viewvc: CVE-2012-4533: XSS bug in diff view

Debian Bug report logs - #691062
viewvc: CVE-2012-4533: XSS bug in diff view

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: viewvc: XSS bug in diff view

Date: Sat, 20 Oct 2012 17:54:18 -0300

[Message part 1 (text/plain, inline)]

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages viewvc depends on:
ii  cvs                2:1.12.13+real-9
ii  python             2.7.3~rc2-1
ii  python-subversion  1.6.17dfsg-4
ii  python-support     1.0.15
ii  rcs                5.8.1-1
ii  subversion         1.6.17dfsg-4

Versions of packages viewvc recommends:
pn  apache2 | httpd-cgi  <none>
ii  python-pygments      1.5+dfsg-1

Versions of packages viewvc suggests:
pn  cvsgraph               <none>
pn  libapache2-mod-python  <none>
ii  mime-support           3.52-1
pn  python-tk              <none>
pn  viewvc-query           <none>

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/lib/viewvc/lib/vclib/svn/svn_repos.py (from viewvc package)
         (this is my personal workaround for bug #683188)

[diff-xss.patch (text/x-diff, attachment)]

Message #10 received at 691062@bugs.debian.org (full text, mbox, reply):

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>

To: 691062@bugs.debian.org

Cc: control <control@bugs.debian.org>

Subject: Re: Bug#691062: viewvc: XSS bug in diff view

Date: Sat, 20 Oct 2012 19:39:17 -0300

found 691062 0.9.4+svn20060318-1
thanks

I tested every version in snapshot.debian.org and they are all
affected, if the hr_funout setting (show function names in diffs) is
enabled. Although only 1.1.5+ seem to have it enabled by default.

Message #17 received at 691062@bugs.debian.org (full text, mbox, reply):

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>

To: 691062@bugs.debian.org

Subject: Re: Bug#691062: viewvc: XSS bug in diff view

Date: Sun, 21 Oct 2012 03:00:56 -0300

Kurt Seifried from Redhat has assigned the identifier CVE-2012-4533 to
this issue (thanks!).

-- 
Nicolás

Message #32 received at 691062-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 691062-close@bugs.debian.org

Subject: Bug#691062: fixed in viewvc 1.1.5-1.1+squeeze2

Date: Sat, 27 Oct 2012 15:47:04 +0000

Source: viewvc
Source-Version: 1.1.5-1.1+squeeze2

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 691062@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Oct 2012 10:30:11 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.1.5-1.1+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 viewvc     - web interface for CVS and/or Subversion repositories
 viewvc-query - utility to query CVS and Subversion commit database
Closes: 691062
Changes: 
 viewvc (1.1.5-1.1+squeeze2) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2012-4533: Fix XSS in commit message view. Found and patch provided
     by Nicolás Alvarez (closes: #691062).
Checksums-Sha1: 
 4b63ac2b16d58ad65d795c884c0532875394a34e 1498 viewvc_1.1.5-1.1+squeeze2.dsc
 2ff95957c9d650e9156d0d7ff9010c7573bade0c 30847 viewvc_1.1.5-1.1+squeeze2.diff.gz
 5fc000e9e2175990e133fb42f8f848dc7c5b9aec 606602 viewvc_1.1.5-1.1+squeeze2_all.deb
 8517a8b9384a5b26914b534aa3810f96b74b5e75 12106 viewvc-query_1.1.5-1.1+squeeze2_all.deb
Checksums-Sha256: 
 c2176b068dc9312f37b639fad4bf74cc949adb0383de730fa6c1e0d65721f84c 1498 viewvc_1.1.5-1.1+squeeze2.dsc
 37b8d113dbfe42a11987de84b1ff51656a421e34ce3f74fe9e4c7e1bd5316683 30847 viewvc_1.1.5-1.1+squeeze2.diff.gz
 53221057abfd44ea20f343db42e8e2a73dc97d4454f3edba9155025a3960ca70 606602 viewvc_1.1.5-1.1+squeeze2_all.deb
 ceee4940a415d603dbaa27b83cdfc52ddc39813e7560a07fcf51308b98239822 12106 viewvc-query_1.1.5-1.1+squeeze2_all.deb
Files: 
 bfd16d0860b1a29f168dcfdde0a510f4 1498 vcs optional viewvc_1.1.5-1.1+squeeze2.dsc
 e27b66217e2a5808e78ca2dd51140457 30847 vcs optional viewvc_1.1.5-1.1+squeeze2.diff.gz
 d9b38a72a010da32318fcd86f71719f9 606602 vcs optional viewvc_1.1.5-1.1+squeeze2_all.deb
 b36d5b643daec51d5ace861b3b201d30 12106 vcs optional viewvc-query_1.1.5-1.1+squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJQhlhRAAoJEFb2GnlAHawEAWUH/1UCHmWCKTuLTD5jeNgsMcKP
HTNDDL8Zh0UDMOV07IDFADliUr7Oe9FgDQKF3efX74AT1Iw2hoakoR5UIQyy6ZHM
nvmWv+KCHcgjsgEyrh+Hdyz3l4WgMiOE4wCkdypxNBTK/WXWyLoJg6kgI+yLaskf
puYU3fih0JBkzdb0ffrY3hjcoYPGrkbNrNBjoy1R9INfqhpve1giyEPQ5c7CDWD5
6qkE+G/ZF3qj4Uq6vQNy2GQBiiilU7alRk+jE9fvA2z01W8W87aKw8IVRO7ifxB9
sx0D+tRkT6eEoA7VRgJ+zNoC+XUNhvCD2MBbwEzTd4sRsKzFjAMEmy11O30z93Y=
=Oq12
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.