Bugzilla – Bug 63989
VUL-0: CVE-2004-0915: Information leak in viewcvs
Last modified: 2021-10-04 10:24:29 UTC
We received the following report via vendor-sec. The issue is public. Sounds uncritical, we should probably include it if other security issues in subversion need to be fixed in the future.

Date: Thu, 25 Nov 2004 12:32:25 +0100
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0915: Information leak in viewcvs

Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility for viewing CVS and Subversion repositories via HTTP. In both cases the program doesn't honour the settings enough to hide certain directories from the tar export.

Problem 1: hide_cvsroot doesn't work when a tar file is exported
Problem 2: forbidden is ignored when a tar file is exported

The attached patches for both version 0.9 and 1.0 which have different code but are both vulnerable to these problems seem to fix those. Upstream is unresponsive unfortunately.

This is most probably not that critical since many CVS repositories are available via anonymous CVS anyway and that one does support neither of these options.

Regards,

Joey

--
A mathematician is a machine for converting coffee into theorems.
Paul Erdös --- viewcvs.py.orig 2004-10-20 15:03:41.000000000 +0200 +++ viewcvs.py 2004-10-20 16:37:35.000000000 +0200 def generate_tarball(out, relative, directory, tag, stack=[]): subdirs = [ ] rcs_files = [ ] + if relative == 'CVSROOT' and cfg.options.hide_cvsroot: + return + for file, pathname, isdir in get_file_data(directory): if pathname == _UNREADABLE_MARKER: continue if isdir: + if file == 'CVSROOT' and relative.find('/') == -1 and cfg.options.hide_cvsroot: + continue + if relative.find('/') == -1 and cfg.is_forbidden(file): + continue subdirs.append(file) else: rcs_files.append(file) '</body></html>\n') return + if where == 'CVSROOT' and cfg.options.hide_cvsroot: + print "Status: 400" + http_header() + print ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n' + '<html><head>\n<title>400 Bad Request</title>\n' + '</head><body>\n' + '<H1>Bad Request</H1>\n Listing of CVSROOT is disallowed.<p>\n' + '</body></html>\n') + return + ### look for GZIP binary # if we have a directory and the request didn't end in "/", then redirect --- /usr/lib/python2.3/site-packages/viewcvs/viewcvs.py 2004-10-20 12:56:26.000000000 +0200 +++ viewcvs.py 2004-10-20 16:02:23.000000000 +0200 # exist at the front or end of the path. path_parts = filter(None, string.split(path_info, '/')) + if (len(path_parts) > 0 and path_parts[0] == 'CVSROOT' and cfg.options.hide_cvsroot): + raise debug.ViewCVSException('Access to "%s" is forbidden.' 
+ % path_parts[0], '403 Forbidden') + if path_parts: # handle magic path prefixes if path_parts[0] == docroot_magic_path: def generate_tarball(out, request, tar_top, rep_top, reldir, options, stack=[]): cvs = request.roottype == 'cvs' - if cvs and (rep_top == '' and 0 < len(reldir) and - reldir[0] == 'CVSROOT' and cfg.options.hide_cvsroot): + if (0 < len(rep_top) and rep_top[0] == 'CVSROOT' and cfg.options.hide_cvsroot): + return + + if (0 < len(reldir) and reldir[0] == 'CVSROOT' and cfg.options.hide_cvsroot): return - if (rep_top == '' and cfg.is_forbidden(reldir[0])): + if (rep_top == [] and 0 < len(reldir) and cfg.is_forbidden(reldir[0])): return rep_path = rep_top + reldir rep_top = request.path_parts if len(rep_top): tar_top = rep_top[-1] + if cfg.is_forbidden(tar_top): + raise debug.ViewCVSException('Access to "%s" is forbidden.' + % tar_top, '403 Forbidden') else: tar_top = request.rootname
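Review bot: In the first diff's generate_tarball hunk, the test "relative.find('/') == -1" is true for an empty relative and for any single-component relative alike, so the CVSROOT and cfg.is_forbidden(file) filters inside the loop cannot tell the repository root from one level below it. If only top-level modules are meant to be filtered, compare relative against the value the root call passes instead of testing for the absence of a slash. In the same diff, "if where == 'CVSROOT' and cfg.options.hide_cvsroot:" is an exact match, so on its own it does not cover paths below CVSROOT, and it answers "Status: 400" where the second diff raises '403 Forbidden' for the same condition; a prefix test and one consistent status would be clearer.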
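Review bot: In the second diff's last hunk, "cfg.is_forbidden(tar_top)" tests rep_top[-1], the last path component, while the generate_tarball hunk only applies "cfg.is_forbidden(reldir[0])" when "rep_top == []". For a tarball requested on a subdirectory of a forbidden module, rep_top is non-empty and its last component is the subdirectory name, so neither of these two checks looks at the module name; testing rep_top[0] would cover that case unless an earlier check already rejects the path. The generate_tarball hunk also drops the "cvs and" guard from the CVSROOT test, so it now applies to every root type, and it returns silently where the path_parts hunk raises '403 Forbidden'; a comment stating that both are intended would help.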
I can't find the string _UNREADABLE_MARKER in SLES9, 9.2 or the latest view-cvs HEAD branch.
CVSROOT is not available when serving svn repositories. Looks like this bug does not matter.
cvsroot, ok. What about the forbidden thing? The original report refers to subversion and cvs "In both cases".
It seems forbidden doesn't work at all, or I do something wrong. No matter what I put into forbidden=, all is visible in svn repositories, but it appears to work ok for cvs. So all we need is a patch to hide the download link:

http://mac.suse.de/viewcvs/?root=klibc-cvsroot-cvs-2

mac:/srv/svn/bug48989 # diff viewcvs.conf /srv/viewcvs/viewcvs.conf 72c72,73 < ###cvs_roots = cvs: /home/cvsroot --- > cvs_roots = klibc-cvsroot-cvs-1: /srv/svn/bug48989/klibc-cvsroot-cvs-1, > klibc-cvsroot-cvs-2: /srv/svn/bug48989/klibc-cvsroot-cvs-2 81,82c82,83 < your_unnamed_project : /srv/svn/repos/<your_unnamed_project> , < another_project : /srv/svn/repos/<another_project> --- > klibc-cvsroot-svn-1 : /srv/svn/bug48989/klibc-cvsroot-svn-1, > klibc-cvsroot-svn-2 : /srv/svn/bug48989/klibc-cvsroot-svn-2 102c103 < default_root = your_unnamed_project --- > default_root = klibc-cvsroot-cvs-1 158c159 < forbidden = --- > forbidden = klibc* 323c324 < hide_attic = 1 --- > hide_attic = 0 459c460 < allow_tar = 0 --- > allow_tar = 1
forbidden doesn't work any better with the current cvs.
Created attachment 27420 [details] subversion.viewcvs.forbidden-hide_cvsroot.patch
Created attachment 27441 [details] subversion.viewcvs.forbidden-hide_cvsroot_CAN-2004-0915.patch

sles9 version of the patch
fixed for 9.3
CVE-2004-0915: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
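
A way to verify the fix from the outside, added here as an example and not part of the bug report or of viewcvs: download a root-level tarball export and list any members that fall under CVSROOT or under a module matching the forbidden setting. The function names, the sample archive contents, the <tar_top>/<module>/... layout and the use of shell-style matching for forbidden entries (as in "forbidden = klibc*" above) are assumptions of this example.

```python
import fnmatch
import io
import tarfile


def leaked_members(tar_bytes, forbidden, hide_cvsroot=True):
    """List members of a root-level tarball export that should be hidden.

    Assumption: members are stored as <tar_top>/<module>/..., so the
    top-level module is the second path component.
    """
    leaks = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for name in tar.getnames():
            parts = [p for p in name.split("/") if p]
            if len(parts) < 2:
                continue  # the tar_top directory entry itself
            module = parts[1]
            if hide_cvsroot and module == "CVSROOT":
                leaks.append(name)
            elif any(fnmatch.fnmatchcase(module, pat) for pat in forbidden):
                leaks.append(name)
    return leaks


def build_sample(paths):
    """Build a constructed gzip tarball in memory (stand-in for a download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in paths:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed exports: what an unpatched and a patched server might return.
UNPATCHED = build_sample(["repo/CVSROOT/modules",
                          "repo/klibc-internal/Makefile",
                          "repo/public/README"])
PATCHED = build_sample(["repo/public/README"])

if __name__ == "__main__":
    for label, blob in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, leaked_members(blob, ["klibc*"]))
```

An empty list for every configured root means the export honours both settings; any entry returned is a path the web listing hides but the tarball still ships.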