Bug 868606 (CVE-2012-4533)

Summary: CVE-2012-4533 viewvc: lib/viewvc.py XSS
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bjohnson, bojan, jlieskov, nicolas.alvarez
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20121010,reported=20121010,source=debian,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/viewvc=affected,epel-all/viewvc=affected,cwe=CWE-79[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-11 04:21:53 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 868608, 868609    
Bug Blocks:    
Attachments:
Description Flags
viewvc-CVE-2012-4533-xss.patch none

Description Kurt Seifried 2012-10-21 01:41:18 EDT
From  Nicolás Alvarez <nicolas.alvarez@gmail.com>:

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.
Comment 1 Kurt Seifried 2012-10-21 01:42:28 EDT
Created attachment 630786 [details]
viewvc-CVE-2012-4533-xss.patch
Comment 2 Kurt Seifried 2012-10-21 01:43:10 EDT
Created viewvc tracking bugs for this issue

Affects: fedora-all [bug 868608]
Comment 3 Kurt Seifried 2012-10-21 01:43:50 EDT
Created viewvc tracking bugs for this issue

Affects: epel-all [bug 868609]
Comment 4 Bojan Smojver 2012-10-21 05:49:00 EDT
Did you mean 1.1.15 here?
Comment 5 Nicolás Alvarez 2012-10-21 20:46:50 EDT
(In reply to comment #4)
> Did you mean 1.1.15 here?

No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I didn't even know upstream had newer versions not yet in Debian.
Comment 6 Bojan Smojver 2012-10-21 20:52:29 EDT
(In reply to comment #5)
 
> No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I
> didn't even know upstream had newer versions not yet in Debian.

Similar code appears in 1.1.15 as well, just on a different line. So, I'm guessing that needs to be patched too.

I will prepare packages.
Comment 7 Tomas Hoger 2012-10-23 05:11:19 EDT
(In reply to comment #0)
> From  Nicolás Alvarez:
> 
> Package: viewvc
> Version: 1.1.5-1.3
> Severity: important
> Tags: security

The report is quoted from Debian bug:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

Upstream bug report:
  http://viewvc.tigris.org/issues/show_bug.cgi?id=515
Comment 9 Fedora Update System 2012-11-23 03:05:20 EST
viewvc-1.1.17-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.