Bug 19877

Summary:	subversion new security issue CVE-2016-8734
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	herman.viaene, lewyssmith, shlomif, sysadmin-bugs, youpburden
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	https://lwn.net/Vulnerabilities/708883/
Whiteboard:	has_procedure MGA5-32-OK advisory MGA5-64-OK
Source RPM:	subversion-1.8.16-1.mga5.src.rpm	CVE:
Status comment:
Attachments:	root shell typescript shlomif user typescript to testing this update

Description David Walser 2016-12-01 15:47:25 CET

Subversion 1.8.17 has been released on November 29:
https://lists.apache.org/thread.html/ecf3400585d1fd2ffc754bc348a4f7d9a4863573e11d551b3b287640@%3Cannounce.subversion.apache.org%3E

It fixes one security issue:
http://subversion.apache.org/security/CVE-2016-8734-advisory.txt

and other bugs:
http://svn.apache.org/repos/asf/subversion/tags/1.8.17/CHANGES

Updated committed in SVN.

Comment 1 David Walser 2016-12-02 00:40:03 CET

Updated packages submitted to the build system, hopefully to be available some time tonight.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Advisory:
========================

Updated subversion packages fix security vulnerability:

Subversion's mod_dontdothat module and clients using http(s):// are vulnerable
to a denial-of-service attack caused by exponential XML entity expansion.  The
attack, otherwise known as the "billion laughs attack", targets XML parsers and
can cause the targeted process to consume an excessive amount of CPU resources
or memory (CVE-2016-8734).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8734
https://lists.apache.org/thread.html/ecf3400585d1fd2ffc754bc348a4f7d9a4863573e11d551b3b287640@%3Cannounce.subversion.apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.17/CHANGES
http://subversion.apache.org/security/CVE-2016-8734-advisory.txt
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.17-1.mga5
subversion-doc-1.8.17-1.mga5
libsvn0-1.8.17-1.mga5
libsvn-gnome-keyring0-1.8.17-1.mga5
libsvn-kwallet0-1.8.17-1.mga5
subversion-server-1.8.17-1.mga5
subversion-tools-1.8.17-1.mga5
python-svn-1.8.17-1.mga5
ruby-svn-1.8.17-1.mga5
libsvnjavahl1-1.8.17-1.mga5
svn-javahl-1.8.17-1.mga5
perl-SVN-1.8.17-1.mga5
subversion-kwallet-devel-1.8.17-1.mga5
subversion-gnome-keyring-devel-1.8.17-1.mga5
perl-svn-devel-1.8.17-1.mga5
python-svn-devel-1.8.17-1.mga5
ruby-svn-devel-1.8.17-1.mga5
subversion-devel-1.8.17-1.mga5
apache-mod_dav_svn-1.8.17-1.mga5

from subversion-1.8.17-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

youpburden 2016-12-07 10:29:11 CET

CC: (none) => youpburden
Whiteboard: has_procedure => (none)

David Walser 2016-12-08 21:41:51 CET

Whiteboard: (none) => has_procedure

David Walser 2016-12-12 20:31:07 CET

URL: (none) => https://lwn.net/Vulnerabilities/708883/

Comment 2 Herman Viaene 2016-12-26 14:52:23 CET

MGA5-32 on Acer D620 Xfce
No installation issues
Followed procedure as per bug 14826, all works OK

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Lewis Smith 2016-12-28 11:10:28 CET

CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Comment 3 Lewis Smith 2017-01-03 21:09:34 CET

Testing M5 x64

Since the 'procedure' referred to in Comment 1 and above is somewhat scattered, I recapitulate it all here.
Make sure you have at least:
 apache-mod_dav_svn
 subversion
 subversion-tools
+ dependancies installed.

$ svnadmin create --fs-type fsfs /home/<user>/svn
$ mkdir project
$ cd project/
$ mkdir bin
$ mkdir src
$ mkdir doc
$ echo test > doc/index.html
$ echo stuff > src/Makefile
$ svn import /home/<user>/project/ file:///home/<user>/svn/project/trunk -m 'Initial import'
Adding         bin
Adding         doc
Adding         doc/index.html
Adding         src
Adding         src/Makefile

Committed revision 1.
$ cd
$ rm -rf project
$ svn checkout file:///home/<user>/svn/project
A    project/trunk
A    project/trunk/doc
A    project/trunk/doc/index.html
A    project/trunk/src
A    project/trunk/src/Makefile
A    project/trunk/bin
Checked out revision 1.

#  [edit] /etc/httpd/conf/conf.d/subversion.conf
Uncomment just the 4 lines:
        <Location /svn/repos>
           DAV svn
           SVNPath /home/<user>/svn
[leave # lines down to...]
        </Location>

# systemctl restart httpd

Browse http://localhost/svn/repos, "shows the contents of the svn repo".

