Debian Bug report logs - #671482
CVE-2009-5024: Possible excessive resource use when commit database feature enabled

version graph

Package: viewvc; Maintainer for viewvc is David Martínez Moreno <ender@debian.org>; Source for viewvc is src:viewvc.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 4 May 2012 12:57:01 UTC

Severity: important

Tags: security

Fixed in versions viewvc/1.1.5-1.3, viewvc/1.1.5-1.1+squeeze1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#671482; Package viewvc. (Fri, 04 May 2012 12:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, David Martínez Moreno <ender@debian.org>. (Fri, 04 May 2012 12:57:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-5024
Date: Fri, 04 May 2012 14:55:29 +0200
Package: viewvc
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5024 for details.

Fixed in 1.1.11

Cheers,
        Moritz




Severity set to 'important' from 'grave' Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 12 May 2012 23:06:02 GMT) Full text and rfc822 format available.

Changed Bug title to 'CVE-2009-5024: Possible excessive resource use when commit database feature enabled' from 'CVE-2009-5024' Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 12 May 2012 23:09:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#671482; Package viewvc. (Sat, 12 May 2012 23:18:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 12 May 2012 23:18:07 GMT) Full text and rfc822 format available.

Message #14 received at 671482@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 671482@bugs.debian.org
Subject: CVE-2009-5024: Possible excessive resource use when commit database feature enabled
Date: Sun, 13 May 2012 00:16:03 +0100
[Message part 1 (text/plain, inline)]
I've downgraded this because it does not affect the default
configuration.  It only affects installations which use the optional
feature to use a MySQL database of commits.

I'm attaching a debdiff for the changes in case if anyone thinks they
should be applied in isolation (perhaps as a stable-security update).
The ordinary functionality still works after these changes, but the
database feature is sufficiently complex to set up that I gave up on
trying to test it.

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
[viewvc_1.1.5-1.2.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 14 Oct 2012 21:03:09 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sun, 14 Oct 2012 21:03:10 GMT) Full text and rfc822 format available.

Message #19 received at 671482-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 671482-close@bugs.debian.org
Subject: Bug#671482: fixed in viewvc 1.1.5-1.3
Date: Sun, 14 Oct 2012 21:01:37 +0000
Source: viewvc
Source-Version: 1.1.5-1.3

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 671482@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 14 Oct 2012 20:12:07 +0000
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.1.5-1.3
Distribution: unstable
Urgency: low
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 viewvc     - web interface for CVS and/or Subversion repositories
 viewvc-query - utility to query CVS and Subversion commit database
Closes: 671482 679069
Changes: 
 viewvc (1.1.5-1.3) unstable; urgency=low
 .
   * Non-maintainer upload.
 .
   [ gregor herrmann ]
   * [SECURITY] Fix "CVE-2012-3356 / CVE-2012-3357":
     - CVE-2012-3356: * security fix: complete authz support for remote SVN views
     - CVE-2012-3357: * security fix: log msg leak in SVN revision view with
                      unreadable copy source
     Add patches "CVE-2012-3356" and "CVE-2012-3357", taken from upstream svn.
     (Closes: #679069)
 .
   [ Ben Hutchings ]
   * view_query: No longer allow an undocumented URL parameter to
     override the admin-declared SQL row limit, which could result
     in excessive CPU usage and memory consumption (CVE-2009-5024)
     (Closes: #671482)
Checksums-Sha1: 
 e8f722eefbd046db5cccc86ea358d7efb9122765 1462 viewvc_1.1.5-1.3.dsc
 0408927320d2c8683ce9562d677f9c3bdf2243ee 29835 viewvc_1.1.5-1.3.diff.gz
 f8196929e603705c989753737d5ef4e26bf523e6 606516 viewvc_1.1.5-1.3_all.deb
 e334694ab1bd10908665c91ddafbdc72a9fd0c2f 12114 viewvc-query_1.1.5-1.3_all.deb
Checksums-Sha256: 
 411e3a36179603b5a097cbb6570a52b659ea131fd63d3b0406cecf04c8926eba 1462 viewvc_1.1.5-1.3.dsc
 76e0f4201958c59f262c9b02a32ab7932f45a420e53536668b0b10d6116501e7 29835 viewvc_1.1.5-1.3.diff.gz
 7dbe4d488d0e4c9bc8d6a53e7ed0e6586dca6a526ecf4873a26b399adbfc415c 606516 viewvc_1.1.5-1.3_all.deb
 834d341965ffe1029e78a913b373de0a39de40eea6a84d87645da26b64f7ff68 12114 viewvc-query_1.1.5-1.3_all.deb
Files: 
 3cdd704b2a03a593a04c08c86733ddc0 1462 vcs optional viewvc_1.1.5-1.3.dsc
 aa2e3704af494f107351a7a0a2662200 29835 vcs optional viewvc_1.1.5-1.3.diff.gz
 6604f55ee46ad534b98f12caa37d0f84 606516 vcs optional viewvc_1.1.5-1.3_all.deb
 78df85ec268919b90f9ab845ec434d98 12114 vcs optional viewvc-query_1.1.5-1.3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQex37AAoJEFb2GnlAHawEZFwH/22cGocgU2vTgoD4OAdILy6U
MFhaS+r6D1WR/NQ+i7odr+5vczdfFZwDrAnDgarXnQbb4BQwhGxxtOQmwpc32bBM
/Zv6MiXFblD77JbUZCbhbYm2N+dWId4b1zU+GAaxdaN0tOCwOF2K4ZhfC5q0BbRa
0ZS6L+g5HbCdW63YuLap3kJkzNrwzxLNZwDdVOmk86Lp/zFThBdYqv4aYkMFHDh5
fXGj9YknStYiQF7scNEOG9C6l9yZxWyM0Gheh6ybcAk8bC2das+R/rFTFl3aIp4O
3UsgQFkJ9Al4MHewb8dZM0b/Dtvum45DUd0nsLEXqUiutRCkfAI8t1uSi9Ju4as=
=UJzW
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 27 Oct 2012 15:51:11 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 27 Oct 2012 15:51:11 GMT) Full text and rfc822 format available.

