Bug 21504

Summary: cvs new security issue CVE-2017-12836
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, mageia, marja11, sysadmin-bugs, tarazed25
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: cvs-1.12.13-26.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-08-12 02:36:19 CEST 
A CVE has been assigned for a security issue in CVS:
http://openwall.com/lists/oss-security/2017/08/11/4

This is equivalent issue for CVS to the recently announced issue also affecting subversion (Bug 21495), mercurial (Bug 21502), and git (Bug 21503).

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-08-12 02:36:26 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-08-12 22:25:01 CEST 
Assigning to the registered maintainer of cvs.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2017-08-15 13:26:12 CEST 
Debian has issued an advisory for this on August 13:
https://www.debian.org/security/2017/dsa-3940
Comment 3 Nicolas Lécureuil 2017-08-16 23:19:29 CEST 
Pushed in updates_testing:
src.rpm:
        cvs-1.12.13-25.1.mga5
        cvs-1.12.13-26.1.mga6

Assignee: shlomif => qa-bugs
CC: (none) => mageia

Rémi Verschelde 2017-08-16 23:27:46 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 4 David Walser 2017-08-16 23:30:02 CEST 
Advisory:
========================

Updated mercurial package fixes security vulnerability:

It was discovered that CVS, a centralised version control system, did not
correctly handle maliciously constructed repository URLs, which allowed an
attacker to run an arbitrary shell command (CVE-2017-12836).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
https://www.debian.org/security/2017/dsa-3940
========================

Updated packages in core/updates_testing:
========================
cvs-1.12.13-25.1.mga5
cvs-1.12.13-26.1.mga6

from SRPMS:
cvs-1.12.13-25.1.mga5.src.rpm
cvs-1.12.13-26.1.mga6.src.rpm
Comment 5 Herman Viaene 2017-08-18 10:59:07 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues, installed tkcvs as well (GUI is a help)
Got to make new repos and import some files into it by doing at CLI:
cvs -d <some empty folder>  init
cd Documents
tkcvs -root <folder as above>
and importing CWD into repos.
All seems OK.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 6 Len Lawrence 2017-08-18 19:15:48 CEST 
mga6  x86_64

tkcvs already installed.  Installed cvs and followed in Herman's footsteps to create a local repository, switched to tkcvs to check in my bin directory then checked that out into a new empty directory on my data partition.

Installed the updated package and ran through the sequence again, starting from scratch.  One thing to note is that cvs deals in absolute pathnames: e.g.
$ cvs -d qa/cvs init
qa: host unknown
trying normal rsh (/usr/ucb/rsh)
exec: No such file or directory
cvs [init aborted]: end of file from server (consult above messages if any)
$ cvs -d /home/lcl/qa/cvs init
$ tree cvs
cvs
└── CVSROOT
    ├── checkoutlist
    ├── checkoutlist,v
    ├── commitinfo

.................................

    ├── val-tags
    ├── verifymsg
    └── verifymsg,v

2 directories, 32 files

$ cd bin
$ tkcvs -root /home/lcl/qa/cvs

Used the module browser to check in the bin files to CVS.
That all seemed to run fine but I must admit to some confusion about how to specify module paths.  This was the result:
cvs]$ tree
.
├── bin
│   ├── accumulate,v
│   ├── backdocs,v
....................
│   ├── yam,v
│   └── zipx,v
└── CVSROOT
    ├── checkoutlist
and so on.

Went back in to CVS and checked out the bin module into the current directory which was ~/tmp.  That worked fine.  ~/tmp/bin all present and correct.

So, yes, cvs still works.

CC: (none) => tarazed25

Len Lawrence 2017-08-18 19:16:06 CEST

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

Comment 7 Rémi Verschelde 2017-08-19 11:20:17 CEST 
Validating, advisory uploaded.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => advisory MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Nicolas Lécureuil 2017-08-19 11:41:07 CEST 
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â (None found)
Checking SRPMs⦠                      â (5/core/cvs-1.12.13-25.mga5) â (6/core/cvs-1.12.13-26.mga6) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 9 Rémi Verschelde 2017-08-19 11:51:09 CEST 
Fixed advisory.

Keywords: (none) => validated_update

Comment 10 Mageia Robot 2017-08-19 12:17:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0284.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED