Bug 10479

Summary: subversion new security issues fixed in 1.7.10 (CVE-2013-1968, CVE-2013-2112)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, oe, sysadmin-bugs
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/553652/
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK
Source RPM: subversion-1.7.9-1.mga3.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 10500    

Description David Walser 2013-06-10 19:30:38 CEST 
Debian has issued an advisory on June 9:
http://www.debian.org/security/2013/dsa-2703

According to the upstream advisory, the issues are fixed in 1.7.10:
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-10 19:30:44 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Oden Eriksson 2013-06-11 10:06:35 CEST 
1.7.10 uploaded for all.

CC: (none) => oe

Comment 2 Oden Eriksson 2013-06-11 11:53:24 CEST 
This is also fixed with 1.7.10:

http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
Oden Eriksson 2013-06-11 11:54:08 CEST

Summary: subversion new security issues fixed in 1.7.10 => subversion new security issues fixed in 1.7.10 (CVE-2013-1968, CVE-2013-2112)

Comment 3 David Walser 2013-06-11 18:25:51 CEST 
Thanks Oden!

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion repositories with the FSFS repository data store format can be
corrupted by newline characters in filenames. A remote attacker with a
malicious client could use this flaw to disrupt the service for other users
using that repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process. A remote attacker can cause
svnserve to exit and thus deny service to users of the server (CVE-2013-2112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
http://www.debian.org/security/2013/dsa-2703
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.10-1.mga2
subversion-doc-1.7.10-1.mga2
libsvn0-1.7.10-1.mga2
libsvn-gnome-keyring0-1.7.10-1.mga2
libsvn-kwallet0-1.7.10-1.mga2
subversion-server-1.7.10-1.mga2
subversion-tools-1.7.10-1.mga2
python-svn-1.7.10-1.mga2
ruby-svn-1.7.10-1.mga2
libsvnjavahl1-1.7.10-1.mga2
svn-javahl-1.7.10-1.mga2
perl-SVN-1.7.10-1.mga2
subversion-kwallet-devel-1.7.10-1.mga2
subversion-gnome-keyring-devel-1.7.10-1.mga2
perl-svn-devel-1.7.10-1.mga2
python-svn-devel-1.7.10-1.mga2
ruby-svn-devel-1.7.10-1.mga2
subversion-devel-1.7.10-1.mga2
apache-mod_dav_svn-1.7.10-1.mga2
subversion-1.7.10-1.mga3
subversion-doc-1.7.10-1.mga3
libsvn0-1.7.10-1.mga3
libsvn-gnome-keyring0-1.7.10-1.mga3
libsvn-kwallet0-1.7.10-1.mga3
subversion-server-1.7.10-1.mga3
subversion-tools-1.7.10-1.mga3
python-svn-1.7.10-1.mga3
ruby-svn-1.7.10-1.mga3
libsvnjavahl1-1.7.10-1.mga3
svn-javahl-1.7.10-1.mga3
perl-SVN-1.7.10-1.mga3
subversion-kwallet-devel-1.7.10-1.mga3
subversion-gnome-keyring-devel-1.7.10-1.mga3
perl-svn-devel-1.7.10-1.mga3
python-svn-devel-1.7.10-1.mga3
ruby-svn-devel-1.7.10-1.mga3
subversion-devel-1.7.10-1.mga3
apache-mod_dav_svn-1.7.10-1.mga3

from SRPMS:
subversion-1.7.10-1.mga2.src.rpm
subversion-1.7.10-1.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 4 Dave Hodgins 2013-06-11 19:54:49 CEST 
No poc, that I can find, so just testing using
http://maverick.inria.fr/~Xavier.Decoret/resources/svn/

Testing Mageia 2 shortly i586 & x86_64.

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 5 Dave Hodgins 2013-06-11 20:41:59 CEST 
Testing complete, Mageia 2 i586 and x86_64.

