| Summary: | subversion new security issues CVE-2014-3522 and CVE-2014-3528 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | rverschelde, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/608738/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory MGA3-32-OK MGA4-64-OK | ||
| Source RPM: | subversion-1.8.9-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser, 2014-08-01 17:25:36 CEST

David Walser, 2014-08-01 17:25:41 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

---

Subversion 1.7.18 and 1.8.10 have been released on August 11:
https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6BA.5030100@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.10/CHANGES
https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6B7.3010503@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.7.18/CHANGES

It fixes CVE-2014-3528 as well as CVE-2014-3522.

Updated to 1.8.10 in SVN, but it doesn't build now in Cauldron because of Java breakage:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140812150817.luigiwalser.valstar.10045/log/subversion-1.8.10-1.mga5/build.0.20140812150904.log

CC: (none) => dmorganec

---

Ubuntu has issued an advisory for this on August 14:
http://www.ubuntu.com/usn/usn-2316-1/

URL: (none) => http://lwn.net/Vulnerabilities/608738/

---

subversion-1.8.10-1.mga5 built and uploaded in Cauldron.

Note that Mageia 3 is not vulnerable to CVE-2014-3522 due to our package not being built with serf support. It is vulnerable in Mageia 4.

CC: dmorganec => (none)

---

Updated package uploaded for Mageia 4.
Patched package uploaded for Mageia 3.

Advisory (Mageia 3):
========================

Updated subversion packages fix security vulnerability:

Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528).

The subversion package has been patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
http://www.ubuntu.com/usn/usn-2316-1/
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.14-1.2.mga3
subversion-doc-1.7.14-1.2.mga3
libsvn0-1.7.14-1.2.mga3
libsvn-gnome-keyring0-1.7.14-1.2.mga3
libsvn-kwallet0-1.7.14-1.2.mga3
subversion-server-1.7.14-1.2.mga3
subversion-tools-1.7.14-1.2.mga3
python-svn-1.7.14-1.2.mga3
ruby-svn-1.7.14-1.2.mga3
libsvnjavahl1-1.7.14-1.2.mga3
svn-javahl-1.7.14-1.2.mga3
perl-SVN-1.7.14-1.2.mga3
subversion-kwallet-devel-1.7.14-1.2.mga3
subversion-gnome-keyring-devel-1.7.14-1.2.mga3
perl-svn-devel-1.7.14-1.2.mga3
python-svn-devel-1.7.14-1.2.mga3
ruby-svn-devel-1.7.14-1.2.mga3
subversion-devel-1.7.14-1.2.mga3
apache-mod_dav_svn-1.7.14-1.2.mga3

from subversion-1.7.14-1.2.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated subversion packages fix security vulnerabilities:

Ben Reser discovered that Subversion did not correctly validate SSL certificates containing wildcards. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications (CVE-2014-3522).

Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528).

The subversion package has been updated to 1.8.10 to fix these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
http://subversion.apache.org/security/CVE-2014-3522-advisory.txt
http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
https://mail-archives.apache.org/mod_mbox/subversion-dev/201408.mbox/%3C53E8E6BA.5030100@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.10/CHANGES
http://www.ubuntu.com/usn/usn-2316-1/
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.10-1.mga4
subversion-doc-1.8.10-1.mga4
libsvn0-1.8.10-1.mga4
libsvn-gnome-keyring0-1.8.10-1.mga4
libsvn-kwallet0-1.8.10-1.mga4
subversion-server-1.8.10-1.mga4
subversion-tools-1.8.10-1.mga4
python-svn-1.8.10-1.mga4
ruby-svn-1.8.10-1.mga4
libsvnjavahl1-1.8.10-1.mga4
svn-javahl-1.8.10-1.mga4
perl-SVN-1.8.10-1.mga4
subversion-kwallet-devel-1.8.10-1.mga4
subversion-gnome-keyring-devel-1.8.10-1.mga4
perl-svn-devel-1.8.10-1.mga4
python-svn-devel-1.8.10-1.mga4
ruby-svn-devel-1.8.10-1.mga4
subversion-devel-1.8.10-1.mga4
apache-mod_dav_svn-1.8.10-1.mga4

from subversion-1.8.10-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs

---

There are bits of procedure here:
https://bugs.mageia.org/show_bug.cgi?id=10895#c4

CC: (none) => remi

---

Works fine Mageia 3 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK

---

To follow the procedure in comment 5, you need to install subversion-tools for the first part, and apache-mod_dav_svn for the last one.

Testing complete Mageia 4 x86_64.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-64-OK

---

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: subversion

default install of subversion

[root@localhost wilcal]# urpmi subversion
Package subversion-1.8.8-1.mga4.i586 is already installed

[wilcal@localhost ~]$ svnadmin create --fs-type fsfs /home/wilcal/svn
bash: svnadmin: command not found

What next?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

---

(In reply to William Kenney from comment #9)
> What next?

Rémi already answered that question, twice:
https://bugs.mageia.org/show_bug.cgi?id=10895#c8
https://bugs.mageia.org/show_bug.cgi?id=13838#c7

---

Did it again:

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: subversion subversion-tools apache-mod_dav_svn

default install of subversion, subversion-tools, apache-mod_dav_svn

[root@localhost project]# urpmi subversion
Package subversion-1.8.8-1.mga4.i586 is already installed
[root@localhost project]# urpmi subversion-tools
Package subversion-tools-1.8.8-1.mga4.i586 is already installed
[root@localhost project]# urpmi apache-mod_dav_svn
Package apache-mod_dav_svn-1.8.8-1.mga4.i586 is already installed

[wilcal@localhost ~]$ svnadmin create --fs-type fsfs /home/wilcal/svn
creates svn directory with subversion subdirectories and files.

[wilcal@localhost ~]$ cd project
[wilcal@localhost project]$ ls -al
total 24
drwxrwxr-x  5 wilcal wilcal 4096 Aug 19 10:24 ./
drwxr-xr-x 38 wilcal wilcal 4096 Aug 19 10:24 ../
drwxrwxr-x  2 wilcal wilcal 4096 Aug 19 10:24 bin/
-rw-------  1 wilcal wilcal   60 Aug 19 10:24 .directory
drwxrwxr-x  2 wilcal wilcal 4096 Aug 19 10:24 doc/
drwxrwxr-x  2 wilcal wilcal 4096 Aug 19 10:24 src/
[wilcal@localhost project]$ echo test>doc/index.html
[wilcal@localhost project]$ echo stuff>src/Makefile

All went well to here:

[wilcal@localhost project]$ svn import /home/wilcal/project/ file:///home/wilcal/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

---

This can be validated once the advisory is uploaded.

---

Validating. Separate advisories uploaded for mga3 and mga4.

Could sysadmin please push to 3 & 4 updates. Thanks.

Keywords: (none) => validated_update

---

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0338.html

Status: NEW => RESOLVED

---

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0339.html
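The CVE-2014-3528 advisory in this bug concerns credentials that Subversion caches per realm on disk. As an added example (not code from this bug report, from Mageia or from Subversion), the script below reads a local `svn.simple` cache so an administrator can see which realms hold cached credentials, and which of them store the secret in clear text, before deciding what to clear after updating; the store it inspects is constructed sample data and the passwords are placeholders.

```python
"""Audit Subversion's cached credentials (~/.subversion/auth/svn.simple).
Added illustration, not code from this bug or from Subversion. Each file holds one
credential in Subversion's hash-dump format (K <len>/key/V <len>/value ... END) and
is named after the MD5 of its realm string. demo() builds a constructed store."""
import hashlib, tempfile
from pathlib import Path

def dump_svn_hash(fields: dict) -> bytes:
    """Serialise key/value pairs in hash-dump format; lengths count bytes."""
    out = b""
    for key, value in fields.items():
        k, v = key.encode(), value.encode()
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    return out + b"END\n"

def parse_svn_hash(data: bytes) -> dict:
    """Parse one credential file using the byte lengths (values may contain newlines)."""
    fields, pos = {}, 0
    def field(marker: bytes) -> bytes:
        nonlocal pos
        nl = data.index(b"\n", pos)
        if not data[pos:nl].startswith(marker + b" "):
            raise ValueError("expected %r at offset %d" % (marker, pos))
        length = int(data[pos + 2:nl])
        value = data[nl + 1:nl + 1 + length]
        pos = nl + 2 + length              # skip the value and its trailing newline
        return value
    while not data.startswith(b"END", pos):
        key = field(b"K")
        fields[key.decode()] = field(b"V").decode()
    return fields

def audit_store(store: Path) -> list:
    # One row per cached realm: who it is for and whether the secret is in clear text.
    report = []
    for path in sorted(store.iterdir()):
        f = parse_svn_hash(path.read_bytes())
        report.append({"realm": f.get("svn:realmstring", "?"), "username": f.get("username", "?"),
                       "passtype": f.get("passtype", "none"), "plaintext": "password" in f})
    return report

def demo() -> list:
    # Constructed two-entry store in a temp dir: one clear-text entry, one keyring entry.
    store = Path(tempfile.mkdtemp()) / "svn.simple"
    store.mkdir()
    for entry in [{"svn:realmstring": "<https://svn.example.test:443> Example Realm",
                   "username": "alice", "passtype": "simple", "password": "placeholder"},
                  {"svn:realmstring": "<https://other.example.test:443> Other Realm",
                   "username": "bob", "passtype": "gnome-keyring"}]:
        name = hashlib.md5(entry["svn:realmstring"].encode()).hexdigest()
        (store / name).write_bytes(dump_svn_hash(entry))
    return audit_store(store)
```

Pointing `audit_store` at a real `~/.subversion/auth/svn.simple` lists the realms actually cached on a workstation; entries whose `plaintext` flag is set are the ones worth removing first.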