<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200412-26"> <title>ViewCVS: Information leak and XSS vulnerabilities</title> <synopsis> ViewCVS is vulnerable to an information leak and to cross-site scripting (XSS) issues. </synopsis> <product type="ebuild">ViewCVS</product> <announced>December 28, 2004</announced> <revised>December 28, 2004: 01</revised> <bug>72461</bug> <bug>73772</bug> <access>remote</access> <affected> <package name="www-apps/viewcvs" auto="yes" arch="*"> <unaffected range="ge">0.9.2_p20041207-r1</unaffected> <vulnerable range="le">0.9.2_p20041207</vulnerable> </package> </affected> <background> <p> ViewCVS is a browser interface for viewing CVS and Subversion version control repositories through a web browser. </p> </background> <description> <p> The tar export functions in ViewCVS bypass the 'hide_cvsroot' and 'forbidden' settings and therefore expose information that should be kept secret (CAN-2004-0915). Furthermore, some error messages in ViewCVS do not filter user-provided information, making it vulnerable to a cross-site scripting attack (CAN-2004-1062). </p> </description> <impact type="low"> <p> By using the tar export functions, a remote attacker could access information that is configured as restricted. Through the use of a malicious request, an attacker could also inject and execute malicious script code, potentially compromising another user's browser. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All ViewCVS users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=www-apps/viewcvs-0.9.2_p20041207-r1"</code> </resolution> <references> <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0915">CAN-2004-0915</uri> <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1062">CAN-2004-1062</uri> </references> <metadata tag="submitter" timestamp="Tue, 21 Dec 2004 15:31:38 +0000"> koon </metadata> <metadata tag="bugReady" timestamp="Tue, 28 Dec 2004 14:23:36 +0000"> koon </metadata> </glsa>