Bug 31417 - viewvc new security issues CVE-2023-22456 and CVE-2023-22464
Summary: viewvc new security issues CVE-2023-22456 and CVE-2023-22464
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
: 33187 (view as bug list)
Depends on:
Blocks:
 
Reported: 2023-01-17 18:59 CET by David Walser
Modified: 2024-05-30 15:06 CEST (History)
6 users (show)

See Also:
Source RPM: viewvc-1.3.0-0.dev20200516.1.mga8.src.rpm
CVE: CVE-2023-22456, CVE-2023-22464
Status comment:


Attachments

Description David Walser 2023-01-17 18:59:39 CET
Debian-LTS has issued an advisory on January 11:
https://www.debian.org/lts/security/2023/dla-3266

The issues are fixed upstream in 1.2.3.

Mageia 8 is also affected.
David Walser 2023-01-17 18:59:51 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-01-17 19:46:16 CET
No choice but to assign this one globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-01-18 12:07:30 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

ViewVC is vulnerable to cross-site scripting. The impact of these vulnerabilities is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. (CVE-2023-22456, CVE-2023-22464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22464
https://www.debian.org/lts/security/2023/dla-3266
========================

Updated package in core/updates_testing:
========================
viewvc-1.3.0-0.dev20200516.1.1.mga8

from SRPM:
viewvc-1.3.0-0.dev20200516.1.1.mga8.src.rpm

Source RPM: viewvc-1.3.0-0.dev20200516.1.mga9.src.rpm => viewvc-1.3.0-0.dev20200516.1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-22456, CVE-2023-22464
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2023-01-19 12:03:37 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Found simple test in bug 20262 Comment 3, so
$ /usr/share/viewvc/bin/standalone.py
server ready at http://localhost:49152/viewvc
and then pointed browser at http://localhost:49152/viewvc. That doesn't show much, but at least there is an installed help link and using that and a few steps further gave me feedbacks on the CLI:
127.0.0.1 - - [19/Jan/2023 11:50:48] "GET /viewvc HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:48] ViewVC exited ok
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 60226)
ValueError: I/O operation on closed file.
----------------------------------------
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/styles.css HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/scripts.js HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /viewvc/*docroot*/images/viewvc-logo.png HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:50:49] ViewVC exited ok
127.0.0.1 - - [19/Jan/2023 11:50:49] code 404, message Not Found
127.0.0.1 - - [19/Jan/2023 11:50:49] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [19/Jan/2023 11:51:04] "GET /viewvc HTTP/1.1" 200 -
127.0.0.1 - - [19/Jan/2023 11:51:04] ViewVC exited ok
Interpretation ?????
Setting up a real subversion server is beyond me. But the link Thomas provided in bug 26628 Comment 11 displays nicely and allows navigation, so as on this bug, I OK this update.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-01-19 13:58:55 CET
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-01-24 02:10:24 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-01-24 09:00:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0019.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 6 David Walser 2024-05-30 15:06:49 CEST
*** Bug 33187 has been marked as a duplicate of this bug. ***

CC: (none) => smelror


Note You need to log in before you can comment on or make changes to this bug.