Debian Bug report logs - #691062
viewvc: CVE-2012-4533: XSS bug in diff view


Package: viewvc; Maintainer for viewvc is David Martínez Moreno <ender@debian.org>; Source for viewvc is src:viewvc.

Reported by: Nicolás Alvarez <nicolas.alvarez@gmail.com>

Date: Sat, 20 Oct 2012 20:57:01 UTC

Severity: important

Tags: security

Found in versions viewvc/1.1.5-1.3, viewvc/0.9.4+svn20060318-1

Fixed in versions viewvc/1.1.5-1.4, viewvc/1.1.5-1.1+squeeze2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://viewvc.tigris.org/issues/show_bug.cgi?id=515



Report forwarded to debian-bugs-dist@lists.debian.org, nicolas.alvarez@gmail.com, David Martínez Moreno <ender@debian.org>:
Bug#691062; Package viewvc. (Sat, 20 Oct 2012 20:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolás Alvarez <nicolas.alvarez@gmail.com>:
New Bug report received and forwarded. Copy sent to nicolas.alvarez@gmail.com, David Martínez Moreno <ender@debian.org>. (Sat, 20 Oct 2012 20:57:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: viewvc: XSS bug in diff view
Date: Sat, 20 Oct 2012 17:54:18 -0300
[Message part 1 (text/plain, inline)]
Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages viewvc depends on:
ii  cvs                2:1.12.13+real-9
ii  python             2.7.3~rc2-1
ii  python-subversion  1.6.17dfsg-4
ii  python-support     1.0.15
ii  rcs                5.8.1-1
ii  subversion         1.6.17dfsg-4

Versions of packages viewvc recommends:
pn  apache2 | httpd-cgi  <none>
ii  python-pygments      1.5+dfsg-1

Versions of packages viewvc suggests:
pn  cvsgraph               <none>
pn  libapache2-mod-python  <none>
ii  mime-support           3.52-1
pn  python-tk              <none>
pn  viewvc-query           <none>

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/lib/viewvc/lib/vclib/svn/svn_repos.py (from viewvc package)
         (this is my personal workaround for bug #683188)
[diff-xss.patch (text/x-diff, attachment)]
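The report above describes a unified-diff hunk header whose trailing "function name" text (everything after the second `@@`) is spliced into the HTML page verbatim. The following is an added illustration, not ViewVC's code and not the attached `diff-xss.patch`: it parses hunk headers, renders the diff once in the defective unescaped style and once with `html.escape`, and includes a small check that flags raw markup in the rendered cells. The function names (`parse_hunk_header`, `render_diff`, `has_unescaped_markup`) and the `<tr>/<td>` table layout are assumptions for the example; the sample diff is the one quoted in the report.

```python
import html
import re

# Unified diff hunk header:
#   @@ -old_start[,old_len] +new_start[,new_len] @@[ function context]
# The optional trailing text is the "function name" hint the report talks about.
HUNK_RE = re.compile(
    r'^@@ -(?P<old_start>\d+)(?:,(?P<old_len>\d+))? '
    r'\+(?P<new_start>\d+)(?:,(?P<new_len>\d+))? @@(?: (?P<context>.*))?$'
)

# Sample input: the diff quoted in the bug report (second commit of the test file).
SAMPLE_DIFF = '''@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
'''


def parse_hunk_header(line):
    """Parse one '@@ ... @@' line into a dict, or return None if it is not a hunk header.

    A missing length defaults to 1, as the unified diff format specifies."""
    m = HUNK_RE.match(line)
    if not m:
        return None
    return {
        'old_start': int(m.group('old_start')),
        'old_len': int(m.group('old_len')) if m.group('old_len') is not None else 1,
        'new_start': int(m.group('new_start')),
        'new_len': int(m.group('new_len')) if m.group('new_len') is not None else 1,
        'context': m.group('context') or '',
    }


def _render_hunk_header(line, escape):
    """Render a hunk header as a table row; 'escape=False' reproduces the defect class."""
    h = parse_hunk_header(line)
    label = '@@ -%d,%d +%d,%d @@' % (h['old_start'], h['old_len'],
                                     h['new_start'], h['new_len'])
    context = html.escape(h['context'], quote=True) if escape else h['context']
    return '<tr class="hunk"><td>%s</td><td>%s</td></tr>' % (label, context)


def render_diff(diff_text, escape=True):
    """Render a unified diff as HTML table rows.

    Added/removed/context lines are always escaped; only the hunk header's
    function-context text is left raw when escape=False, mirroring the bug."""
    rows = []
    for line in diff_text.splitlines():
        if line.startswith('@@') and parse_hunk_header(line) is not None:
            rows.append(_render_hunk_header(line, escape))
        else:
            # First column is the diff marker (' ', '+', '-'); the rest is file content.
            kind = {'+': 'add', '-': 'remove'}.get(line[:1], 'context')
            body = html.escape(line[1:], quote=True)
            rows.append('<tr class="%s"><td>%s</td></tr>' % (kind, body))
    return '\n'.join(rows)


def has_unescaped_markup(rendered_html):
    """Crude output check: True if any <td> body still contains a raw '<' or '>'.

    In correctly escaped output every angle bracket inside a cell has become
    '&lt;' / '&gt;', so a raw one means repository content reached the page as markup."""
    for body in re.findall(r'<td>(.*?)</td>', rendered_html, re.DOTALL):
        if '<' in body or '>' in body:
            return True
    return False


if __name__ == '__main__':
    print('unescaped render leaks markup:', has_unescaped_markup(render_diff(SAMPLE_DIFF, escape=False)))
    print('escaped render leaks markup:  ', has_unescaped_markup(render_diff(SAMPLE_DIFF, escape=True)))
    print(render_diff(SAMPLE_DIFF))
```

The point of the check is that the hunk header is repository-controlled text like any other diff line: whoever can commit chooses it, so it must pass through the same escaping as the content lines. `has_unescaped_markup` is only a regression-style sanity check on rendered output, not a substitute for escaping at the template layer.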

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#691062; Package viewvc. (Sat, 20 Oct 2012 22:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolás Alvarez <nicolas.alvarez@gmail.com>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 20 Oct 2012 22:42:03 GMT) Full text and rfc822 format available.

Message #10 received at 691062@bugs.debian.org (full text, mbox):

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>
To: 691062@bugs.debian.org
Cc: control <control@bugs.debian.org>
Subject: Re: Bug#691062: viewvc: XSS bug in diff view
Date: Sat, 20 Oct 2012 19:39:17 -0300
found 691062 0.9.4+svn20060318-1
thanks

I tested every version in snapshot.debian.org and they are all
affected, if the hr_funout setting (show function names in diffs) is
enabled. Although only 1.1.5+ seem to have it enabled by default.



Marked as found in versions viewvc/0.9.4+svn20060318-1. Request was from Nicolás Alvarez <nicolas.alvarez@gmail.com> to control@bugs.debian.org. (Sat, 20 Oct 2012 22:42:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#691062; Package viewvc. (Sun, 21 Oct 2012 06:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolás Alvarez <nicolas.alvarez@gmail.com>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sun, 21 Oct 2012 06:03:03 GMT) Full text and rfc822 format available.

Message #17 received at 691062@bugs.debian.org (full text, mbox):

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>
To: 691062@bugs.debian.org
Subject: Re: Bug#691062: viewvc: XSS bug in diff view
Date: Sun, 21 Oct 2012 03:00:56 -0300
Kurt Seifried from Redhat has assigned the identifier CVE-2012-4533 to
this issue (thanks!).

-- 
Nicolás



Changed Bug title to 'viewvc: CVE-2012-4533: XSS bug in diff view' from 'viewvc: XSS bug in diff view' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Sun, 21 Oct 2012 18:27:05 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'http://viewvc.tigris.org/issues/show_bug.cgi?id=515'. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 23 Oct 2012 08:18:03 GMT) Full text and rfc822 format available.

Marked as fixed in versions viewvc/1.1.5-1.4. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 23 Oct 2012 09:09:10 GMT) Full text and rfc822 format available.

Marked Bug as done Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 23 Oct 2012 09:09:10 GMT) Full text and rfc822 format available.

Notification sent to Nicolás Alvarez <nicolas.alvarez@gmail.com>:
Bug acknowledged by developer. (Tue, 23 Oct 2012 09:09:11 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 27 Oct 2012 15:51:18 GMT) Full text and rfc822 format available.

Notification sent to Nicolás Alvarez <nicolas.alvarez@gmail.com>:
Bug acknowledged by developer. (Sat, 27 Oct 2012 15:51:18 GMT) Full text and rfc822 format available.

Message #32 received at 691062-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 691062-close@bugs.debian.org
Subject: Bug#691062: fixed in viewvc 1.1.5-1.1+squeeze2
Date: Sat, 27 Oct 2012 15:47:04 +0000
Source: viewvc
Source-Version: 1.1.5-1.1+squeeze2

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 691062@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Oct 2012 10:30:11 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.1.5-1.1+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 viewvc     - web interface for CVS and/or Subversion repositories
 viewvc-query - utility to query CVS and Subversion commit database
Closes: 691062
Changes: 
 viewvc (1.1.5-1.1+squeeze2) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2012-4533: Fix XSS in commit message view. Found and patch provided
     by Nicolás Alvarez (closes: #691062).
Checksums-Sha1: 
 4b63ac2b16d58ad65d795c884c0532875394a34e 1498 viewvc_1.1.5-1.1+squeeze2.dsc
 2ff95957c9d650e9156d0d7ff9010c7573bade0c 30847 viewvc_1.1.5-1.1+squeeze2.diff.gz
 5fc000e9e2175990e133fb42f8f848dc7c5b9aec 606602 viewvc_1.1.5-1.1+squeeze2_all.deb
 8517a8b9384a5b26914b534aa3810f96b74b5e75 12106 viewvc-query_1.1.5-1.1+squeeze2_all.deb
Checksums-Sha256: 
 c2176b068dc9312f37b639fad4bf74cc949adb0383de730fa6c1e0d65721f84c 1498 viewvc_1.1.5-1.1+squeeze2.dsc
 37b8d113dbfe42a11987de84b1ff51656a421e34ce3f74fe9e4c7e1bd5316683 30847 viewvc_1.1.5-1.1+squeeze2.diff.gz
 53221057abfd44ea20f343db42e8e2a73dc97d4454f3edba9155025a3960ca70 606602 viewvc_1.1.5-1.1+squeeze2_all.deb
 ceee4940a415d603dbaa27b83cdfc52ddc39813e7560a07fcf51308b98239822 12106 viewvc-query_1.1.5-1.1+squeeze2_all.deb
Files: 
 bfd16d0860b1a29f168dcfdde0a510f4 1498 vcs optional viewvc_1.1.5-1.1+squeeze2.dsc
 e27b66217e2a5808e78ca2dd51140457 30847 vcs optional viewvc_1.1.5-1.1+squeeze2.diff.gz
 d9b38a72a010da32318fcd86f71719f9 606602 vcs optional viewvc_1.1.5-1.1+squeeze2_all.deb
 b36d5b643daec51d5ace861b3b201d30 12106 vcs optional viewvc-query_1.1.5-1.1+squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQhlhRAAoJEFb2GnlAHawEAWUH/1UCHmWCKTuLTD5jeNgsMcKP
HTNDDL8Zh0UDMOV07IDFADliUr7Oe9FgDQKF3efX74AT1Iw2hoakoR5UIQyy6ZHM
nvmWv+KCHcgjsgEyrh+Hdyz3l4WgMiOE4wCkdypxNBTK/WXWyLoJg6kgI+yLaskf
puYU3fih0JBkzdb0ffrY3hjcoYPGrkbNrNBjoy1R9INfqhpve1giyEPQ5c7CDWD5
6qkE+G/ZF3qj4Uq6vQNy2GQBiiilU7alRk+jE9fvA2z01W8W87aKw8IVRO7ifxB9
sx0D+tRkT6eEoA7VRgJ+zNoC+XUNhvCD2MBbwEzTd4sRsKzFjAMEmy11O30z93Y=
=Oq12
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Nov 2012 07:28:01 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:35:16 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.