Bug#363972: viewcvs: does not escape URIs correctly in parameters for diff

2006-04-21 Thread David Ayers
David Martínez Moreno wrote:

> > So I suppose this package is not being maintained any longer (last
> > 'unstable' ChangeLog Thu, 21 Jul 2005) and I haven't found any 'viewvc'
> > package.
>
> No, you are wrong. I am maintaining it, but the switch to viewvc is not
> yet done. I am spending time making the changes. I hope to have it in a
> couple of weeks.

Thanks Ender!

That's great to hear!

So if I understand this correctly:

http://www.debian.org/devel/testing

once the Sid/unstable package is done, people could start testing it.  Of
course that would be people who actually have svn/cvs repositories with
apache(2) and viewvc/viewcvs and are willing to go through all the
trouble of setting this up on a spare Sid/unstable system.

If that package has fewer release critical bugs than the previous
version then after 10 days it would propagate to Etch/testing.  (Unless
there are build failures for some archs that it used to build for or it
breaks other packages due to dependency issues. Yet it seems that the
only package that depends on viewcvs is viewcvs-query.)

Since viewcvs depends on a few packages that probably have newer
versions in Etch/testing compared to Sarge/stable, I would suppose one
would need to backport to Sarge for a stable production system like
gna.org since this is not a security issue and seems to be a larger
upgrade and therefore won't be part of the standard Sarge/stable
distribution.

Would you, Ender, also maintain a backport for Sarge/stable on
http://www.backports.org/ or do you know someone who would?

And Mathieu, would you consider using this upgrade if it became
available on http://www.backports.org/ or rather resolve this issue locally?

Cheers,
David



Bug#363972: viewcvs: does not escape URIs correctly in parameters for diff

2006-04-20 Thread David Ayers
Package: viewcvs
Severity: normal

Note that the system this is being reported from is not the system on which
the issue has been noted; in fact viewcvs is not installed.

Reference:  http://gna.org/support/?func=detailitem&item_id=1058

The link generated for 'diff' is partially missing the URI escaping. As an 
example, the following link:

http://svn.gna.org/viewcvs/gnustep?rev=22800&view=rev

includes the 'diff to previous' link:

http://svn.gna.org/viewcvs/gnustep/libs/gui/trunk/Source/NSBitmapImageRep%2BJPEG.m?rev=22800&view=diff&r1=22800&r2=22799&p1=libs/gui/trunk/Source/NSBitmapImageRep+JPEG.m&p2=/libs/gui/trunk/Source/NSBitmapImageRep+JPEG.m

which results in an 'Invalid path(s) or revision(s) passed to diff' exception.
If you hand-edit the URI, replacing the '+' with '%2B' in the parameters, to read:

http://svn.gna.org/viewcvs/gnustep/libs/gui/trunk/Source/NSBitmapImageRep%2BJPEG.m?rev=22800&view=diff&r1=22800&r2=22799&p1=libs/gui/trunk/Source/NSBitmapImageRep%2BJPEG.m&p2=/libs/gui/trunk/Source/NSBitmapImageRep%2BJPEG.m

the expected results are presented.

Note that this has probably been resolved upstream and the issue tracker 
contains a patch (yet I don't know whether that's the patch that solved the 
issue upstream):
http://viewvc.tigris.org/issues/show_bug.cgi?id=99

So the question is, does this bug have security implications that would allow 
it to be fixed in sarge?  It seems that even the unstable versions of the 
viewcvs package are still using an old snapshot (unstable: 
0.9.2+cvs.1.0.dev.2004.07.28-4):
http://packages.debian.org/cgi-bin/search_packages.pl?keywords=viewcvs&searchon=names&subword=1&version=all&release=all

So I suppose this package is not being maintained any longer (last 'unstable' 
ChangeLog Thu, 21 Jul 2005) and I haven't found any 'viewvc' package.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-386
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)


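The mechanism behind the report above, as an added illustration that is not part of the bug thread or of viewcvs's own link-generation code: a CGI-style query parser treats a raw '+' in a parameter value as a space, so a path such as 'NSBitmapImageRep+JPEG.m' must be percent-encoded as '%2B' when it is placed in a query string. The builder and parser functions below are hypothetical, and the sample path is constructed to mirror the shape of the one in the report.

```python
from typing import Callable, Tuple
from urllib.parse import parse_qs, quote, urlencode

# Constructed sample input: a repository path containing '+', shaped like the
# one in the bug report (not taken from a live server).
SAMPLE_PATH = "libs/gui/trunk/Source/NSBitmapImageRep+JPEG.m"


def build_diff_query_broken(path: str, r1: int, r2: int) -> str:
    """Reproduce the defect: path values are interpolated into the query
    string without escaping, so a literal '+' reaches the server."""
    return f"view=diff&r1={r1}&r2={r2}&p1={path}&p2=/{path}"


def build_diff_query_fixed(path: str, r1: int, r2: int) -> str:
    """Correct form: every value is percent-encoded. quote() with safe='/'
    keeps the path readable but turns '+' into '%2B' (and ' ' into '%20')."""
    params = [("view", "diff"), ("r1", r1), ("r2", r2),
              ("p1", path), ("p2", "/" + path)]
    return urlencode(params, quote_via=quote, safe="/")


def server_side_paths(query: str) -> Tuple[str, str]:
    """Mimic a CGI/form parser on the receiving side. parse_qs applies
    unquote_plus, so a raw '+' becomes a space while '%2B' becomes '+'."""
    fields = parse_qs(query, keep_blank_values=True)
    return fields["p1"][0], fields["p2"][0]


def diff_paths_survive(builder: Callable[[str, int, int], str],
                       path: str, r1: int, r2: int) -> bool:
    """True if the paths the server decodes are the ones the link meant."""
    p1, p2 = server_side_paths(builder(path, r1, r2))
    return p1 == path and p2 == "/" + path


if __name__ == "__main__":
    for name, builder in (("broken", build_diff_query_broken),
                          ("fixed", build_diff_query_fixed)):
        query = builder(SAMPLE_PATH, 22800, 22799)
        print(f"{name}: {query}")
        print("  server sees p1 =", repr(server_side_paths(query)[0]))
```

Running it shows the broken link delivering 'NSBitmapImageRep JPEG.m' (with a space) to the server, which is exactly why the diff lookup fails, while the escaped link round-trips the original path. The general rule the example demonstrates is that every query-string value, not only the path segment of the URL, needs its own percent-encoding pass.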



Bug#363972: viewcvs: does not escape URIs correctly in parameters for diff

2006-04-20 Thread David Martínez Moreno
On Thursday, 20 April 2006 at 22:09, David Ayers wrote:
> Package: viewcvs
> Severity: normal
[...]
> So the question is, does this bug have security implications that would
> allow it to be fixed in sarge?  It seems that even the unstable versions of
> the viewcvs package are still using an old snapshot (unstable:
> 0.9.2+cvs.1.0.dev.2004.07.28-4):
> http://packages.debian.org/cgi-bin/search_packages.pl?keywords=viewcvs&searchon=names&subword=1&version=all&release=all

I do not see what security implications could arise from that '+' character
not being escaped. I am not denying it, but I would find it very strange.

> So I suppose this package is not being maintained any longer (last
> 'unstable' ChangeLog Thu, 21 Jul 2005) and I haven't found any 'viewvc'
> package.

No, you are wrong. I am maintaining it, but the switch to viewvc is not
yet done. I am spending time making the changes. I hope to have it in a
couple of weeks.

Best regards,


Ender.
-- 
Network engineer
Debian Developer

