Bug 7896 - viewvc new security issue CVE-2012-4533
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/520971/
Whiteboard: MGA1TOO MGA2-32-OK has_procedure MGA1...
Keywords: validated_update

Reported: 2012-10-24 20:57 CEST by David Walser
Modified: 2012-10-29 17:54 CET
Source RPM: viewvc-1.1.15-1.mga2.src.rpm

Attachments
Testing procedure for viewvc (1.25 KB, text/plain)
2012-10-27 01:09 CEST, Dave Hodgins

Description David Walser 2012-10-24 20:57:33 CEST
Debian has issued an advisory on October 23:
http://www.debian.org/security/2012/dsa-2563

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated viewvc package fixes security vulnerability:

"function name" lines returned by diff are not properly escaped, allowing
attackers with commit access to perform cross site scripting (CVE-2012-4533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4533
http://www.debian.org/security/2012/dsa-2563
========================

Updated packages in core/updates_testing:
========================
viewvc-1.1.15-1.1.mga1
viewvc-1.1.15-1.1.mga2

from SRPMS:
viewvc-1.1.15-1.1.mga1.src.rpm
viewvc-1.1.15-1.1.mga2.src.rpm
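
The defect class named in the advisory above, shown as an added example (not part of this report and not ViewVC's own code): a unified-diff hunk header parsed and rendered to HTML with and without escaping of the "function name" text. The function names, the HTML row template and the sample header are assumptions constructed for illustration.

```python
import html
import re

# Unified-diff hunk header: "@@ -old[,len] +new[,len] @@ [function name text]"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+(\d+)(?:,\d+)? @@ ?(.*)$")

# Hypothetical row template for a diff view.
ROW = '<tr class="hunk"><th>{old}</th><th>{new}</th><td>{section}</td></tr>'


def parse_hunk_header(line):
    """Return (old_start, new_start, section_text), or None for other lines."""
    m = HUNK_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def render_hunk_header(line, escape=True):
    """Render one hunk header as an HTML table row.

    escape=False reproduces the defect class from the advisory: the
    "function name" text is file content supplied by a committer, yet it
    is copied into the page as if it were trusted markup.
    """
    parsed = parse_hunk_header(line)
    if parsed is None:
        raise ValueError("not a unified-diff hunk header: %r" % line)
    old, new, section = parsed
    if escape:
        # Encode &, <, > and quotes so the text is displayed, not interpreted.
        section = html.escape(section, quote=True)
    return ROW.format(old=old, new=new, section=section)


# Constructed sample: a hunk header whose function-name text contains markup.
SAMPLE = '@@ -10,7 +10,8 @@ <script>alert("XSS!")</script>'

if __name__ == "__main__":
    print("unescaped:", render_hunk_header(SAMPLE, escape=False))
    print("escaped:  ", render_hunk_header(SAMPLE, escape=True))
```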
Comment 1 David Walser 2012-10-24 21:08:20 CEST
More info about this is here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4533
Comment 2 Dave Hodgins 2012-10-26 05:20:27 CEST
Found some info at http://unspecified.wordpress.com/2008/06/10/viewvc/

Also, seems to need apache-mod_python installed.

I have it to the point where http://127.0.0.1/cgi-bin/viewvc will load
in Mageia 2 i586, but on Mageia 1, it's returning a 400 HTTP status
code.  I'll dig into it more tomorrow.
Comment 3 Dave Hodgins 2012-10-27 01:09:23 CEST
Created attachment 2991
Testing procedure for viewvc

On Mageia 2 i586, with the viewvc from viewvc-1.1.15-1.1.mga2.src.rpm
installed, I'm still getting the pop-up showing XSS!, so it seems
that the update is not fixing the problem.

I'm attaching the testing procedure I used.
Comment 4 David Walser 2012-10-27 01:11:52 CEST
Try restarting the web server just in case, but if it persists, I'll try upgrading it to 1.1.17 next week and see if that fixes it (and if not, will have to report upstream).  Thanks for testing.
Comment 5 Dave Hodgins 2012-10-27 05:41:54 CEST
Testing complete on Mageia 2 i586.

I had restarted the web server, but it turns out I also had to clear
the web browser's cache (I'm using Opera).

Still have to figure out why Mageia 1 is returning a 400 status code.
Comment 6 Dave Hodgins 2012-10-29 02:10:33 CET
Testing complete on Mageia 1 x86-64.

My 400 status code problem was caused by the updates testing version of drupal.
Comment 7 Dave Hodgins 2012-10-29 02:19:46 CET
Testing complete on Mageia 1 i586.
Comment 8 Dave Hodgins 2012-10-29 02:30:51 CET
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
viewvc-1.1.15-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
viewvc-1.1.15-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated viewvc package fixes security vulnerability:

"function name" lines returned by diff are not properly escaped, allowing
attackers with commit access to perform cross site scripting (CVE-2012-4533).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4533
http://www.debian.org/security/2012/dsa-2563

https://bugs.mageia.org/show_bug.cgi?id=7896
Comment 9 Thomas Backlund 2012-10-29 17:54:50 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0313
