Bug 10479 - subversion new security issues fixed in 1.7.10 (CVE-2013-1968, CVE-2013-2112)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553652/
Whiteboard: MGA2TOO has_procedure MGA2-64-OK MGA2...
Keywords: validated_update
: 10500
Reported: 2013-06-10 19:30 CEST by David Walser
Modified: 2014-05-08 18:07 CEST (History)
Source RPM: subversion-1.7.9-1.mga3.src.rpm

Description David Walser 2013-06-10 19:30:38 CEST
Debian has issued an advisory on June 9:
http://www.debian.org/security/2013/dsa-2703

According to the upstream advisory, the issues are fixed in 1.7.10:
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt

Mageia 2 and Mageia 3 are also affected.

Comment 1 Oden Eriksson 2013-06-11 10:06:35 CEST
1.7.10 uploaded for all.
Comment 2 Oden Eriksson 2013-06-11 11:53:24 CEST
This is also fixed with 1.7.10:

http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
Comment 3 David Walser 2013-06-11 18:25:51 CEST
Thanks Oden!

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion repositories with the FSFS repository data store format can be
corrupted by newline characters in filenames. A remote attacker with a
malicious client could use this flaw to disrupt the service for other users
using that repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process. A remote attacker can cause
svnserve to exit and thus deny service to users of the server (CVE-2013-2112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
http://www.debian.org/security/2013/dsa-2703
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.10-1.mga2
subversion-doc-1.7.10-1.mga2
libsvn0-1.7.10-1.mga2
libsvn-gnome-keyring0-1.7.10-1.mga2
libsvn-kwallet0-1.7.10-1.mga2
subversion-server-1.7.10-1.mga2
subversion-tools-1.7.10-1.mga2
python-svn-1.7.10-1.mga2
ruby-svn-1.7.10-1.mga2
libsvnjavahl1-1.7.10-1.mga2
svn-javahl-1.7.10-1.mga2
perl-SVN-1.7.10-1.mga2
subversion-kwallet-devel-1.7.10-1.mga2
subversion-gnome-keyring-devel-1.7.10-1.mga2
perl-svn-devel-1.7.10-1.mga2
python-svn-devel-1.7.10-1.mga2
ruby-svn-devel-1.7.10-1.mga2
subversion-devel-1.7.10-1.mga2
apache-mod_dav_svn-1.7.10-1.mga2
subversion-1.7.10-1.mga3
subversion-doc-1.7.10-1.mga3
libsvn0-1.7.10-1.mga3
libsvn-gnome-keyring0-1.7.10-1.mga3
libsvn-kwallet0-1.7.10-1.mga3
subversion-server-1.7.10-1.mga3
subversion-tools-1.7.10-1.mga3
python-svn-1.7.10-1.mga3
ruby-svn-1.7.10-1.mga3
libsvnjavahl1-1.7.10-1.mga3
svn-javahl-1.7.10-1.mga3
perl-SVN-1.7.10-1.mga3
subversion-kwallet-devel-1.7.10-1.mga3
subversion-gnome-keyring-devel-1.7.10-1.mga3
perl-svn-devel-1.7.10-1.mga3
python-svn-devel-1.7.10-1.mga3
ruby-svn-devel-1.7.10-1.mga3
subversion-devel-1.7.10-1.mga3
apache-mod_dav_svn-1.7.10-1.mga3

from SRPMS:
subversion-1.7.10-1.mga2.src.rpm
subversion-1.7.10-1.mga3.src.rpm
Comment 4 Dave Hodgins 2013-06-11 19:54:49 CEST
No PoC that I can find, so just testing using
http://maverick.inria.fr/~Xavier.Decoret/resources/svn/

Testing Mageia 2 shortly i586 & x86_64.
Comment 5 Dave Hodgins 2013-06-11 20:41:59 CEST
Testing complete, Mageia 2 i586 and x86_64.

