Bug 868606 - (CVE-2012-4533) CVE-2012-4533 viewvc: lib/viewvc.py XSS
CVE-2012-4533 viewvc: lib/viewvc.py XSS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20121010,repor...
: Security
Depends On: 868608 868609
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-21 01:41 EDT by Kurt Seifried
Modified: 2016-03-04 06:59 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-11 04:21:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
viewvc-CVE-2012-4533-xss.patch (592 bytes, patch)
2012-10-21 01:42 EDT, Kurt Seifried
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 691062 None None None 2012-10-23 05:11:19 EDT

  None (edit)
Description Kurt Seifried 2012-10-21 01:41:18 EDT
From  Nicolás Alvarez <nicolas.alvarez@gmail.com>:

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.
Comment 1 Kurt Seifried 2012-10-21 01:42:28 EDT
Created attachment 630786 [details]
viewvc-CVE-2012-4533-xss.patch
Comment 2 Kurt Seifried 2012-10-21 01:43:10 EDT
Created viewvc tracking bugs for this issue

Affects: fedora-all [bug 868608]
Comment 3 Kurt Seifried 2012-10-21 01:43:50 EDT
Created viewvc tracking bugs for this issue

Affects: epel-all [bug 868609]
Comment 4 Bojan Smojver 2012-10-21 05:49:00 EDT
Did you mean 1.1.15 here?
Comment 5 Nicolás Alvarez 2012-10-21 20:46:50 EDT
(In reply to comment #4)
> Did you mean 1.1.15 here?

No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I didn't even know upstream had newer versions not yet in Debian.
Comment 6 Bojan Smojver 2012-10-21 20:52:29 EDT
(In reply to comment #5)
 
> No, I didn't. 1.1.5 is what Debian has and that's where I found the bug. I
> didn't even know upstream had newer versions not yet in Debian.

Similar code appears in 1.1.15 as well, just on a different line. So, I'm guessing that needs to be patched too.

I will prepare packages.
Comment 7 Tomas Hoger 2012-10-23 05:11:19 EDT
(In reply to comment #0)
> From  Nicolás Alvarez:
> 
> Package: viewvc
> Version: 1.1.5-1.3
> Severity: important
> Tags: security

The report is quoted from Debian bug:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

Upstream bug report:
  http://viewvc.tigris.org/issues/show_bug.cgi?id=515
Comment 9 Fedora Update System 2012-11-23 03:05:20 EST
viewvc-1.1.17-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.