Bug#671482: CVE-2009-5024: Possible excessive resource use when commit database feature enabled

2012-05-12 Thread Ben Hutchings
I've downgraded this because it does not affect the default
configuration.  It only affects installations which use the optional
feature to use a MySQL database of commits.

I'm attaching a debdiff for the changes in case anyone thinks they
should be applied in isolation (perhaps as a stable-security update).
The ordinary functionality still works after these changes, but the
database feature is sufficiently complex to set up that I gave up on
trying to test it.

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
diff -u viewvc-1.1.5/debian/changelog viewvc-1.1.5/debian/changelog
--- viewvc-1.1.5/debian/changelog
+++ viewvc-1.1.5/debian/changelog
@@ -1,3 +1,13 @@
+viewvc (1.1.5-1.2) UNRELEASED; urgency=low
+
+  * Non-maintainer upload
+  * view_query: No longer allow an undocumented URL parameter to
+override the admin-declared SQL row limit, which could result
+in excessive CPU usage and memory consumption (CVE-2009-5024)
+(Closes: #671482)
+
+ -- Ben Hutchings   Sat, 12 May 2012 23:13:16 +0100
+
 viewvc (1.1.5-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
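Review bot: the new changelog entry targets UNRELEASED, so as written it cannot be built as the stable-security update the cover mail mentions; when uploading, set the suite (unstable, or the security suite if this goes out as a DSA) and keep the version. Two style points in the same stanza: the first bullet reads "Non-maintainer upload" without the trailing period used by the 1.1.5-1.1 entry directly below, and the continuation lines of the view_query bullet ("override the admin-declared SQL row limit, ...") should be indented under the bullet as changelog convention expects. It would also help future readers to name the upstream revisions being backported (rev2547, rev2551, as listed in debian/patches/series) in the entry.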
diff -u viewvc-1.1.5/debian/patches/series viewvc-1.1.5/debian/patches/series
--- viewvc-1.1.5/debian/patches/series
+++ viewvc-1.1.5/debian/patches/series
@@ -5,0 +6,2 @@
+rev2547
+rev2551
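Review bot: the series adds both rev2547 and rev2551, but only debian/patches/rev2547 appears in the debdiff as shown here. Please confirm rev2551 is actually in the upload: a series entry without a matching file makes quilt fail at build time, and if rev2551 carries the remaining part of the row-limit change, the fix would be incomplete without it.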
only in patch2:
unchanged:
--- viewvc-1.1.5.orig/debian/patches/rev2547
+++ viewvc-1.1.5/debian/patches/rev2547
@@ -0,0 +1,175 @@
+
+r2547 | cmpilato | 2011-04-19 21:40:04 +0100 (Tue, 19 Apr 2011) | 30 lines
+
+Try to make some sense of the various CVSdb-related limitation
+mechanisms, namely by removing the largely redundant "global" limit
+and allowing the per-query row limit (which already exist, too) to do
+its work.
+
+While here, remove a poorly conceived (but thankfully unhighlighted)
+mechanism for overriding the administrative limit on database rows
+which was accessible via URL CGI params.
+
+* lib/viewvc.py
+  (_legal_params): Remove 'limit' as a legal parameter.
+  (view_query): No longer allow an undocumented URL parameter to
+override the admin-declared SQL row limit.  That should have never
+been allowed!
+
+* lib/cvsdb.py
+  (CheckinDatabase.__init__): Remove 'row_limit' parameter and
+associated self._row_limit member.
+  (CheckinDatabase.CreateSQLQueryString): No longer fuss with
+self._row_limit.  Let the individual query carry the row limit.
+  (ConnectDatabase): Update call to CheckinDatabase().
+
+* lib/query.py
+  (form_to_cvsdb_query): Now accept 'cfg' parameter, and set the
+query's row limit from the configured defaults.
+  (run_query): Update call to form_to_cvsdb_query().
+
+* docs/url-reference.html
+  Remove reference to the 'limit' parameter.
+
+
+--- viewvc-1.1.5.orig/docs/url-reference.html
 viewvc-1.1.5/docs/url-reference.html
+@@ -1193,13 +1193,6 @@
+ page
+   
+   
+-limit=LIMIT
+-optional
+-maximum number of file-revisions to process during a
+-query. Default is value of row_limit configuration
+-option
+-  
+-  
+ limit_changes=LIMIT_CHANGES
+ optional
+ maximum number of files to list per commit in query
+--- viewvc-1.1.5.orig/lib/cvsdb.py
 viewvc-1.1.5/lib/cvsdb.py
+@@ -38,13 +38,12 @@
+ ## complient database interface
+ 
+ class CheckinDatabase:
+-def __init__(self, host, port, user, passwd, database, row_limit):
++def __init__(self, host, port, user, passwd, database):
+ self._host = host
+ self._port = port
+ self._user = user
+ self._passwd = passwd
+ self._database = database
+-self._row_limit = row_limit
+ self._version = None
+ 
+ ## database lookup caches
+@@ -444,13 +443,11 @@
+ conditions = string.join(joinConds + condList, " AND ")
+ conditions = conditions and "WHERE %s" % conditions
+ 
+-## limit the number of rows requested or we could really slam
+-## a server with a large database
++## apply the query's row limit, if any (so we avoid really
++## slamming a server with a large database)
+ limit = ""
+ if query.limit:
+ limit = "LIMIT %s" % (str(query.limit))
+-elif self._row_limit:
+-limit = "LIMIT %s" % (str(self._row_limit))
+ 
+ sql = "SELECT %s.* FROM %s %s %s %s" \
+   % (commits_table, tables, conditions, order_by, limit)
+@@ -769,8 +766,8 @@
+ self.data = data
+ self.match = match
+ 
+-## CheckinDatabaseQueryData is a object which contains the search parameters
+-## for a query to the CheckinDatabase
++## CheckinDatabaseQuery is an object which contains the search
++## parameters for a query to the Checkin Database
+ class CheckinDatabaseQuery:
+ def __init__(self):
+ ## sorting
+@@ -861,7 +858,7 @@
+ 
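Review bot: the embedded lib/cvsdb.py hunk at @@ -444,13 +443,11 @@ drops the `elif self._row_limit:` fallback, so a CheckinDatabaseQuery that arrives with no explicit limit now produces a SELECT with no LIMIT clause at all. The upstream log above says the counterpart is in lib/query.py (form_to_cvsdb_query() setting the query's row limit from the configured defaults) and that the change to lib/viewvc.py (_legal_params dropping 'limit', view_query no longer honouring the URL parameter) is what actually closes CVE-2009-5024, but neither file appears in the portion of rev2547 visible here: the file stops inside the @@ -861,7 +858,7 @@ hunk of the 175 lines its header declares. Please confirm the full patch carries the query.py and viewvc.py hunks, since without them this change removes the server-side bound instead of enforcing it. Separately, the per-file headers inside the patch as shown read "+--- viewvc-1.1.5.orig/docs/url-reference.html" followed by " viewvc-1.1.5/docs/url-reference.html" (same for lib/cvsdb.py), i.e. the "+++ " marker on the second line is missing; verify the on-disk patch file has a proper "+++ viewvc-1.1.5/docs/url-reference.html" line, as quilt will not parse a file header without it.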

Bug#671482: CVE-2009-5024

2012-05-04 Thread Moritz Muehlenhoff
Package: viewvc
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5024 for 
details.

Fixed in 1.1.11

Cheers,
Moritz


