Bug 787072 (CVE-2012-4533) - VUL-1: CVE-2012-4533: viewvc: Cross-Site Scripting (XSS) in lib/viewvc.py
Summary: VUL-1: CVE-2012-4533: viewvc: Cross-Site Scripting (XSS) in lib/viewvc.py
Status: RESOLVED FIXED
Alias: CVE-2012-4533
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-28 08:33 UTC by Matthias Weckbecker
Modified: 2013-07-25 13:58 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Matthias Weckbecker 2012-10-28 08:33:39 UTC
Original posting on oss-security [1]:

-----------------------------------------------------------------------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

From: Nicolás Alvarez <nicolas.alvarez@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: viewvc: XSS bug in diff view
Date: Sat, 20 Oct 2012 17:54:18 -0300
Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
- -trigger
+trigger X
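Review bot: The injection point is the function-context field after the second @@ of the hunk header (`@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>`); diff copies that text verbatim from the compared file, so it is as attacker-controlled as the `+`/`-`/context body lines and must go through the same HTML escaping as they do. Note also that `- -trigger` is PGP dash-escaping of the removed line `-trigger` from the signed oss-security mail, not a diff line with a leading space.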

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----------------------------------------------------------------------

[1] http://seclists.org/oss-sec/2012/q4/121
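As an added example (written for this page, not ViewVC's own code and not the patch attached to the Debian bug): a minimal unified-diff renderer that parses hunk headers and shows the difference between interpolating the function-context field raw, as the report describes, and HTML-escaping it like every other diff line. The HUNK_HEADER regex, the vc_diff_* class names and the markup are assumptions for the example, and the sample diff is constructed from the report with the PGP dash-escaping removed.

```python
import html
import re

# Unified-diff hunk header: "@@ -start,len +start,len @@ <function context>".
# diff copies the function-context field verbatim out of the file being
# compared, so anyone who can commit controls it byte for byte.
HUNK_HEADER = re.compile(
    r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(?: (.*))?$')

# Constructed sample input: the diff quoted in the report, with the PGP
# dash-escaping removed ("-trigger", not "- -trigger").
SAMPLE_DIFF = '''@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
'''


def parse_hunk_header(line):
    """Split a hunk header into (old_start, old_len, new_start, new_len, context).

    Returns None when the line is not a hunk header. A missing ",len" means 1,
    as in the unified diff format.
    """
    m = HUNK_HEADER.match(line)
    if m is None:
        return None
    old_start, old_len, new_start, new_len, context = m.groups()
    return (int(old_start), int(old_len) if old_len is not None else 1,
            int(new_start), int(new_len) if new_len is not None else 1,
            context or '')


def render_hunk_header(line, escape):
    """Render one hunk header as HTML.

    escape=False reproduces the bug class described in the report: the
    function-context field is interpolated raw. escape=True is the fix.
    (The markup and class name are assumptions for the example, not ViewVC's.)
    """
    old_start, old_len, new_start, new_len, context = parse_hunk_header(line)
    shown = html.escape(context, quote=True) if escape else context
    return ('<div class="vc_diff_hunk">@@ -%d,%d +%d,%d @@ %s</div>'
            % (old_start, old_len, new_start, new_len, shown))


def render_diff(text, escape=True):
    """Render a unified diff body to HTML; body lines are always escaped."""
    out = []
    for line in text.splitlines():
        if parse_hunk_header(line) is not None:
            out.append(render_hunk_header(line, escape))
            continue
        # Body lines: classify by the leading '+', '-' or ' ' (context).
        kind = {'+': 'add', '-': 'rem'}.get(line[:1], 'ctx')
        out.append('<div class="vc_diff_%s">%s</div>'
                   % (kind, html.escape(line, quote=True)))
    return '\n'.join(out)


def has_raw_script_tag(rendered_html):
    """Crude check: does a literal <script tag survive rendering?"""
    return '<script' in rendered_html.lower()


if __name__ == '__main__':
    print(render_diff(SAMPLE_DIFF, escape=False))   # payload survives
    print(render_diff(SAMPLE_DIFF, escape=True))    # payload neutralised
```

The point the example makes is that the escaping decision has to be made per field, not per line type: a renderer that escapes the `+`/`-`/context lines but builds the hunk header from the parsed pieces will reintroduce the hole unless the context string is escaped at the moment it is put back into markup.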
Comment 1 Matthias Weckbecker 2012-10-28 08:33:59 UTC
Note: openSUSE only. No SLE affected.
Comment 2 Dirk Mueller 2012-10-29 12:25:39 UTC
Already submitted to openSUSE:Factory. Let me know if you want maintenance updates submitted as well.
Comment 3 Matthias Weckbecker 2012-10-29 12:41:08 UTC
I personally wouldn't release updates for this for openSUSE, but I will need to
discuss with the team. I will discuss today and update this bug accordingly.

Thanks.
Comment 4 Bernhard Wiedemann 2012-11-05 13:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (787072) was mentioned in
https://build.opensuse.org/request/show/140197 Factory / viewvc
Comment 5 Marcus Meissner 2013-07-25 13:58:15 UTC
Is fixed in Factory and 12.3, so close.