Bug 22186

Summary: fossil new security issue CVE-2017-17459
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, marja11, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: fossil-2.3-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-12-12 23:48:55 CET 
openSUSE has issued an advisory today (December 12):
https://lists.opensuse.org/opensuse-updates/2017-12/msg00046.html

The issue is fixed upstream in 2.4 (already in Cauldron).

Mageia 5 is also affected.
David Walser 2017-12-12 23:49:19 CET

Whiteboard: (none) => MGA5TOO
Version: Cauldron => 6
CC: (none) => mageia, shlomif

Comment 1 Marja Van Waes 2017-12-13 06:19:04 CET 
Assigning to the registered fossil maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2017-12-28 16:11:43 CET 
Advisory:
========================

Updated fossil package fixes security vulnerability:

Client-side code execution via crafted "ssh://" URLs (CVE-2017-17459).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
https://lists.opensuse.org/opensuse-updates/2017-12/msg00046.html
========================

Updated packages in core/updates_testing:
========================
fossil-2.4-1.mga5
fossil-2.4-1.mga6

from SRPMS:
fossil-2.4-1.mga5.src.rpm
fossil-2.4-1.mga6.src.rpm

Assignee: shlomif => qa-bugs

Comment 3 Herman Viaene 2017-12-30 15:32:25 CET 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
$ fossil help
Usage: fossil help TOPIC
Common commands:  (use "fossil help -a|--all" for a complete list)
add          cat          finfo        mv           rm           undo       
addremove    changes      fusefs       open         settings     unpublished
all          clean        gdiff        praise       sqlite3      unversioned
amend        clone        help         publish      stash        update     
annotate     commit       import       pull         status       version    
bisect       delete       info         push         sync       
blame        diff         init         rebuild      tag        
branch       export       ls           remote-url   timeline   
bundle       extras       merge        revert       ui         
This is fossil version 2.4 [a0001dcf57] 2017-11-03 09:29:29 UTC
$ fossil version
This is fossil version 2.4 [a0001dcf57] 2017-11-03 09:29:29 UTC
Refering to tests in bug 21551
$ cd Documenten.orig/
$ fossil init testfossil
project-id: 06d5f20f96011b291b940260998419ceb3ebfa23
server-id:  5ea25bb8bb9c9ee50212e00d54fc3bede422fdc8
admin-user: tester5 (initial password is "24ea73")
$ fossil info testfossil
project-name: <unnamed>
project-code: 06d5f20f96011b291b940260998419ceb3ebfa23
[tester5@mach6 Documenten.orig]$ fossil clone http://www.fossil-scm.org/ testfossil1
Round-trips: 6   Artifacts sent: 0  received: 38461
Clone done, sent: 1578  received: 27022723  ip: 45.33.6.223
Rebuilding repository meta-data...
  100.0% complete...
Extra delta compression... 
Vacuuming the database... 
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id:  2d208cb5dc8f477b4e6c393ef53f0b6693d31fab
admin-user: tester5 (password is "92d273")
$ fossil open testfossil
project-name: <unnamed>
repository:   /home/tester5/Documenten.orig/testfossil
local-root:   /home/tester5/Documenten.orig/
config-db:    /home/tester5/.fossil
project-code: 06d5f20f96011b291b940260998419ceb3ebfa23
checkout:     4562ad284b80e2b3744a5f6273177f26694b0484 2017-12-30 13:56:21 UTC
tags:         trunk
comment:      initial empty check-in (user: tester5)
check-ins:    1
$ fossil status testfossil
repository:   /home/tester5/Documenten.orig/testfossil
local-root:   /home/tester5/Documenten.orig/
config-db:    /home/tester5/.fossil
checkout:     4562ad284b80e2b3744a5f6273177f26694b0484 2017-12-30 13:56:21 UTC
tags:         trunk
comment:      initial empty check-in (user: tester5)
$ fossil ui testfossil1
Listening for HTTP requests on TCP port 8080
shows in browser http://localhost:8080/doc/trunk/www/index.wiki titled "What is fossil"
Trying to follow RĂ©mi's example brings me into problems due to my lack of ..... 
Good enough for me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Dave Hodgins 2018-01-01 08:00:18 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Dave Hodgins 2018-01-03 14:27:18 CET 
Validating based on the fossil version command working.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-01-03 15:23:38 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0042.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED