[Secure-testing-team] Bug#576307: CVE-2010-0132: XSS via user-provided 'search_re' input
Moritz Muehlenhoff
jmm at debian.org
Fri Apr 2 20:49:37 UTC 2010
Package: viewvc
Severity: grave
Tags: security
The following was reported to oss-security:
Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were
released today (right on the heels of 1.1.4 and 1.0.10, for which I
still haven't received a CVE). Looks like they fix an XSS that needs
a CVE assigned.
"security fix: escape user-provided search_re input to avoid XSS
attack"
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD
Here's the patch for the XSS:
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2344
"""
There were too many ways to do something as simple as HTML escaping in
the ViewVC codebase. Simplify, conjoin, remove, etc.
* lib/sapi.py
(escape): New function. *The* preferred HTML-escaping mechanism.
(Server.escape): New common Server object escape mechanism (which
uses the aforementioned escape(), of course).
(CgiServer.escape, WsgiServer.escape, AspServer.escape,
ModPythonServer.escape): Lose as unnecessary.
* lib/viewvc.py
(Request.get_form): Escape hidden form variable names and values.
(htmlify): Remove.
(): Replace all uses of cgi.escape() and htmlify() with (directly or
indirectly) sapi.escape().
* lib/query.py
(main): Use server.escape() instead of cgi.escape().
* lib/blame.py
(HTMLBlameSource.__getitem__): Use sapi.escape() instead of
cgi.escape().
* lib/idiff.py
(_mdiff_split, _differ_split): Use sapi.escape() instead of
cgi.escape().
"""
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages viewvc depends on:
ii debconf [debconf-2.0] 1.5.30 Debian configuration management sy
ii gawk 1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii python 2.5.4-9 An interactive high-level object-o
pn python-subversion <none> (no description available)
ii python-support 1.0.7 automated rebuilding support for P
pn rcs <none> (no description available)
ii subversion 1.6.9dfsg-1 Advanced version control system
Versions of packages viewvc recommends:
pn apache | httpd <none> (no description available)
pn enscript <none> (no description available)
Versions of packages viewvc suggests:
pn cvsgraph <none> (no description available)
pn viewvc-query <none> (no description available)
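
Added example (not part of the original report and not ViewVC's code): a Python 3 sketch of the change the commit message describes for Request.get_form, where hidden form field names and values all pass through one escape() helper. The function names, the SAMPLE parameters and the parser-based round-trip check are assumptions made for illustration.

```python
from html import escape as html_escape
from html.parser import HTMLParser


def escape(s):
    """Single escaping helper: &, <, > and both quote characters."""
    return html_escape(str(s), quote=True)


def hidden_fields_raw(params):
    # 'Before' form: names and values interpolated as-is (vulnerable).
    return "".join('<input type="hidden" name="%s" value="%s" />' % (k, v)
                   for k, v in params)


def hidden_fields_escaped(params):
    # 'After' form: every name and value passes through escape().
    return "".join('<input type="hidden" name="%s" value="%s" />'
                   % (escape(k), escape(v)) for k, v in params)


class _Collector(HTMLParser):
    """Records every start tag and the name/value pair of each <input>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.fields = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            a = dict(attrs)
            self.fields.append((a.get("name"), a.get("value")))


def round_trips(markup, params):
    """True if the markup parses back to exactly the submitted fields."""
    c = _Collector()
    c.feed(markup)
    c.close()
    return set(c.tags) <= {"input"} and c.fields == list(params)


# Constructed sample request parameters; the second value carries markup.
SAMPLE = [("view", "log"), ("search_re", 'x"><b>injected</b>')]

if __name__ == "__main__":
    print(round_trips(hidden_fields_raw(SAMPLE), SAMPLE))      # False
    print(round_trips(hidden_fields_escaped(SAMPLE), SAMPLE))  # True
```

The round-trip check works as a regression test: it fails whenever a submitted value changes the element structure of the rendered form.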