Message #24 received at 671482-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 671482-close@bugs.debian.org
Subject: Bug#671482: fixed in viewvc 1.1.5-1.1+squeeze1
Date: Sat, 27 Oct 2012 15:47:04 +0000
Source: viewvc
Source-Version: 1.1.5-1.1+squeeze1

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 671482@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 14 Oct 2012 20:12:07 +0000
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.1.5-1.1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 viewvc     - web interface for CVS and/or Subversion repositories
 viewvc-query - utility to query CVS and Subversion commit database
Closes: 636805 671482 679069
Changes: 
 viewvc (1.1.5-1.1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload.
 .
   [ gregor herrmann ]
   * [SECURITY] Fix "CVE-2012-3356 / CVE-2012-3357":
     - CVE-2012-3356: * security fix: complete authz support for remote SVN views
     - CVE-2012-3357: * security fix: log msg leak in SVN revision view with
                      unreadable copy source
     Add patches "CVE-2012-3356" and "CVE-2012-3357", taken from upstream svn.
     (Closes: #679069)
   * Fix "viewvc runs extremely slowly (~15s per page)":
     backport upstream commit r2471 as new patch compression-content-length:
     don't set Content-Length when compression is used.
     (Closes: #636805)
 .
   [ Ben Hutchings ]
   * view_query: No longer allow an undocumented URL parameter to
     override the admin-declared SQL row limit, which could result
     in excessive CPU usage and memory consumption (CVE-2009-5024)
     (Closes: #671482)
Checksums-Sha1: 
 2ad3542ad175bebc67ed1ccc718bb6de4951b47b 1498 viewvc_1.1.5-1.1+squeeze1.dsc
 988d7b9e13af194696db9cba5446510367720b91 593630 viewvc_1.1.5.orig.tar.gz
 00089765d74a8995aa0c4b2eb43b94db1334454c 30479 viewvc_1.1.5-1.1+squeeze1.diff.gz
 6a017148e51668ecd475c3c38d1b79355b9c8fdd 606544 viewvc_1.1.5-1.1+squeeze1_all.deb
 13228ddbc7a83a7aa59ca0e90f0eb8afc6c58911 12106 viewvc-query_1.1.5-1.1+squeeze1_all.deb
Checksums-Sha256: 
 f72ff0183658afa35fab6f22b3f5d3a6469a8a6579e65b14944d1b058547c6d0 1498 viewvc_1.1.5-1.1+squeeze1.dsc
 32ce717330fc780e9c2341cca800079078e9935581d4dfd526e4a15fc1d94919 593630 viewvc_1.1.5.orig.tar.gz
 92bc4267c140a91eaf89443b4b1b889362401379a9f448aa6a61530a495d1e60 30479 viewvc_1.1.5-1.1+squeeze1.diff.gz
 6d4a7909659e4f9f3e8c049342a123d7e13d4ffb7a74a984df0a8b8ff0c7f168 606544 viewvc_1.1.5-1.1+squeeze1_all.deb
 0c03412641438cefc30086b0b999bc0e3271b95aabc9550fa2cfc76dc150446b 12106 viewvc-query_1.1.5-1.1+squeeze1_all.deb
Files: 
 39095cfbd30229eccd9468da19a60ba5 1498 vcs optional viewvc_1.1.5-1.1+squeeze1.dsc
 da7bbcf6800383ebb23405a064c6faf8 593630 vcs optional viewvc_1.1.5.orig.tar.gz
 d67c265da2ac4bbb4b776498290550dd 30479 vcs optional viewvc_1.1.5-1.1+squeeze1.diff.gz
 a22095492d9f05f7e553d513fe39b15c 606544 vcs optional viewvc_1.1.5-1.1+squeeze1_all.deb
 3cc471934f2c28693c09c034b94c8699 12106 vcs optional viewvc-query_1.1.5-1.1+squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQgWM6AAoJEFb2GnlAHawEt/kH/jaY5/RqOoHFDFETHJbEKgEP
vgDYFVjpUMwQYhXiWhHeCYJ4H/k+xE9e1HqXWuNlieLad70Nb5yCtfVYrHn4nZxp
7wag9bwbypJ5sR7HrGWIuLII9x0wkw21ggR572CZBXPRWFdtwrGPUlISom1/RqM5
VtPyupSBCjL0NIQ+h3FwelI2C+ozYYV8eJBgJttPXRysGS7B5de03q/1re0ACeN2
o85WOo419NcW4fKMWIYHGVaqnbo5RAs2wh2qwFukbhx7xUgmYzHdUvedM1hqjAW1
uG+9Wp4AdHtxSASZ6Sn3/yMbh4z+PEc2zJ+4oCTFJjwuV93ho/724rgeC7dcqJs=
=t0Q5
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Nov 2012 07:29:13 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 04:08:04 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.