Package: viewvc Severity: grave Tags: security The following was reported to oss-security:
Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were released today (right on the heels of 1.1.4 and 1.0.10, for which I still haven't received a CVE). Looks like they fix an XSS that needs a CVE assigned. "security fix: escape user-provided search_re input to avoid XSS attack" http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD Here's the patch for the XSS: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2344 """ There were too many ways to do something as simple as HTML escaping in the ViewVC codebase. Simplify, conjoin, remove, etc. * lib/sapi.py (escape): New function. *The* preferred HTML-escaping mechanism. (Server.escape): New common Server object escape mechanism (which uses the aforementioned escape(), of course). (CgiServer.escape, WsgiServer.escape, AspServer.escape, ModPythonServer.escape): Lose as unnecessary. * lib/viewvc.py (Request.get_form): Escape hidden form variable names and values. (htmlify): Remove. (): Replace all uses of cgi.escape() and htmlify() with (directly or indirectly) sapi.escape(). * lib/query.py (main): Use server.escape() instead of cgi.escape(). * lib/blame.py (HTMLBlameSource.__getitem__): Use sapi.escape() instead of cgi.escape(). * lib/idiff.py (_mdiff_split, _differ_split): Use sapi.escape() instead of cgi.escape(). """ -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core) Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15) Shell: /bin/sh linked to /bin/bash Versions of packages viewvc depends on: ii debconf [debconf-2.0] 1.5.30 Debian configuration management sy ii gawk 1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap ii python 2.5.4-9 An interactive high-level object-o pn python-subversion <none> (no description available) ii python-support 1.0.7 automated rebuilding support for P pn rcs <none> (no description available) ii subversion 1.6.9dfsg-1 Advanced version control system Versions of packages viewvc recommends: pn apache | httpd <none> (no description available) pn enscript <none> (no description available) Versions of packages viewvc suggests: pn cvsgraph <none> (no description available) pn viewvc-query <none> (no description available) -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