In addition to http://maverick.inria.fr/~Xavier.Decoret/resources/svn/
also used https://bugs.mageia.org/show_bug.cgi?id=9624#c8 for testing
the web interface.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK

Comment 6 Dave Hodgins 2013-06-11 20:56:19 CEST 
Testing Mageia 3 shortly.
Comment 7 Dave Hodgins 2013-06-11 21:12:24 CEST 
Note for future testers, In Mageia 3, /etc/httpd/modules.d/46_mod_dav_svn.conf
as been renamed to /etc/httpd/conf/conf.d/subversion.conf
Comment 8 Dave Hodgins 2013-06-11 21:29:11 CEST 
On Mageia 3, apache fails to start with ...

httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf/modules.d/10_mod_dav_svn.conf: Cannot load modules/mod_dav_svn.so into server: /etc/httpd/modules/mod_dav_svn.so: undefined symbol: dav_do_find_liveprop

Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK feedback

Comment 9 Dave Hodgins 2013-06-11 21:42:03 CEST 
Looks like apache-mod_dav_svn needs a requires on apache-mod_dav

Once that's installed, it works ok.  Testing complete on Mageia 3 i586
and x86_64.

Would you like to add the requires, or should I open a new bug report for
the missing requires, and go ahead with validating this update?

Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK feedback => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK feedback

Comment 10 Dave Hodgins 2013-06-11 22:42:17 CEST 
As this is a security update, Bug 10500 opened for the missing requires.

Could someone from the sysadmin team push the srpm
subversion-1.7.10-1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates and the srpm
subversion-1.7.10-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated subversion packages fix security vulnerabilities:

Subversion repositories with the FSFS repository data store format can be
corrupted by newline characters in filenames. A remote attacker with a
malicious client could use this flaw to disrupt the service for other users
using that repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process. A remote attacker can cause
svnserve to exit and thus deny service to users of the server (CVE-2013-2112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
http://www.debian.org/security/2013/dsa-2703

https://bugs.mageia.org/show_bug.cgi?id=10479

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK feedback => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 11 David Walser 2013-06-12 13:15:38 CEST 
subversion-1.7.10-1.1.mga3 is now available, fixing Bug 10500.

Keywords: validated_update => (none)
Blocks: (none) => 10500

claire robinson 2013-06-12 14:01:25 CEST

Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK

Comment 12 claire robinson 2013-06-12 14:02:04 CEST 
SRPMS:
subversion-1.7.10-1.mga2.src.rpm
subversion-1.7.10-1.1.mga3.src.rpm
Comment 13 Dave Hodgins 2013-06-13 04:48:17 CEST 
Retesting complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push the srpm
subversion-1.7.10-1.1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates and the srpm
subversion-1.7.10-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated subversion packages fix security vulnerabilities:

Subversion repositories with the FSFS repository data store format can be
corrupted by newline characters in filenames. A remote attacker with a
malicious client could use this flaw to disrupt the service for other users
using that repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process. A remote attacker can cause
svnserve to exit and thus deny service to users of the server (CVE-2013-2112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
http://www.debian.org/security/2013/dsa-2703

https://bugs.mageia.org/show_bug.cgi?id=10479

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK => MGA2TOO has_procedure MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK

Comment 14 David Walser 2013-06-14 18:07:38 CEST 
Oden, OpenSuSE has issued an advisory for an additional security issue affecting this.  They said 1.7.10 is also affected, but they must have a patch.  Can we fix this too?

The issue is CVE-2013-2088.

http://lists.opensuse.org/opensuse-updates/2013-06/msg00136.html
http://lwn.net/Vulnerabilities/554423/
Comment 15 Oden Eriksson 2013-06-14 18:14:36 CEST 
Oh, forgot to mention that. I can't see we ship those contrib scripts.

http://subversion.apache.org/security/CVE-2013-2088-advisory.txt
Comment 16 David Walser 2013-06-14 18:22:29 CEST 
You're right, so we don't need to worry about it.  Thanks.  Sorry for the noise.
Comment 17 Dave Hodgins 2013-06-19 02:25:21 CEST 
Advisory ready to push
Comment 18 Nicolas Vigier 2013-06-19 12:38:21 CEST 
http://advisories.mageia.org/MGASA-2013-0175.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:07:08 CEST

CC: boklm => (none)