
   * debian/control:
     - Moved docbook-to-man from B-D-I to B-D, as it is in build target
       (closes: #440188).
     - Added B-D on quilt (>= 0.46-7) in order to have dh_quilt_*.
     - Upgraded Standards-Version to 3.8.3.
     - Added ${misc:Depends} to viewvc and viewvc-query.
     - Bumped dependency on debhelper to >=6.
     - Added Homepage.
   * debian/rules:
     - Moved patch targets into the XXI century: removed lots of old lines
       by a couple of calls to dh_quilt_* helpers.
   * debian/patches:
     - Refreshed everything to get rid of errors and removed additional
       options like -p0 (closes: #485187).
     - 04_tarball_permission_fix: Added to series, closes: #482323.
   * debian/viewvc.config: Removed prepended path to debconf-show.
   * debian/compat: Upgraded to v6.
   * debian/viewvc.postinst: Added set -e to catch up errors.
Checksums-Sha1: 
 f618627d1aba16561743201141c69d4dc102fa78 1152 viewvc_1.0.9-1.dsc
 a985496ad577e2c4c75bac915eb203da790d7f3e 522905 viewvc_1.0.9.orig.tar.gz
 933dcf44cf9117ef829143eaf79c65e1dabbf569 41961 viewvc_1.0.9-1.diff.gz
 7403570e842a4783ca1c7551810ddc578b52309c 518312 viewvc_1.0.9-1_all.deb
 3e9186a2bf5142204637ac0e5209111e729320b7 23630 viewvc-query_1.0.9-1_all.deb
Checksums-Sha256: 
 13496713e173c27322f97e904a6e6220d54a62c81426bbb46e8821948b948cdc 1152 viewvc_1.0.9-1.dsc
 399f2813d89457c1dcd9056af2db8c693bfe4ebf801b4c8bb2e4928667b4e322 522905 viewvc_1.0.9.orig.tar.gz
 50cac0328b542bcde99ff3f6aace2cdfe5c3be6e58b0f685c715b082fabd69e5 41961 viewvc_1.0.9-1.diff.gz
 0098967cfa5f3b30d3d58f43a57ebf9f00f4046a310bce3ff4b42a5f2e080902 518312 viewvc_1.0.9-1_all.deb
 ddd2a77974b7a39ab0eb103c556a780fe397b426bc910c8a0f314899a5f9b9c8 23630 viewvc-query_1.0.9-1_all.deb
Files: 
 b9c947f9fc813bc5d71e6a42b7b15fe0 1152 devel optional viewvc_1.0.9-1.dsc
 5aa48bb866f65bfcf32aa0cd581bf7d3 522905 devel optional viewvc_1.0.9.orig.tar.gz
 352f4d83751db575358b642b3f7559dd 41961 devel optional viewvc_1.0.9-1.diff.gz
 d3d68d0935d755bc6cab733281c9792f 518312 devel optional viewvc_1.0.9-1_all.deb
 7b0a599c94de3d4d22de5b041dfe6923 23630 devel optional viewvc-query_1.0.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrBQoUACgkQWs/EhA1iABtnzACgnaaLIMlfk1OVteW6o8J6WFT2
dsgAoM1Fbvph3QEmH2/j2LD98HBLqLlk
=sKeZ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Dec 2009 07:35:50 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 05:45:43 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.