Fedora has issued an advisory today (May 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/ The issue is fixed upstream in 1.1.28. This package uses Python 2, so should be dropped in Cauldron. It should be updated in Mageia 7.
Status comment: (none) => Fixed upstream in 1.1.28
Whiteboard: (none) => MGA7TOO
No obvious maintainer for this SRPM, so assigning globally; CC JoséJ as the registered maintainer, in case.
Assignee: bugsquad => pkg-bugs
CC: (none) => lists.jjorge
Version: Cauldron => 7
Version: 7 => Cauldron
Jani informs me that there will be Python 3 support eventually, but it will require viewvc 1.3.x and subversion 1.14.x or newer. Probably best to drop it for now and bring it back later. https://github.com/viewvc/viewvc/issues/138#issuecomment-606623207
Hi! I have built viewvc-1.1.28 for mageia 7: http://pkgsubmit.mageia.org/ . Please test.
CC: (none) => shlomif
Jani is working on updating to a 1.3.0 snapshot for Cauldron. Saving the advisory for this update.

Advisory:
========================

Updated viewvc package fixes security vulnerability:

ViewVC before version 1.1.28 has an XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create (CVE-2020-5283).

The viewvc package has been updated to version 1.1.28, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5283
https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg
https://github.com/viewvc/viewvc/releases/tag/1.1.27
https://github.com/viewvc/viewvc/releases/tag/1.1.28
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/
========================

Updated packages in core/updates_testing:
========================

viewvc-1.1.28-1.mga7

from viewvc-1.1.28-1.mga7.src.rpm
Status comment: Fixed upstream in 1.1.28 => (none)
Jani's Cauldron update is done. See Comment 4 for the Mageia 7 update details.
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
MGA7-64 Plasma on Lenovo B50

No installation issues.

Found previous bug 20262 for testing Comment 3 and got a page from localhost which displayed some script:

#!/usr/bin/python2
# -*-python-*-
#
# Copyright (C) 1999-2020 The ViewCVS Group. All Rights Reserved.
#
# By using this file, you agree to the terms and conditions set forth in
# the LICENSE.html file which can be found at the top level of the ViewVC
# distribution or at http://viewvc.org/license-1.html.
#
# For more information, visit http://viewvc.org/
#
# -----------------------------------------------------------------------
#
# viewvc: View CVS/SVN repositories via a web browser
#
# -----------------------------------------------------------------------
#
# This is a teeny stub to launch the main ViewVC app. It checks the load
# average, then loads the (precompiled) viewvc.py file and runs it.
#
# -----------------------------------------------------------------------
#

#########################################################################
#
# INSTALL-TIME CONFIGURATION
#
# These values will be set during the installation process. During
# development, they will remain None.
#
LIBRARY_DIR = r"/usr/share/viewvc/lib"
CONF_PATHNAME = r"/etc/viewvc/viewvc.conf"

#########################################################################
#
etc......

If that is the result that was expected, then it is OK for me, but I'm not sure if that is the expected result.

Found also bug 7896, but that's not my terrain.
CC: (none) => herman.viaene
Following Herman's lead here I had to give up after a couple of hours trying to figure out the details of the landscape. Without an induction course it is not going to be possible for QA to tackle this.

Started with the CVE and managed to produce the test file in a local CVS repository. The assumption was that if ViewVC could be started this file could be reached via the browser interface. Found the main configuration file at /etc/viewvc and modified a couple of entries. It looks like there needs to be another configuration file somewhere to establish a link with apache... Restarted httpd at some point and started the ViewVC server:

$ /usr/share/viewvc/bin/standalone.py
server ready at http://localhost:49152/viewvc

Copied the python script shown in comment 6 after retreading the same path. Executing that generates an html file which can be passed to the browser. That shows a page with these contents:

Content-Type: text/html; charset=UTF-8
/
ViewVC logotype
Repository Listing
Name
_________________________________________________________________________
ViewVC Help
Powered by ViewVC 1.1.26

The ViewVC labels are all working links but the help file cannot be found. ViewVC 1.1.26 points to viewvc.tigris.org which is due for decommissioning. The / link allows local navigation. Clicked on that and found /data/qa/cvs/ which displayed

CVSROOT                18/08/2017 18:12:10 BST
cvs_summary     6 KB   18/08/2017 18:00:12 BST
launch.py       2 KB   20/05/2020 13:16:42 BST
viewvc.html     2 KB   20/05/2020 13:19:46 BST

CVSROOT contains a number of hidden files and file pairs like this:

checkoutlist    1 KB   18/08/2017 17:59:18 BST
checkoutlist,v  1 KB   18/08/2017 17:29:26 BST

and the Emptydir where the PoC file was placed:

new-module/            20/05/2020 11:28:20 BST
taginfo,v       3 KB   20/05/2020 11:25:28 BST

new-module contains the PoC file:

'<img src="#" onerror="alert(1)">.txt,v'

That is as far as I can take this. Updated ViewVC. Restarted the ViewVC server, restarted apache then emptied the Emptydir.
$ mkdir new-module
$ cp ../notify .
$ cp ../notify,v .
$ cp 'notify,v' 'new-module/<img src="#" onerror="alert(1)">.txt,v'
$ ls new-module
'<img src="#" onerror="alert(1)">.txt,v'

Launched the ViewVC page in the browser and navigated to the Emptydir/new-module directory. Could not see any difference from the pre-update view. Had no idea what to expect anyway. Unable to make any judgements on this bug but ViewVC appears to be doing something and no obvious regressions so we shall give it the OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
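For the benefit of anyone repeating the QA test above: the advisory says the bug is a file name that, "when embedded into an HTML stream, would cause the browser to run unwanted code", which is exactly the name the tester created (`<img src="#" onerror="alert(1)">.txt`). What a tester would look for is not a visible difference in the directory listing but whether the raw name survives into the page source as markup. The script below is an added illustration, not ViewVC's code and not the upstream fix: it models a "last modified file in this subdirectory" column with a hypothetical renderer, shows the unescaped and escaped variants side by side, and parses the produced HTML to flag any tag outside the expected table markup or any on* event-handler attribute. The entries, timestamps and function names are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample directory contents (not real repository data): the
# hostile name from the QA test plus two ordinary neighbours, with fake mtimes.
SUBDIR_ENTRIES = [
    ("README.txt", 1597000000),
    ('<img src="#" onerror="alert(1)">.txt', 1597100000),  # hostile file name
    ("Makefile", 1596900000),
]


def newest_entry(entries):
    """Pick the (name, mtime) with the largest mtime, i.e. the file a
    'last modified in subdirectory' column would display."""
    return max(entries, key=lambda e: e[1])


def render_row_unescaped(dirname, entries):
    """Hypothetical VULNERABLE rendering: the untrusted file name is
    interpolated straight into the HTML, so markup in the name is live."""
    name, mtime = newest_entry(entries)
    return '<tr><td>%s/</td><td>%s</td><td>%d</td></tr>' % (dirname, name, mtime)


def render_row_escaped(dirname, entries):
    """Hardened rendering: every string that came from the repository is
    HTML-escaped (including quotes) before it enters the HTML stream."""
    name, mtime = newest_entry(entries)
    return '<tr><td>%s/</td><td>%s</td><td>%d</td></tr>' % (
        html.escape(dirname, quote=True),
        html.escape(name, quote=True),
        mtime,
    )


class TagCollector(HTMLParser):
    """Record every start tag and every on* attribute the browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handler_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for key, _value in attrs:
            if key.lower().startswith("on"):
                self.handler_attrs.append((tag, key))


# The only tags the listing row is supposed to contain.
ALLOWED_TAGS = {"tr", "td"}


def find_injected_markup(rendered_html):
    """Return findings for a rendered row: tag names outside ALLOWED_TAGS and
    'attr@tag' strings for any event-handler attribute. Empty list == clean."""
    parser = TagCollector()
    parser.feed(rendered_html)
    parser.close()
    findings = [t for t in parser.tags if t not in ALLOWED_TAGS]
    findings += ["%s@%s" % (key, tag) for (tag, key) in parser.handler_attrs]
    return findings


if __name__ == "__main__":
    for label, render in (("unescaped", render_row_unescaped),
                          ("escaped", render_row_escaped)):
        row = render("new-module", SUBDIR_ENTRIES)
        print(label, "->", find_injected_markup(row))
        print("   ", row)
```

The same check can be run against a real page: save the ViewVC directory listing from the browser ("view source") and feed it to find_injected_markup with ALLOWED_TAGS widened to the tags the template legitimately emits; any leftover img or on* finding means the name reached the page unescaped.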
Had a look at bug 7896. Edited the viewvc.conf file but could not create an SVN project. 'svnadmin' command not found.

$ locate svnadmin
/usr/share/bash-completion/completions/_svnadmin
Viewvc is a web interface to a subversion server, so you need one of those installed and running too.
Thanks David - have to pass on that. Have never encountered a subversion server.
Whiteboard: MGA7-64-OK => (none)
Installed this on Mageia infra: https://svnweb.mageia.org/ Seems to still work...
CC: (none) => tmb
Right, thanks Thomas. Replacing the OK.
Whiteboard: (none) => MGA7-64-OK
Thank you, Gentlemen. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0221.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED