CVE-2010-0132: XSS via user-provided 'search_re' input


Debian Bug report logs - #576307


Package: viewvc; Maintainer for viewvc is Lev Lamberov <dogsleg@debian.org>; Source for viewvc is src:viewvc.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 2 Apr 2010 20:51:02 UTC

Severity: grave

Tags: security

Fixed in version viewvc/1.1.5-1

Done: David Martínez Moreno <ender@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#576307; Package viewvc. (Fri, 02 Apr 2010 20:51:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Fri, 02 Apr 2010 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0132: XSS via user-provided 'search_re' input
Date: Fri, 02 Apr 2010 22:49:37 +0200
Package: viewvc
Severity: grave
Tags: security

The following was reported to oss-security:

Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were
released today (right on the heels of 1.1.4 and 1.0.10, for which I
still haven't received a CVE). Looks like they fix an XSS that needs
a CVE assigned.

"security fix: escape user-provided search_re input to avoid XSS
attack"

http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD

Here's the patch for the XSS:
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2344

"""
There were too many ways to do something as simple as HTML escaping in
the ViewVC codebase.  Simplify, conjoin, remove, etc.

* lib/sapi.py
  (escape): New function.  *The* preferred HTML-escaping mechanism.
  (Server.escape): New common Server object escape mechanism (which
    uses the aforementioned escape(), of course).
  (CgiServer.escape, WsgiServer.escape, AspServer.escape,
   ModPythonServer.escape): Lose as unnecessary.

* lib/viewvc.py
  (Request.get_form): Escape hidden form variable names and values.
  (htmlify): Remove.
  (): Replace all uses of cgi.escape() and htmlify() with (directly or
    indirectly) sapi.escape().

* lib/query.py
  (main): Use server.escape() instead of cgi.escape().

* lib/blame.py
  (HTMLBlameSource.__getitem__): Use sapi.escape() instead of
    cgi.escape().

* lib/idiff.py
  (_mdiff_split, _differ_split): Use sapi.escape() instead of
    cgi.escape().
"""

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages viewvc depends on:
ii  debconf [debconf-2.0]     1.5.30         Debian configuration management sy
ii  gawk                      1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  mime-support              3.48-1         MIME files 'mime.types' & 'mailcap
ii  python                    2.5.4-9        An interactive high-level object-o
pn  python-subversion         <none>         (no description available)
ii  python-support            1.0.7          automated rebuilding support for P
pn  rcs                       <none>         (no description available)
ii  subversion                1.6.9dfsg-1    Advanced version control system

Versions of packages viewvc recommends:
pn  apache | httpd                <none>     (no description available)
pn  enscript                      <none>     (no description available)

Versions of packages viewvc suggests:
pn  cvsgraph                      <none>     (no description available)
pn  viewvc-query                  <none>     (no description available)
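The commit message quoted above describes the fix as routing every HTML escape through one sapi.escape() and escaping hidden form field names and values in Request.get_form. The following is an added example, not ViewVC's own code, that shows why that matters for a reflected parameter such as search_re: it renders a constructed request into hidden inputs once with the raw values and once through a single escape helper, and parses the result the way a browser would. All function and variable names are hypothetical.

```python
# Added example (not ViewVC's own code): one HTML-escaping helper in the
# spirit of the sapi.escape() described above, applied to hidden form fields
# that echo request parameters such as search_re.  Names are hypothetical.
import html
from html.parser import HTMLParser


def escape(s):
    """Escape for both text and attribute context: & < > " and '.
    (Python 2's cgi.escape() left quotes alone unless quote=True was passed,
    so a value placed inside value="..." could close the attribute.)"""
    return html.escape(str(s), quote=True)


def hidden_fields(params, escaper=escape):
    """Render request parameters as hidden inputs, passing both the field
    name and its value through `escaper` (identity function = pre-fix)."""
    return "".join(
        '<input type="hidden" name="%s" value="%s" />\n'
        % (escaper(name), escaper(value))
        for name, value in sorted(params.items()))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the start tags a browser would see in `markup`."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# Constructed request: search_re carries a quote and angle brackets.
PARAMS = {"search_re": 'foo"><b>x</b>', "view": "query"}


def compare():
    """Return (tags seen with raw copy, tags seen with escaped copy)."""
    raw = hidden_fields(PARAMS, escaper=lambda s: str(s))
    safe = hidden_fields(PARAMS)
    return tags_in(raw), tags_in(safe)


if __name__ == "__main__":
    raw_tags, safe_tags = compare()
    print("raw:    ", raw_tags)   # the injected <b> appears beside the inputs
    print("escaped:", safe_tags)  # only the two hidden inputs remain
```

Because names are escaped as well as values, a hostile parameter name cannot break out of the name="..." attribute either, which is the second half of the Request.get_form change.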


Added tag(s) pending. Request was from David Martínez Moreno <ender@debian.org> to control@bugs.debian.org. (Wed, 30 Jun 2010 22:03:14 GMT)


Reply sent to David Martínez Moreno <ender@debian.org>:
You have taken responsibility. (Fri, 02 Jul 2010 00:36:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 02 Jul 2010 00:36:13 GMT)


Message #12 received at 576307-close@bugs.debian.org:

From: David Martínez Moreno <ender@debian.org>
To: 576307-close@bugs.debian.org
Subject: Bug#576307: fixed in viewvc 1.1.5-1
Date: Fri, 02 Jul 2010 00:32:40 +0000
Source: viewvc
Source-Version: 1.1.5-1

We believe that the bug you reported is fixed in the latest version of
viewvc, which is due to be installed in the Debian FTP archive:

viewvc-query_1.1.5-1_all.deb
  to main/v/viewvc/viewvc-query_1.1.5-1_all.deb
viewvc_1.1.5-1.diff.gz
  to main/v/viewvc/viewvc_1.1.5-1.diff.gz
viewvc_1.1.5-1.dsc
  to main/v/viewvc/viewvc_1.1.5-1.dsc
viewvc_1.1.5-1_all.deb
  to main/v/viewvc/viewvc_1.1.5-1_all.deb
viewvc_1.1.5.orig.tar.gz
  to main/v/viewvc/viewvc_1.1.5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 576307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Martínez Moreno <ender@debian.org> (supplier of updated viewvc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 02 Jul 2010 02:24:34 +0200
Source: viewvc
Binary: viewvc viewvc-query
Architecture: source all
Version: 1.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: David Martínez Moreno <ender@debian.org>
Description: 
 viewvc     - web interface for CVS and/or Subversion repositories
 viewvc-query - utility to query CVS and Subversion commit database
Closes: 434301 532611 570573 575777 575787 576307 585366
Changes: 
 viewvc (1.1.5-1) unstable; urgency=medium
 .
   [ John Zaitseff ]
   * New upstream release (closes: #532611, #575777, #575787, #576307).  This
     solves CVE-2010-0004, CVE-2010-0005, CVE-2010-0736 and CVE-2010-0132.
   * Extensive rewrite of files in the debian directory.  Updated to Debian
     policy 3.8.4, updated all control files to Debhelper 7, rewrote
     debian/rules for clarity (and to use Debhelper 7).
   * Removed all references to Debconf, as previous versions of this
     package violated Debian policy (section 10.7.3): /etc/viewvc/viewvc.conf
     is a conffile, and maintainer scripts must NOT modify it at any time.
   * Reorganised the installation files in /usr/lib/viewvc.  The CGI
     programs are now links to files in /usr/lib/viewvc/cgi-bin.
   * Packaged the Apache mod-python modules for optional use (in
     /usr/lib/viewvc/mod-python).  See README.Debian for more information.
   * Moved the static help documentation ("docroot") from /usr/share/viewvc
     to /usr/share/viewvc/docroot, as per Webapps Policy, section 3.1.
   * Updated the debian/patches subdirectory to remove patches no longer
     relevant to ViewVC 1.1.x and to update those that still apply.
   * debian/control:
     - Removed the dependency on gawk, as that was only required for Debconf
       configuration.
     - Demoted the dependency on mime-support to "Suggests": ViewVC can use
       it, if appropriately configured, but does not require it.
     - Added a suggestion for the python-tk package: viewvc-standalone(1)
       uses this when passed the "--gui" flag.
     - Modified all dependencies as appropriate.  Depend on httpd-cgi, not
       httpd, since the viewvc package needs a CGI server.  In addition,
       python-egenix-mxdatetime is no longer needed (since ViewVC 1.0.x).
     - Updated the XS-Python-Version field to "all" (Closes: #570573).
     - ViewVC 1.1.x supports only python-pygments as a syntax highlighter,
       not enscript.  Adjusted dependencies as appropriate.
 .
   [ David Martínez Moreno ]
   * Changed history and added the CVE entry to the changelog for 1.0.9-1.
   * debian/control:
     - Moved Section to vcs in order to match the overrides.
     - Make python-dev dependency just python.
     - Removed dummy package viewcvs, it was already dummy in lenny.
   * debian/viewcvs.*: Removed.
   * debian/NEWS: Fixed version in John's entry and removed old news from 0.9.4.
   * debian/README.source: Added.
   * The new release also addresses in a different way how to show long
     annotation messages (closes: #434301).
   * Added debian/patches/92-no_strings_in_raise for fixing a couple of
     occurrences of string exceptions in the code, no longer valid in Python
     2.6, the default now (closes: #585366).



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 07:48:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:34 2019; Machine Name: buxtehude
