viewvc: Multiple security issues

Related Vulnerabilities: CVE-2008-1290   CVE-2008-1291   CVE-2008-1292  

Debian Bug report logs - #471380


Package: viewvc; Maintainer for viewvc is Lev Lamberov <dogsleg@debian.org>; Source for viewvc is src:viewvc.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 17 Mar 2008 20:54:02 UTC

Severity: grave

Tags: patch, security

Fixed in version viewvc/1.0.5-0.1

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, David Martínez Moreno <ender@debian.org>: Bug#471380; Package viewvc.


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, David Martínez Moreno <ender@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: viewvc: Multiple security issues
Date: Mon, 17 Mar 2008 21:52:51 +0100
Package: viewvc
Severity: grave
Tags: security
Justification: user security hole

Viewvc 1.0.5 fixes several security issues:

  * security fix: omit commits of all-forbidden files from query results
  * security fix: disallow direct URL navigation to hidden CVSROOT folder
  * security fix: strip forbidden paths from revision view
  * security fix: don't traverse log history thru forbidden locations
  * security fix: honor forbiddenness via diff view path parameters

Please mention the following CVE IDs when fixing this:

CVE-2008-1290 - list CVS or SVN commits on "all-forbidden"
files

CVE-2008-1291 - directly access hidden CVSROOT folders

CVE-2008-1292 - expose restricted content via the revision
view, the log history, or the diff view

Cheers,
        Moritz

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
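
The five fixes listed in the report above are the same check applied in different views: the forbidden-path policy was enforced on the path the user browsed to, but had to be enforced as well on the other repository paths a view touches (files listed in query results, earlier locations followed by the log view, the second path of a diff, and a directly typed CVSROOT URL). The Python sketch below is added here as an illustration of that defect class and its fix; it is not ViewVC's code or the Debian package's code, and the class and function names (PathPolicy, browse, query_commits, log_history, diff_view_naive, diff_view) and the sample repository data are assumptions made for the example.

```python
"""Illustrative forbidden-path enforcement across every view of a repository
browser. Added example code, not ViewVC's implementation: the names and the
sample data below are assumptions made for this example.
"""
import fnmatch
import posixpath


class PathPolicy:
    """Decides whether a repository path may be shown.

    `forbidden` holds fnmatch patterns tested against each path component;
    `hidden` holds directory names that are never served, even when a client
    types the URL directly (the CVSROOT case).
    """

    def __init__(self, forbidden, hidden=("CVSROOT",)):
        self.forbidden = list(forbidden)
        self.hidden = set(hidden)

    def is_forbidden(self, path):
        # Normalise first so "src/../CVSROOT/passwd" is judged as "CVSROOT/passwd".
        norm = posixpath.normpath("/" + path).lstrip("/")
        for part in norm.split("/"):
            if part in self.hidden:
                return True
            if any(fnmatch.fnmatchcase(part, pat) for pat in self.forbidden):
                return True
        return False


# Constructed sample repository state (not real data).
COMMITS = [
    {"rev": 10, "files": ["src/main.c", "src/util.c"]},
    {"rev": 11, "files": ["secret/keys.txt"]},             # every file forbidden
    {"rev": 12, "files": ["src/main.c", "secret/notes"]},  # mixed
]
# path -> history entries (rev, path at that rev), newest first;
# src/util.c was moved out of secret/ at rev 10.
HISTORY = {
    "src/util.c": [(12, "src/util.c"), (10, "src/util.c"),
                   (9, "secret/util.c"), (8, "secret/util.c")],
}
CONTENT = {
    ("src/main.c", 10): "int main(void) { return 0; }\n",
    ("src/main.c", 12): "int main(void) { return 1; }\n",
    ("secret/keys.txt", 11): "example-key-material\n",
    ("CVSROOT/passwd", 1): "alice:x\n",
}


def browse(policy, content, path, rev):
    """Direct navigation: the check also has to cover hidden folders such as CVSROOT."""
    if policy.is_forbidden(path):
        raise PermissionError(path)
    return content[(path, rev)]


def query_commits(policy, commits):
    """Query view: strip forbidden files from each commit and omit commits
    that have nothing left ("all-forbidden") instead of listing them."""
    result = []
    for c in commits:
        allowed = [f for f in c["files"] if not policy.is_forbidden(f)]
        if allowed:
            result.append({"rev": c["rev"], "files": allowed})
    return result


def log_history(policy, history, path):
    """Log view: stop at the first history entry that lies in a forbidden
    location instead of traversing through it."""
    if policy.is_forbidden(path):
        raise PermissionError(path)
    shown = []
    for rev, hist_path in history.get(path, []):
        if policy.is_forbidden(hist_path):
            break
        shown.append((rev, hist_path))
    return shown


def diff_view_naive(policy, content, p1, r1, p2, r2):
    """The defect pattern: only the primary path is checked, so a forbidden
    file can be pulled in through the second path parameter."""
    if policy.is_forbidden(p1):
        raise PermissionError(p1)
    return content[(p1, r1)], content[(p2, r2)]


def diff_view(policy, content, p1, r1, p2, r2):
    """Fixed: every user-supplied path parameter is authorised."""
    for p in (p1, p2):
        if policy.is_forbidden(p):
            raise PermissionError(p)
    return content[(p1, r1)], content[(p2, r2)]


if __name__ == "__main__":
    policy = PathPolicy(forbidden=["secret"])
    print(query_commits(policy, COMMITS))
    print(log_history(policy, HISTORY, "src/util.c"))
    print(diff_view_naive(policy, CONTENT, "src/main.c", 10, "secret/keys.txt", 11))
```

The point of the sketch is that authorisation has to run on every repository path a request will read, not just the one in the URL the user clicked: query results, history traversal and diff parameters each introduce paths the entry-point check never saw.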




Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#471380; Package viewvc.


Acknowledgement sent to John Zaitseff <J.Zaitseff@zap.org.au>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>.


Message #10 received at 471380@bugs.debian.org:

From: John Zaitseff <J.Zaitseff@zap.org.au>
To: Debian Bug 471380 <471380@bugs.debian.org>
Subject: Debian patch available for viewvc 1.0.5
Date: Wed, 26 Mar 2008 15:44:30 +1100
Dear David et al.,

I am affected by bug #471380 regarding the viewvc package.  I have
therefore created a patch that will help you update the debian
subdirectory for this package.  I am successfully using this patch
on my machine at www.zap.org.au.

The patch updates the quilt files in debian/patches (and drops the
04_forbidden_files as it does not seem to be needed now).  It also
installs the (new) docs subdirectory into /usr/share/doc/viewvc and
the (new) templates-contrib subdirectory into
/usr/share/doc/viewvc/examples.

Please apply this patch (or your own variant) as quickly as
possible; alternatively, could someone with Debian developer
privileges do an appropriate NMU?

Yours truly,

John Zaitseff

-- 
John Zaitseff                    ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737         /      \   Sydney, Australia
E-mail: J.Zaitseff@zap.org.au   \_,--._*   http://www.zap.org.au/
                                      v
[viewvc-1.0.5-0.1zg1.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#471380; Package viewvc.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>.


Message #15 received at 471380@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: viewvc@packages.debian.org, debian-i18n@lists.debian.org, 471380@bugs.debian.org
Subject: Intent to NMU viewvc to fix pending po-debconf l10n and security bugs
Date: Fri, 28 Mar 2008 23:55:05 +0100
Dear Debian maintainer,

The viewvc Debian package, which you are the maintainer of, has
pending bug report(s) which include translation updates or fixes
for po-debconf, namely bug number 426876 (and maybe other similar bugs).

Even if we're still far from the release of the next Debian version,
letting such bugs sleep in the BTS is simply lowering
the chances that your package's interaction with its users may be done
in something other than the English language. It is also not
encouraging for translators.

I have the intention, as part of a more general action of the Debian
i18n Task Force to build and possibly upload a non-maintainer upload
for viewvc in order to fix this as well as all pending translations
for the debconf templates.

I will also, while doing that, package the 1.0.5 upstream version that
fixes several security issues.

Of course, an upload made by you would even be better...:-)

Such changes are always harmless, which explains why I safely consider
building NMUs for such issues even though they're obviously non-critical.

The schedule for the NMU (in case it happens, that is if you agree with it
or if I don't receive any answer in 14 days) is roughly the following:

 Friday, March 28, 2008    : send this notice
 Saturday, April 12, 2008  : post a NMU announcement to debian-i18n with you
                             (maintainer) CC'ed
 Tuesday, April 22, 2008   : deadline for receiving translation updates
 Wednesday, April 23, 2008 : build the package and upload it to DELAYED/2-day
                             send the NMU patch to the BTS
 Friday, April 25, 2008    : NMU reaches incoming

If you intend to upload yourself, please notify me so that I interrupt
the process on my side.

In case I upload an NMU, I will subscribe to the Package Tracking System for
viewvc and follow its life for 60 days after my NMU in order to fix
any issue potentially introduced by my upload.

Let me know, as soon as possible, if you have any kind of objection to this
process.

If you'd rather do the fix yourself, I will of course leave the package
alone. Same if you have reasons not to do the update now.


Tags added: patch. Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org. (Fri, 04 Apr 2008 06:57:02 GMT)


Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.


Message #22 received at 471380-close@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 471380-close@bugs.debian.org
Subject: Bug#471380: fixed in viewvc 1.0.5-0.1
Date: Thu, 24 Apr 2008 21:02:26 +0000
Source: viewvc
Source-Version: 1.0.5-0.1

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:

viewcvs_1.0.5-0.1_all.deb
  to pool/main/v/viewvc/viewcvs_1.0.5-0.1_all.deb
viewvc-query_1.0.5-0.1_all.deb
  to pool/main/v/viewvc/viewvc-query_1.0.5-0.1_all.deb
viewvc_1.0.5-0.1.diff.gz
  to pool/main/v/viewvc/viewvc_1.0.5-0.1.diff.gz
viewvc_1.0.5-0.1.dsc
  to pool/main/v/viewvc/viewvc_1.0.5-0.1.dsc
viewvc_1.0.5-0.1_all.deb
  to pool/main/v/viewvc/viewvc_1.0.5-0.1_all.deb
viewvc_1.0.5.orig.tar.gz
  to pool/main/v/viewvc/viewvc_1.0.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 471380@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 31 Mar 2008 08:42:29 +0200
Source: viewvc
Binary: viewvc viewcvs viewvc-query
Architecture: source all
Version: 1.0.5-0.1
Distribution: unstable
Urgency: medium
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 viewcvs    - dummy package to migrate to ViewVC
 viewvc     - view CVS/SVN repositories via HTTP
 viewvc-query - utility to query CVS commit database
Closes: 426876 463195 471380 473466 476172
Changes: 
 viewvc (1.0.5-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload to fix security, and pending l10n, issues
 .
   [ John Zaitseff ]
   * New upstream release, originally packaged by the ZAP Group
     (Closes: #471380, #463195).  Thanks to John Zaitseff for the patch
     Fixed:
     - CVE-2008-1290 - list CVS or SVN commits on "all-forbidden"
       files
     - CVE-2008-1291 - directly access hidden CVSROOT folders
     - CVE-2008-1292 - expose restricted content via the revision
       view, the log history, or the diff view
   * Updated the following files in the debian/patches subdirectory:
       series
       02_py2html_activation
       101_viewvc-install_Debian_paths
       102_viewvc.conf_Debian_customization
   * Updated debian/rules to install documentation in the docs directory
     and example templates in templates-contrib.
 .
   [ Christian Perrier ]
   * Debconf translations:
     - Vietnamese. Closes: #426876
   * [Lintian] Fix syntax in NEWS.Debian
   * [Lintian] Replace obsolete ${Source-Version} variable by
     ${source:Version}
   * Finnish. Closes: #473466
   * Basque. Closes: #476172
Checksums-Sha1: 
 bbc5a5ada8538e5bd002c11d2469700052ddcb06 1122 viewvc_1.0.5-0.1.dsc
 dccda7e35881a90662f638694f37b0aa2ecb1998 522323 viewvc_1.0.5.orig.tar.gz
 150587def80a3121b8ea096cf9575944ed6cf006 38214 viewvc_1.0.5-0.1.diff.gz
 da42e485ea022e4bb739827daf12e2e540ed6fc7 517036 viewvc_1.0.5-0.1_all.deb
 6db16de50cf0329a0205a70ce0efa0fb39faf0c7 17064 viewcvs_1.0.5-0.1_all.deb
 688cb1c188616484815a5dbb5c8c8867ab6a0c1f 22740 viewvc-query_1.0.5-0.1_all.deb
Checksums-Sha256: 
 80020428f7522db36c15833c94fc6bea60e3df1d342f087812a8114fd7f3caa4 1122 viewvc_1.0.5-0.1.dsc
 0caf17fa0137231c0a78a5c57e758da73475212516d4758fe521def007a8fddd 522323 viewvc_1.0.5.orig.tar.gz
 c0dec5a9591a9cab938f35dbf935488217d4c96a5fa40088fba2d65219420bc9 38214 viewvc_1.0.5-0.1.diff.gz
 533011d1c1aa260f9a4ef19165a1678b75f174f024d415394c49e37b903a8578 517036 viewvc_1.0.5-0.1_all.deb
 61fa4ced5011198398236aad9f8ef739d384839618b9a081665ba0efa3ea0cc8 17064 viewcvs_1.0.5-0.1_all.deb
 2ff8ff46069b58432b028574761d6711abf611c54b828068e38c15c122385ba9 22740 viewvc-query_1.0.5-0.1_all.deb
Files: 
 75413d5c721493e86730596b62651898 1122 devel optional viewvc_1.0.5-0.1.dsc
 8fc8107f937b9da481b14333a7fdb29d 522323 devel optional viewvc_1.0.5.orig.tar.gz
 1822958436d46696f77f04171d58f6d1 38214 devel optional viewvc_1.0.5-0.1.diff.gz
 bb7a253d043f5c526192287c31ba9073 517036 devel optional viewvc_1.0.5-0.1_all.deb
 258aeef6bda4aaf0d906ac9cc6e5604a 17064 devel optional viewcvs_1.0.5-0.1_all.deb
 9aba62d06808513242449f55d984db22 22740 devel optional viewvc-query_1.0.5-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIDtar1OXtrMAUPS0RAi12AJ9/l7wemWyXcKsc+38OcKwGFPTAogCaA+uo
yPTMgpp6F3L8mR3cHdAIE5E=
=TN62
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 May 2008 07:41:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:51:35 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.