pkgsrc-WIP-discuss archive
Re: ViewCVS vulnerability
- To: HIRAMATSU Yoshifumi <hiramatu%boreas.dti.ne.jp@localhost>
- Subject: Re: ViewCVS vulnerability
- From: Adrian Portelli <adrianp%stindustries.net@localhost>
- Date: Sat, 06 Aug 2005 02:09:35 +0100
HIRAMATSU Yoshifumi wrote:
> Thanks for clarification. According to CHANGES file, ViewCVS 0.9.3
> has three security fixes. Does this solve any of TODO entries?
>
>
> Version 0.9.3 (released 17-May-2005)
>
> * security fix: disallow bad "content-type" input [CAN-2004-1062]
> * security fix: disallow bad "sortby" and "cvsroot" input [CAN-2002-0771]
> * security fix: omit forbidden/hidden modules from tarballs [CAN-2002-0771]
>
Ok,
http://archives.neohapsis.com/archives/bugtraq/2002-05/0161.html is in
fact CAN-2002-0771, so this looks to have been addressed.
http://xforce.iss.net/xforce/xfdb/18718 is in fact CAN-2004-1062, so
this looks to have been addressed as well.
Which leaves this one which I'm not sure about:
http://xforce.iss.net/xforce/xfdb/18369
The CAN reference states "viewcvs before 0.9.2" so that indicates that
it was fixed in 0.9.2 but I can't see anything in the CHANGELOG to
verify this. The Secunia advisory states "Secunia is currently not
aware of a fixed version."
http://secunia.com/advisories/13375/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0915
Debian and Gentoo did release SAs for this:
http://www.niscc.gov.uk/niscc/docs/br-20041207-00886.html?lang=en
http://bugs.gentoo.org/show_bug.cgi?id=72461
And I've had a look at the patches but unfortunately they are against
0.92 and it _looks_ like a different fix has been implemented in 0.93 but
I do not know the code enough to comment on this.
When I was looking into this I also found this one as well:
http://secunia.com/advisories/13703/
"The vulnerability has reportedly been fixed in the CVS repository of
the current development version."
So in other words an upgrade to 0.93 would be a good start then it's
just a matter of sorting out these other two issues :-/
HTH
adrian.