In addition to http://maverick.inria.fr/~Xavier.Decoret/resources/svn/
also used https://bugs.mageia.org/show_bug.cgi?id=9624#c8 for testing
the web interface.
Comment 6 Dave Hodgins 2013-06-11 20:56:19 CEST
Testing Mageia 3 shortly.
Comment 7 Dave Hodgins 2013-06-11 21:12:24 CEST
Note for future testers: in Mageia 3, /etc/httpd/modules.d/46_mod_dav_svn.conf
has been renamed to /etc/httpd/conf/conf.d/subversion.conf
Comment 8 Dave Hodgins 2013-06-11 21:29:11 CEST
On Mageia 3, apache fails to start with ...

httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf/modules.d/10_mod_dav_svn.conf: Cannot load modules/mod_dav_svn.so into server: /etc/httpd/modules/mod_dav_svn.so: undefined symbol: dav_do_find_liveprop
Comment 9 Dave Hodgins 2013-06-11 21:42:03 CEST
Looks like apache-mod_dav_svn needs a requires on apache-mod_dav

Once that's installed, it works ok.  Testing complete on Mageia 3 i586
and x86_64.

Would you like to add the requires, or should I open a new bug report for
the missing requires, and go ahead with validating this update?
Comment 10 Dave Hodgins 2013-06-11 22:42:17 CEST
As this is a security update, Bug 10500 opened for the missing requires.

Could someone from the sysadmin team push the srpm
subversion-1.7.10-1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates and the srpm
subversion-1.7.10-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated subversion packages fix security vulnerabilities:

Subversion repositories with the FSFS repository data store format can be
corrupted by newline characters in filenames. A remote attacker with a
malicious client could use this flaw to disrupt the service for other users
using that repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process. A remote attacker can cause
svnserve to exit and thus deny service to users of the server (CVE-2013-2112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
http://www.debian.org/security/2013/dsa-2703

https://bugs.mageia.org/show_bug.cgi?id=10479
Comment 11 David Walser 2013-06-12 13:15:38 CEST
subversion-1.7.10-1.1.mga3 is now available, fixing Bug 10500.
Comment 12 claire robinson 2013-06-12 14:02:04 CEST
SRPMS:
subversion-1.7.10-1.mga2.src.rpm
subversion-1.7.10-1.1.mga3.src.rpm
Comment 13 Dave Hodgins 2013-06-13 04:48:17 CEST
Retesting complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push the srpm
subversion-1.7.10-1.1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates and the srpm
subversion-1.7.10-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated subversion packages fix security vulnerabilities:

Subversion repositories with the FSFS repository data store format can be
corrupted by newline characters in filenames. A remote attacker with a
malicious client could use this flaw to disrupt the service for other users
using that repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process. A remote attacker can cause
svnserve to exit and thus deny service to users of the server (CVE-2013-2112).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
http://www.debian.org/security/2013/dsa-2703

https://bugs.mageia.org/show_bug.cgi?id=10479
Comment 14 David Walser 2013-06-14 18:07:38 CEST
Oden, openSUSE has issued an advisory for an additional security issue affecting this. They said 1.7.10 is also affected, but they must have a patch. Can we fix this too?

The issue is CVE-2013-2088.

http://lists.opensuse.org/opensuse-updates/2013-06/msg00136.html
http://lwn.net/Vulnerabilities/554423/
Comment 15 Oden Eriksson 2013-06-14 18:14:36 CEST
Oh, forgot to mention that. I can't see we ship those contrib scripts.

http://subversion.apache.org/security/CVE-2013-2088-advisory.txt
Comment 16 David Walser 2013-06-14 18:22:29 CEST
You're right, so we don't need to worry about it.  Thanks.  Sorry for the noise.
Comment 17 Dave Hodgins 2013-06-19 02:25:21 CEST
Advisory ready to push
Comment 18 Nicolas Vigier 2013-06-19 12:38:21 CEST
http://advisories.mageia.org/MGASA-2013-0175.html
