Bug 6551 - viewvc 1.1.15 fixes minor security issues (CVE-2012-3356 CVE-2012-3357)
: viewvc 1.1.15 fixes minor security issues (CVE-2012-3356 CVE-2012-3357)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/505119/
: MGA1TOO mga1-64-OK mga2-64-OK MGA1-32...
: validated_update
: 2317 6714
:
  Show dependency treegraph
 
Reported: 2012-06-24 04:23 CEST by David Walser
Modified: 2012-07-21 12:12 CEST (History)
5 users (show)

See Also:
Source RPM: viewvc-1.1.14-1.mga3.src.rpm
CVE:


Attachments

Description David Walser 2012-06-24 04:23:53 CEST
ViewVC 1.1.15 fixes two security issues:
  * security fix: complete authz support for remote SVN views (issue #353)
  * security fix: log msg leak in SVN revision view with unreadable copy source

We could consider updating this for Mageia 1 and Mageia 2.
Comment 1 David Walser 2012-07-04 19:34:26 CEST
Updated in Cauldron by Damien.  Thanks.

Damien, could you provide an update for Mageia 1 and Mageia 2?
Comment 2 David Walser 2012-07-05 01:08:36 CEST
OpenSuSE has an issued advisory for this today (July 4):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html

They have updated to 1.1.15.

Also, CVEs have been issued for the security issues (CVE-2012-3356 and CVE-2012-3357).
Comment 3 David Walser 2012-07-10 20:04:34 CEST
Updated packages uploaded.

Also added a suggests on python-svn, so it might require linking.

Advisory:
========================

Updated viewvc packages fix security vulnerabilities:

- complete authz support for remote SVN views (CVE-2012-3356)

- log msg leak in SVN revision view with unreadable copy source
  (CVE-2012-3357)

Several other bugs were fixed as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3357
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
http://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html
========================

Updated packages in core/updates_testing:
========================
viewvc-1.1.15-1.mga1
viewvc-1.1.15-1.mga2

from SRPMS:
viewvc-1.1.15-1.mga1.src.rpm
viewvc-1.1.15-1.mga2.src.rpm
Comment 4 Dave Hodgins 2012-07-14 01:26:15 CEST
I've added a depends on bug 6714.  Since python-svn will be in updates when
that is pushed it won't need linking.

Other then viewing  http://127.0.0.1/viewvc/help_dirview.html (There should
be an index.html in the directory, I think), I'm not clear on how this
package is used.

Any ideas for a test procedure?
Comment 5 David Walser 2012-07-14 01:30:18 CEST
http://svnweb.mageia.org/ for an example of what this can give you.

You could set up a local SVN repository and point viewvc at it, look at it through your web browser and see how it looks.

What to use for your local SVN repository?  Anything really I guess, but maybe you could use rsvndump to clone a small piece of the Mageia repository.  Just an idea.
Comment 6 claire robinson 2012-07-17 17:04:19 CEST
Testing complete mga1 64

Installed subversion and subversion-tools

Followed the procedure here to create an svn repository called test with something in it, checked it out and committed back to add a version.
http://www.guyrutenberg.com/2007/10/29/creating-local-svn-repository-home-repository/

You need to add a trailing / on the trunk when importing or it renames the file to trunk and if you check it out it complains that it is a file and not a directory.

Edited /etc/viewvc/viewvc.conf and set svn_roots = test: /home/me/svnrep/test

Installed python-svn

Browsing to http://localhost/cgi-bin/viewvc.cgi shows the test repository. I can browse it and see diff's of the changes I made earlier.

Testing mga2 64 too in a moment
Comment 7 claire robinson 2012-07-17 17:46:03 CEST
Testing complete mga2 64

Found that it's not just a trailing / that's needed, if importing a file you have to name the destination file too.
Comment 8 Dave Hodgins 2012-07-20 03:58:59 CEST
Thanks for the procedure Claire!

Testing complete on Mageia 1 i586.

I'll test Mageia 2 i586 shortly.
Comment 9 Dave Hodgins 2012-07-20 04:35:10 CEST
Testing complete on Mageia 2 i586.

If the Mageia 2 64 bit testing for bug 6714 can be completed tomorrow (later
today for most of you :-), this bug should be validated and pushed right after
it.

If it will take longer, then this bug should be validated and python-svn
should be linked from Core Release to Core Updates for Mageia 2.

python-svn is already in updates in Mageia 1.
Comment 10 David Walser 2012-07-20 04:42:33 CEST
(In reply to comment #9)
> Testing complete on Mageia 2 i586.
> 
> If the Mageia 2 64 bit testing for bug 6714 can be completed tomorrow (later
> today for most of you :-), this bug should be validated and pushed right after
> it.
> 
> If it will take longer, then this bug should be validated and python-svn
> should be linked from Core Release to Core Updates for Mageia 2.
> 
> python-svn is already in updates in Mageia 1.

Theoretically it should at least be possible to test 6714 fairly quickly, as all that really needs to be done is what you did here:
https://bugs.mageia.org/show_bug.cgi?id=6678#c16
Comment 11 claire robinson 2012-07-20 13:43:40 CEST
python-svn isn't actually a require of viewvc as there are various ways of configuring it, so shouldn't need linking.

These do though..

----------------------------------------
Running checks for "viewvc" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is viewvc-1.1.13-1.mga2
Latest version found in "Core Updates Testing" is viewvc-1.1.15-1.mga2
----------------------------------------
The following packages will require linking:

lib64neon0.27-0.29.6-1.mga2 (Core Release)
----------------------------------------
Done.

----------------------------------------
Running checks for "viewvc" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is viewvc-1.1.11-1.mga1
Latest version found in "Core Updates Testing" is viewvc-1.1.15-1.mga1
----------------------------------------
The following packages will require linking:

lib64neon0.27-0.29.5-2.mga1 (Core Release)
lib64serf0-0.7.0-4.mga1 (Core Release)
----------------------------------------
Done.
Comment 12 claire robinson 2012-07-20 13:46:39 CEST
Validating & adding depends on bug 2317.

Could sysadmin please push from core/updates_testing to core/updates and make the links in comment 11. Could you please push this after pushing the apache modules in bug 6714.

Advisory:
========================

Updated viewvc packages fix security vulnerabilities:

- complete authz support for remote SVN views (CVE-2012-3356)

- log msg leak in SVN revision view with unreadable copy source
  (CVE-2012-3357)

Several other bugs were fixed as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3357
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
http://lists.opensuse.org/opensuse-updates/2012-07/msg00011.html
========================

SRPMS:
viewvc-1.1.15-1.mga1.src.rpm
viewvc-1.1.15-1.mga2.src.rpm

Thanks!
Comment 13 Thomas Backlund 2012-07-21 12:12:57 CEST
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0175

Note You need to log in before you can comment on or make changes to this bug.