-----------

Installed from normal repos the packages indicated, then updated them to:
 apache-mod_dav_svn-1.8.17-1.mga5
 lib64svn0-1.8.17-1.mga5
 perl-SVN-1.8.17-1.mga5
 subversion-1.8.17-1.mga5
 subversion-tools-1.8.17-1.mga5

Ran the procedure as described above, but the final step
http://localhost/svn/repos ended badly:

<D:error xmlns:D="DAV:" xmlns:m="http://apache.org/dav/xmlns" xmlns:C="svn:">
<C:error/>
<m:human-readable errcode="13">
 Could not open the requested SVN filesystem 
</m:human-readable>
</D:error>

 $ ls -l /home/lewis/svn
 drwxr-xr-x 2 lewis lewis 4096 Ion   3 20:09 conf/
 drwxr-sr-x 6 lewis lewis 4096 Ion   3 20:13 db/
 -r--r--r-- 1 lewis lewis    2 Ion   3 20:09 format
 drwxr-xr-x 2 lewis lewis 4096 Ion   3 20:09 hooks/
 drwxr-xr-x 2 lewis lewis 4096 Ion   3 20:09 locks/
 -rw-r--r-- 1 lewis lewis  246 Ion   3 20:09 README.txt

# less /etc/httpd/conf/conf.d/subversion.conf
<IfModule mod_dav_svn.c>

    <Location /svn/repos>
       DAV svn
       SVNPath /home/lewis/svn
    # ...
    </Location>

</IfModule>

Hoping for an explanantion before giving the OK.

Comment 4 Shlomi Fish 2017-01-06 12:10:31 CET

(In reply to Lewis Smith from comment #3)
> Testing M5 x64
> 
> Since the 'procedure' referred to in Comment 1 and above is somewhat
> scattered, I recapitulate it all here.
> Make sure you have at least:
>  apache-mod_dav_svn
>  subversion
>  subversion-tools
> + dependancies installed.
> 
> $ svnadmin create --fs-type fsfs /home/<user>/svn
> $ mkdir project
> $ cd project/
> $ mkdir bin
> $ mkdir src
> $ mkdir doc
> $ echo test > doc/index.html
> $ echo stuff > src/Makefile
> $ svn import /home/<user>/project/ file:///home/<user>/svn/project/trunk -m
> 'Initial import'
> Adding         bin
> Adding         doc
> Adding         doc/index.html
> Adding         src
> Adding         src/Makefile
> 
> Committed revision 1.
> $ cd
> $ rm -rf project
> $ svn checkout file:///home/<user>/svn/project
> A    project/trunk
> A    project/trunk/doc
> A    project/trunk/doc/index.html
> A    project/trunk/src
> A    project/trunk/src/Makefile
> A    project/trunk/bin
> Checked out revision 1.
> 
> #  [edit] /etc/httpd/conf/conf.d/subversion.conf
> Uncomment just the 4 lines:
>         <Location /svn/repos>
>            DAV svn
>            SVNPath /home/<user>/svn
> [leave # lines down to...]
>         </Location>
> 
> # systemctl restart httpd
> 
> Browse http://localhost/svn/repos, "shows the contents of the svn repo".
> 
> -----------
> 
> Installed from normal repos the packages indicated, then updated them to:
>  apache-mod_dav_svn-1.8.17-1.mga5
>  lib64svn0-1.8.17-1.mga5
>  perl-SVN-1.8.17-1.mga5
>  subversion-1.8.17-1.mga5
>  subversion-tools-1.8.17-1.mga5
> 
> Ran the procedure as described above, but the final step
> http://localhost/svn/repos ended badly:
> 
> <D:error xmlns:D="DAV:" xmlns:m="http://apache.org/dav/xmlns" xmlns:C="svn:">
> <C:error/>
> <m:human-readable errcode="13">
>  Could not open the requested SVN filesystem 
> </m:human-readable>
> </D:error>
> 
>  $ ls -l /home/lewis/svn
>  drwxr-xr-x 2 lewis lewis 4096 Ion   3 20:09 conf/
>  drwxr-sr-x 6 lewis lewis 4096 Ion   3 20:13 db/
>  -r--r--r-- 1 lewis lewis    2 Ion   3 20:09 format
>  drwxr-xr-x 2 lewis lewis 4096 Ion   3 20:09 hooks/
>  drwxr-xr-x 2 lewis lewis 4096 Ion   3 20:09 locks/
>  -rw-r--r-- 1 lewis lewis  246 Ion   3 20:09 README.txt
> 
> # less /etc/httpd/conf/conf.d/subversion.conf
> <IfModule mod_dav_svn.c>
> 
>     <Location /svn/repos>
>        DAV svn
>        SVNPath /home/lewis/svn
>     # ...
>     </Location>
> 
> </IfModule>
> 
> Hoping for an explanantion before giving the OK.

From my experience, Apache is sometimes configured to block read/write access to directories under /home. Perhaps we should try again with a path somewhere under / (/var or whatever).

CC: (none) => shlomif

Comment 5 Shlomi Fish 2017-01-06 12:52:50 CET

With the repository under /var/svn/test1, this works fine on a mageia 5 x86-64 VBox VM. I'll attach the user and root typescripts in the next comments.

Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK advisory MGA5-64-OK

Comment 6 Shlomi Fish 2017-01-06 12:53:38 CET

Created attachment 8837 [details]
root shell typescript

Comment 7 Shlomi Fish 2017-01-06 12:54:44 CET

Created attachment 8838 [details]
shlomif user typescript to testing this update

as generated by the "script" command.

Lewis Smith 2017-01-06 21:00:44 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-01-07 22:40:40 CET

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0009.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED