Bug 26628 - viewvc new security issue CVE-2020-5283
Summary: viewvc new security issue CVE-2020-5283
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-15 20:13 CEST by David Walser
Modified: 2020-05-24 20:06 CEST
CC: 7 users

See Also:
Source RPM: viewvc-1.1.26-2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-05-15 20:13:51 CEST
Fedora has issued an advisory today (May 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/

The issue is fixed upstream in 1.1.28.

This package uses Python 2, so should be dropped in Cauldron.

It should be updated in Mageia 7.
David Walser 2020-05-15 20:14:14 CEST

Status comment: (none) => Fixed upstream in 1.1.28
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-05-15 20:33:45 CEST
No obvious maintainer for this SRPM, so assigning globally; CC JoséJ as the registered maintainer, in case.

Assignee: bugsquad => pkg-bugs
CC: (none) => lists.jjorge
Version: Cauldron => 7

David Walser 2020-05-15 20:45:26 CEST

Version: 7 => Cauldron

Comment 2 David Walser 2020-05-15 20:55:20 CEST
Jani informs me that there will be Python 3 support eventually, but it will require viewvc 1.3.x and subversion 1.14.x or newer.  Probably best to drop it for now and bring it back later.

https://github.com/viewvc/viewvc/issues/138#issuecomment-606623207
Comment 3 Shlomi Fish 2020-05-16 19:29:11 CEST
Hi!

I have built viewvc-1.1.28 for mageia 7: http://pkgsubmit.mageia.org/ . Please test.

CC: (none) => shlomif

Comment 4 David Walser 2020-05-16 19:39:54 CEST
Jani is working on updating to a 1.3.0 snapshot for Cauldron.

Saving the advisory for this update.

Advisory:
========================

Updated viewvc package fixes security vulnerability:

ViewVC before version 1.1.28 has an XSS vulnerability in CVS
show_subdir_lastmod support. The impact of this vulnerability is mitigated by
the need for an attacker to have commit privileges to a CVS repository exposed
by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod`
feature enabled. The attack vector involves files with unsafe names (names
that, when embedded into an HTML stream, would cause the browser to run
unwanted code), which themselves can be challenging to create (CVE-2020-5283).

The viewvc package has been updated to version 1.1.28, fixing this issue and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5283
https://github.com/viewvc/viewvc/security/advisories/GHSA-xpxf-fvqv-7mfg
https://github.com/viewvc/viewvc/releases/tag/1.1.27
https://github.com/viewvc/viewvc/releases/tag/1.1.28
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Q2STF2MKT24HXZ3YZIU7CN6F6QM67I5/
========================

Updated packages in core/updates_testing:
========================
viewvc-1.1.28-1.mga7

from viewvc-1.1.28-1.mga7.src.rpm

Status comment: Fixed upstream in 1.1.28 => (none)

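Added illustration of the defect class the advisory above describes (this is example code written for this report, not ViewVC's own code or its templates). A repository-controlled file name is interpolated into an HTML directory listing either verbatim (the pattern the advisory warns about) or HTML-escaped (the fix). The sample entries, the row template and the function names are constructed for the example; the unsafe name is the one quoted in the advisory's own wording, a file name that is itself markup. The audit helper parses the rendered HTML and reports any tag that is not part of the template, or any on* event-handler attribute, so a defender can confirm that only the template's own markup reaches the browser. `unsafe_names` is the check an operator of a trusted instance can run over a listing to find names that would become markup if rendered unescaped.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample entries: (file name, last-modified time), as a CVS
# directory listing with show_subdir_lastmod would carry them. The last name
# is a repository-controlled name that is itself markup.
SAMPLE_ENTRIES = [
    ("CVSROOT", "2017-08-18 18:12:10"),
    ("cvs_summary", "2017-08-18 18:00:12"),
    ('<img src="#" onerror="alert(1)">.txt', "2020-05-20 11:25:28"),
]

# Hypothetical row template standing in for a real listing template.
TEMPLATE = '<tr><td><a href="{href}">{name}</a></td><td>{lastmod}</td></tr>'


def render_row(name, lastmod, escape=True):
    """Render one listing row.

    escape=False is the defect pattern: repository values go into the HTML
    stream verbatim. escape=True is the fix: HTML-escape text and attribute
    values, and percent-encode the href separately.
    """
    if not escape:
        return TEMPLATE.format(href=name, name=name, lastmod=lastmod)
    return TEMPLATE.format(
        href=quote(name, safe="/"),
        name=html.escape(name, quote=True),
        lastmod=html.escape(lastmod, quote=True),
    )


def render_listing(entries, escape=True):
    """Render the whole listing as one table."""
    rows = "\n".join(render_row(n, t, escape) for n, t in entries)
    return "<table>\n%s\n</table>" % rows


class _TagAudit(HTMLParser):
    """Collects start tags outside the template's tag set and any on* attribute."""

    ALLOWED = {"table", "tr", "td", "a"}

    def __init__(self):
        super().__init__()
        self.foreign_tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            self.foreign_tags.append(tag)
        for key, _ in attrs:
            if key.lower().startswith("on"):
                self.handlers.append("%s@%s" % (key, tag))


def audit_markup(rendered):
    """Return (foreign_tags, event_handlers) seen by an HTML parser.

    Both lists empty means only the template's own markup reached the page.
    """
    p = _TagAudit()
    p.feed(rendered)
    p.close()
    return p.foreign_tags, p.handlers


def unsafe_names(entries):
    """Names whose HTML-escaped form differs from the raw name; these would
    become markup if a listing rendered them unescaped."""
    return [n for n, _ in entries if html.escape(n, quote=True) != n]


if __name__ == "__main__":
    print("unsafe names:", unsafe_names(SAMPLE_ENTRIES))
    print("unescaped  :", audit_markup(render_listing(SAMPLE_ENTRIES, escape=False)))
    print("escaped    :", audit_markup(render_listing(SAMPLE_ENTRIES, escape=True)))
```

Run stand-alone, the unescaped rendering is reported with an `img` tag and an `onerror` handler that the template never contained, while the escaped rendering reports nothing foreign; the `&lt;img ...&gt;` text is displayed as a file name rather than executed. The href is percent-encoded rather than HTML-escaped because it is a URL component and the two encodings are not interchangeable.
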
Comment 5 David Walser 2020-05-17 03:18:06 CEST
Jani's Cauldron update is done.

See Comment 4 for the Mageia 7 update details.

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 6 Herman Viaene 2020-05-17 15:09:05 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Found previous bug 20262 for testing Comment 3 and got a page from localhost which displayed some script:
#!/usr/bin/python2
# -*-python-*-
#
# Copyright (C) 1999-2020 The ViewCVS Group. All Rights Reserved.
#
# By using this file, you agree to the terms and conditions set forth in
# the LICENSE.html file which can be found at the top level of the ViewVC
# distribution or at http://viewvc.org/license-1.html.
#
# For more information, visit http://viewvc.org/
#
# -----------------------------------------------------------------------
#
# viewvc: View CVS/SVN repositories via a web browser
#
# -----------------------------------------------------------------------
#
# This is a teeny stub to launch the main ViewVC app. It checks the load
# average, then loads the (precompiled) viewvc.py file and runs it.
#
# -----------------------------------------------------------------------
#

#########################################################################
#
# INSTALL-TIME CONFIGURATION
#
# These values will be set during the installation process. During
# development, they will remain None.
#

LIBRARY_DIR = r"/usr/share/viewvc/lib"
CONF_PATHNAME = r"/etc/viewvc/viewvc.conf"

#########################################################################
#

etc......
If that is the result that was expected, then it is OK for me, but I'm not sure if that is the expected result.
Found also bug 7896, but that's not my terrain.

CC: (none) => herman.viaene

Comment 7 Len Lawrence 2020-05-20 16:33:30 CEST
Following Herman's lead here I had to give up after a couple of hours trying to figure out the details of the landscape.  Without an induction course it is not going to be possible for QA to tackle this.

Started with the CVE and managed to produce the test file in a local CVS repository.  The assumption was that if ViewVC could be started this file could be reached via the browser interface.  Found the main configuration file at /etc/viewvc and modified a couple of entries.  It looks like there needs to be another configuration file somewhere to establish a link with apache...
Restarted httpd at some point and started the ViewVC server:
$ /usr/share/viewvc/bin/standalone.py
server ready at http://localhost:49152/viewvc


Copied the python script shown in comment 6 after retreading the same path.  Executing that generates an html file which can be passed to the browser.  That shows a page with these contents:

Content-Type: text/html; charset=UTF-8
/ 	
                                                         ViewVC logotype
Repository Listing
Name
_________________________________________________________________________
  	ViewVC Help
Powered by ViewVC 1.1.26 	 

The ViewVC labels are all working links but the help file cannot be found.  ViewVC 1.1.26 points to viewvc.tigris.org which is due for decommissioning.

The / link allows local navigation.  Clicked on that and found /data/qa/cvs/ which displayed
CVSROOT 	18/08/2017 	18:12:10 BST
cvs_summary     6 KB 	18/08/2017 	18:00:12 BST
launch.py       2 KB 	20/05/2020 	13:16:42 BST
viewvc.html     2 KB 	20/05/2020 	13:19:46 BST

CVSROOT contains a number of hidden files and file pairs like this:
checkoutlist    1 KB 	18/08/2017 	17:59:18 BST
checkoutlist,v  1 KB 	18/08/2017 	17:29:26 BST

and the Emptydir where the PoC file was placed:
new-module/             20/05/2020 	11:28:20 BST
taginfo,v       3 KB 	20/05/2020 	11:25:28 BST

new-module contains the PoC file:
'<img src="#" onerror="alert(1)">.txt,v'

That is as far as I can take this.

Updated ViewVC.
Restarted the ViewVC server, restarted apache then emptied the Emptydir.
$ mkdir new-module
$ cp ../notify .
$ cp ../notify,v .
$ cp 'notify,v' 'new-module/<img src="#" onerror="alert(1)">.txt,v'
$ ls new-module
'<img src="#" onerror="alert(1)">.txt,v'

Launched the ViewVC page in the browser and navigated to the Emptydir/new-module directory.
Could not see any difference from the pre-update view.  Had no idea what to expect anyway.

Unable to make any judgements on this bug but ViewVC appears to be doing something and no obvious regressions so we shall give it the OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 8 Len Lawrence 2020-05-20 16:52:02 CEST
Had a look at bug 7896.  Edited the viewvc.conf file but could not create an SVN project.  'svnadmin' command not found.
$ locate svnadmin
/usr/share/bash-completion/completions/_svnadmin
Comment 9 David Walser 2020-05-20 18:03:06 CEST
Viewvc is a web interface to a subversion server, so you need one of those installed and running too.
Comment 10 Len Lawrence 2020-05-20 18:17:22 CEST
Thanks David - have to pass on that.  Have never encountered a subversion server.
Len Lawrence 2020-05-20 18:29:28 CEST

Whiteboard: MGA7-64-OK => (none)

Comment 11 Thomas Backlund 2020-05-20 18:35:47 CEST
Installed this on Mageia infra:
https://svnweb.mageia.org/


Seems to still work...

CC: (none) => tmb

Comment 12 Len Lawrence 2020-05-20 18:38:27 CEST
Right, thanks Thomas.  Replacing the OK.

Whiteboard: (none) => MGA7-64-OK

Comment 13 Thomas Andrews 2020-05-21 14:03:25 CEST
Thank you, Gentlemen. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-05-24 17:52:44 CEST

Keywords: (none) => advisory

Comment 14 Mageia Robot 2020-05-24 20:06:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0221.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
