Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-4533 viewvc: lib/viewvc.py XSS|
|Product:||[Other] Security Response||Reporter:||Kurt Seifried <kseifried>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||bjohnson, bojan, jlieskov, nicolas.alvarez|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-12-11 04:21:53 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||868608, 868609|
Description Kurt Seifried 2012-10-21 01:41:18 EDT
From Nicolás Alvarez <firstname.lastname@example.org>:

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit access to the repository. The "function name" lines returned by diff (in the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

    blah
    x <script>alert("XSS!");</script>
    one context
    two context
    three context
    trigger

Commit it. Next, change the line labeled 'trigger', and commit again. The diff produced by the second commit is:

    @@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
     one context
     two context
     three context
    -trigger
    +trigger X

When telling ViewVC to show the diff of that file for the last commit, it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly glanced at the upstream bug list and dev list archives and it didn't seem to be already reported, but I didn't search carefully.
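The escaping gap described in the report, shown as an added example that is not part of the bug report and is not ViewVC's code. It assumes a hypothetical minimal diff-to-HTML renderer (`render_diff`, `HUNK_RE`, `contains_raw_markup` and the row markup are invented for illustration) and uses the diff from the report as sample input.

```python
import html
import re

# Unified-diff hunk header: "@@ -a,b +c,d @@ optional function-name text"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@ ?(.*)$")

# Sample input: the diff quoted in the report above.
SAMPLE_DIFF = '''@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
'''


def render_diff(diff_text, escape_header=True):
    """Render a unified diff as HTML table rows (hypothetical renderer)."""
    rows = []
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            func = m.group(5)
            # diff copies this text from the file itself, so it is
            # controlled by anyone with commit access and must be
            # escaped like every other line of file content.
            if escape_header:
                func = html.escape(func, quote=True)
            rows.append('<tr class="hunk"><th>Line %s</th><th>%s</th></tr>'
                        % (m.group(1), func))
            continue
        kind = {"+": "add", "-": "del"}.get(line[:1], "ctx")
        rows.append('<tr class="%s"><td colspan="2">%s</td></tr>'
                    % (kind, html.escape(line[1:], quote=True)))
    return "\n".join(rows)


def contains_raw_markup(rendered):
    """True if file-derived text reached the output as a live <script> tag."""
    return "<script>" in rendered


if __name__ == "__main__":
    print(render_diff(SAMPLE_DIFF, escape_header=False))  # header left raw
    print(render_diff(SAMPLE_DIFF))                       # header escaped
```

With `escape_header=False` the body lines are escaped but the hunk header is not, which is the condition the report describes.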
Comment 1 Kurt Seifried 2012-10-21 01:42:28 EDT
Created attachment 630786 [details] viewvc-CVE-2012-4533-xss.patch
Comment 2 Kurt Seifried 2012-10-21 01:43:10 EDT
Created viewvc tracking bugs for this issue
Affects: fedora-all [bug 868608]
Comment 3 Kurt Seifried 2012-10-21 01:43:50 EDT
Created viewvc tracking bugs for this issue
Affects: epel-all [bug 868609]
Comment 4 Bojan Smojver 2012-10-21 05:49:00 EDT
Did you mean 1.1.15 here?
Comment 5 Nicolás Alvarez 2012-10-21 20:46:50 EDT
(In reply to comment #4)
> Did you mean 1.1.15 here?

No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I didn't even know upstream had newer versions not yet in Debian.
Comment 6 Bojan Smojver 2012-10-21 20:52:29 EDT
(In reply to comment #5)
> No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I
> didn't even know upstream had newer versions not yet in Debian.

Similar code appears in 1.1.15 as well, just on a different line. So, I'm guessing that needs to be patched too. I will prepare packages.
Comment 7 Tomas Hoger 2012-10-23 05:11:19 EDT
(In reply to comment #0)
> From Nicolás Alvarez:
>
> Package: viewvc
> Version: 1.1.5-1.3
> Severity: important
> Tags: security

The report is quoted from Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

Upstream bug report:
http://viewvc.tigris.org/issues/show_bug.cgi?id=515
Comment 8 Jan Lieskovsky 2012-11-19 09:42:09 EST
Comment 9 Fedora Update System 2012-11-23 03:05:20 EST
viewvc-1.1.17-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.