Debian Bug report logs -
#500779
CVE-2008-4325: misinterpretation of content-type
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 1 Oct 2008 11:39:02 UTC
Severity: normal
Tags: patch, security
Fixed in version viewvc/1.0.9-1
Done: David Martínez Moreno <ender@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#500779; Package viewvc. (Wed, 01 Oct 2008 11:39:04 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to David Martínez Moreno <ender@debian.org>. (Wed, 01 Oct 2008 11:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: viewvc
Severity: normal
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for viewvc.
CVE-2008-4325[0]:
| lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
| HTTP request for the Content-Type header in the HTTP response, which
| allows remote attackers to cause content to be misinterpreted by the
| browser via a content-type parameter that is inconsistent with the
| requested object. NOTE: this issue might not be a vulnerability, since
| it requires attacker access to the repository that is being viewed.
The upstream bugreport[1] contains an explanation and also a patch[2].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
I don't think it is really exploitable or a serious issue, but nonetheless,
I thought you'd like to know.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4325
http://security-tracker.debian.net/tracker/CVE-2008-4325
[1] http://viewvc.tigris.org/issues/show_bug.cgi?id=354
[2] http://viewvc.tigris.org/source/browse/viewvc/trunk/lib/viewvc.py?rev=2011&r1=1968&r2=1978
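The pattern the CVE text describes, as an added illustration that is not code from ViewVC or from this bug report: a request parameter named content-type is copied into the response Content-Type header, so a committer who can store markup in a file that the repository labels as plain text can ask the browser to render it as HTML. The repository contents, the handler names (vulnerable_checkout, hardened_checkout) and the check_handler helper are constructed for this example; the nosniff header in the hardened handler is extra hardening beyond what the page mentions, not part of the upstream fix.

```python
import mimetypes
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs

Response = Tuple[str, Dict[str, str], bytes]

# Constructed stand-in for a checked-out repository (path -> file bytes).
# Not a real ViewVC data structure.
REPO: Dict[str, bytes] = {
    "trunk/README.txt": b"Plain text readme.\n",
    # Someone with commit access can put markup into a file whose extension
    # says it is plain text; served as text/plain it is harmless.
    "trunk/notes.txt": b"<script>document.title = 'owned';</script>\n",
    "trunk/logo.png": b"\x89PNG\r\n\x1a\n",
}


def type_from_path(path: str) -> str:
    """Derive the MIME type from the object being served, never from the client."""
    guessed, _ = mimetypes.guess_type(path)
    return guessed or "application/octet-stream"


def vulnerable_checkout(path: str, query_string: str) -> Response:
    """Pre-fix pattern (hypothetical): a content-type query parameter overrides
    the type derived from the object."""
    params = parse_qs(query_string)
    ctype = params.get("content-type", [type_from_path(path)])[0]
    return "200 OK", {"Content-Type": ctype}, REPO[path]


def hardened_checkout(path: str, query_string: str) -> Response:
    """Post-fix pattern (hypothetical): the parameter is simply not consulted."""
    headers = {
        "Content-Type": type_from_path(path),
        # Extra hardening not mentioned on the page: stop browsers from
        # sniffing a text/plain body into HTML on their own.
        "X-Content-Type-Options": "nosniff",
    }
    return "200 OK", headers, REPO[path]


def renders_as_markup(headers: Dict[str, str]) -> bool:
    """Approximation of the browser's decision: only the media type matters,
    parameters such as charset do not."""
    media = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    return media in {"text/html", "application/xhtml+xml", "image/svg+xml"}


def check_handler(handler: Callable[[str, str], Response]) -> bool:
    """Check a practitioner can run against a handler: request a non-HTML
    object while asking for text/html. Returns True when the handler keeps
    the object's own type, i.e. is not affected by this issue."""
    path = "trunk/notes.txt"
    _, headers, _ = handler(path, "content-type=text/html")
    return (not renders_as_markup(headers)
            and headers["Content-Type"] == type_from_path(path))


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_checkout),
                    ("hardened", hardened_checkout)):
        _, hdrs, _ = h("trunk/notes.txt", "content-type=text/html")
        print(f"{name:10s} Content-Type: {hdrs['Content-Type']}"
              f"  safe={check_handler(h)}")
```

The same request gives text/html from the first handler and text/plain from the second; the check only exercises the Content-Type header, so it says nothing about the separate view-parameter XSS mentioned later in the changelog.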
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#500779; Package viewvc. (Fri, 27 Feb 2009 22:06:02 GMT)
Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Fri, 27 Feb 2009 22:06:02 GMT)
Message #10 received at 500779@bugs.debian.org:
Hello David,
> CVE-2008-4325[0]:
> | lib/viewvc.py in ViewVC 1.0.5 uses the content-type parameter in the
> | HTTP request for the Content-Type header in the HTTP response, which
> | allows remote attackers to cause content to be misinterpreted by the
> | browser via a content-type parameter that is inconsistent with the
> | requested object. NOTE: this issue might not be a vulnerability, since
> | it requires attacker access to the repository that is being viewed.
Can you tell if you intend to fix this security issue?
--
Sylvain
Added tag(s) pending. Request was from David Martínez Moreno <ender@debian.org> to control@bugs.debian.org. (Mon, 28 Sep 2009 03:30:04 GMT)
Reply sent to David Martínez Moreno <ender@debian.org>: You have taken responsibility. (Sun, 11 Oct 2009 00:30:08 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Sun, 11 Oct 2009 00:30:08 GMT)
Message #17 received at 500779-close@bugs.debian.org:
Source: viewvc
Source-Version: 1.0.9-1
We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:
viewvc-query_1.0.9-1_all.deb
to pool/main/v/viewvc/viewvc-query_1.0.9-1_all.deb
viewvc_1.0.9-1.diff.gz
to pool/main/v/viewvc/viewvc_1.0.9-1.diff.gz
viewvc_1.0.9-1.dsc
to pool/main/v/viewvc/viewvc_1.0.9-1.dsc
viewvc_1.0.9-1_all.deb
to pool/main/v/viewvc/viewvc_1.0.9-1_all.deb
viewvc_1.0.9.orig.tar.gz
to pool/main/v/viewvc/viewvc_1.0.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 500779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Martínez Moreno <ender@debian.org> (supplier of updated viewvc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 28 Sep 2009 05:24:27 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.0.9-1
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: David Martínez Moreno <ender@debian.org>
Description:
viewvc - view CVS/SVN repositories via HTTP
viewvc-query - utility to query CVS commit database
Closes: 440188 482323 485187 500779 502257 545779
Changes:
viewvc (1.0.9-1) unstable; urgency=high
.
* New upstream release (closes: #502257):
- Ignore arbitrary user-provided MIME types (closes: #500779).
- Fixed bug in regexp searches.
- Fixed bug in handling of certain 'co' output.
- Fixed annotate code syntax error.
- Fixed mod_python import cycle.
- Fixed directory view sorting UI.
- Tolerate malformed Accept-Language headers.
- Fixed directory log views in revision-less Subversion repositories.
- Fixed exception in rev-sorted remote Subversion directory views.
- Security fixes: validate the 'view' parameter to avoid XSS attack
and avoid printing illegal parameter names and values (closes:
#545779).
* debian/control:
- Moved docbook-to-man from B-D-I to B-D, as it is in build target
(closes: #440188).
- Added B-D on quilt (>= 0.46-7) in order to have dh_quilt_*.
- Upgraded Standards-Version to 3.8.3.
- Added ${misc:Depends} to viewvc and viewvc-query.
- Bumped dependency on debhelper to >=6.
- Added Homepage.
* debian/rules:
- Moved patch targets into the XXI century: removed lots of old lines
by a couple of calls to dh_quilt_* helpers.
* debian/patches:
- Refreshed everything to get rid of errors and removed additional
options like -p0 (closes: #485187).
- 04_tarball_permission_fix: Added to series, closes: #482323.
* debian/viewvc.config: Removed prepended path to debconf-show.
* debian/compat: Upgraded to v6.
* debian/viewvc.postinst: Added set -e to catch up errors.
Checksums-Sha1:
f618627d1aba16561743201141c69d4dc102fa78 1152 viewvc_1.0.9-1.dsc
a985496ad577e2c4c75bac915eb203da790d7f3e 522905 viewvc_1.0.9.orig.tar.gz
933dcf44cf9117ef829143eaf79c65e1dabbf569 41961 viewvc_1.0.9-1.diff.gz
7403570e842a4783ca1c7551810ddc578b52309c 518312 viewvc_1.0.9-1_all.deb
3e9186a2bf5142204637ac0e5209111e729320b7 23630 viewvc-query_1.0.9-1_all.deb
Checksums-Sha256:
13496713e173c27322f97e904a6e6220d54a62c81426bbb46e8821948b948cdc 1152 viewvc_1.0.9-1.dsc
399f2813d89457c1dcd9056af2db8c693bfe4ebf801b4c8bb2e4928667b4e322 522905 viewvc_1.0.9.orig.tar.gz
50cac0328b542bcde99ff3f6aace2cdfe5c3be6e58b0f685c715b082fabd69e5 41961 viewvc_1.0.9-1.diff.gz
0098967cfa5f3b30d3d58f43a57ebf9f00f4046a310bce3ff4b42a5f2e080902 518312 viewvc_1.0.9-1_all.deb
ddd2a77974b7a39ab0eb103c556a780fe397b426bc910c8a0f314899a5f9b9c8 23630 viewvc-query_1.0.9-1_all.deb
Files:
b9c947f9fc813bc5d71e6a42b7b15fe0 1152 devel optional viewvc_1.0.9-1.dsc
5aa48bb866f65bfcf32aa0cd581bf7d3 522905 devel optional viewvc_1.0.9.orig.tar.gz
352f4d83751db575358b642b3f7559dd 41961 devel optional viewvc_1.0.9-1.diff.gz
d3d68d0935d755bc6cab733281c9792f 518312 devel optional viewvc_1.0.9-1_all.deb
7b0a599c94de3d4d22de5b041dfe6923 23630 devel optional viewvc-query_1.0.9-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkrBQoUACgkQWs/EhA1iABtnzACgnaaLIMlfk1OVteW6o8J6WFT2
dsgAoM1Fbvph4QEmH2/j2LD98HBLqLlk
=sKeZ
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Dec 2009 07:35:50 GMT)
Last modified: Wed Jun 19 15:23:07 2019