From Nicolás Alvarez <nicolas.alvarez>:

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit access to the repository. The "function name" lines returned by diff (in the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again. The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit, it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly glanced at the upstream bug list and dev list archives and it didn't seem to be already reported, but I didn't search carefully.
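The escaping gap described in the report, as an added example that is not part of the original report and is not ViewVC's code: a minimal diff-to-HTML renderer showing the hunk-header "function name" text emitted raw next to the escaped form. The table markup, the regular expression and all function names are assumptions made for illustration; the sample hunk is the one quoted in the report.

```python
import html
import re

# Unified-diff hunk header: "@@ -start,len +start,len @@ optional function-name text"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@ ?(.*)$")

# Constructed sample input: the hunk quoted in the report.
SAMPLE_DIFF = [
    '@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>',
    " one context",
    " two context",
    " three context",
    "-trigger",
    "+trigger X",
]

ROW = '<tr class="%s"><td>%s</td><td>%s</td></tr>'  # hypothetical markup


def render_header_unescaped(line):
    """Behaviour the report describes: function-name text copied into HTML as-is."""
    m = HUNK_RE.match(line)
    if m is None:
        raise ValueError("not a hunk header: %r" % line)
    return ROW % ("hunk", "Line " + m.group(1), m.group(3))


def render_header_escaped(line):
    """Hardened form: the text after the second @@ comes from file content,
    so it is escaped like every other diff line."""
    m = HUNK_RE.match(line)
    if m is None:
        raise ValueError("not a hunk header: %r" % line)
    return ROW % ("hunk", "Line " + m.group(1), html.escape(m.group(3), quote=True))


def render_diff(lines, header_renderer):
    """Render a unified diff as table rows; body lines are always escaped."""
    rows = []
    for line in lines:
        if line.startswith("@@"):
            rows.append(header_renderer(line))
        else:
            kind = {"+": "add", "-": "del"}.get(line[:1], "ctx")
            rows.append(ROW % (kind, "", html.escape(line[1:], quote=True)))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_diff(SAMPLE_DIFF, render_header_unescaped))
    print(render_diff(SAMPLE_DIFF, render_header_escaped))
```
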
Created attachment 630786 viewvc-CVE-2012-4533-xss.patch
Created viewvc tracking bugs for this issue Affects: fedora-all [bug 868608]
Created viewvc tracking bugs for this issue Affects: epel-all [bug 868609]
Did you mean 1.1.15 here?
(In reply to comment #4)
> Did you mean 1.1.15 here?

No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I didn't even know upstream had newer versions not yet in Debian.

(In reply to comment #5)
> No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I
> didn't even know upstream had newer versions not yet in Debian.

Similar code appears in 1.1.15 as well, just on a different line. So, I'm guessing that needs to be patched too. I will prepare packages.

(In reply to comment #0)
> From Nicolás Alvarez:
>
> Package: viewvc
> Version: 1.1.5-1.3
> Severity: important
> Tags: security

The report is quoted from Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

Upstream bug report:
http://viewvc.tigris.org/issues/show_bug.cgi?id=515

Upstream patches:
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2792
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2794
viewvc-1.1.17-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.