Bug 10895 - subversion new security issue CVE-2013-4131
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561784/
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64...
Keywords: validated_update
Reported: 2013-08-01 20:57 CEST by David Walser
Modified: 2014-08-19 19:47 CEST
Source RPM: subversion-1.7.10-3.mga4.src.rpm

Description David Walser 2013-08-01 20:57:18 CEST
OpenSuSE has issued an advisory today (August 1):
http://lists.opensuse.org/opensuse-updates/2013-08/msg00000.html

According to the upstream advisory, the issue is fixed in 1.7.11:
https://subversion.apache.org/security/CVE-2013-4131-advisory.txt

Mageia 2 and Mageia 3 are also affected.

Comment 1 Oden Eriksson 2013-08-02 09:04:15 CEST
1.7.11 has been submitted for 2, 3 and cauldron.
Comment 2 David Walser 2013-08-02 14:10:59 CEST
Thanks Oden!  Assigning to QA.

Advisory:
========================

Updated subversion packages fix security vulnerability:

Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion
on some requests made against a revision root. This can lead to a DoS. If
assertions are disabled it will trigger a read overflow which may cause a
SEGFAULT (or equivalent) or undefined behavior. Commit access is required to
exploit this (CVE-2013-4131).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4131
https://subversion.apache.org/security/CVE-2013-4131-advisory.txt
http://lists.opensuse.org/opensuse-updates/2013-08/msg00000.html
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.11-1.mga2
subversion-doc-1.7.11-1.mga2
libsvn0-1.7.11-1.mga2
libsvn-gnome-keyring0-1.7.11-1.mga2
libsvn-kwallet0-1.7.11-1.mga2
subversion-server-1.7.11-1.mga2
subversion-tools-1.7.11-1.mga2
python-svn-1.7.11-1.mga2
ruby-svn-1.7.11-1.mga2
libsvnjavahl1-1.7.11-1.mga2
svn-javahl-1.7.11-1.mga2
perl-SVN-1.7.11-1.mga2
subversion-kwallet-devel-1.7.11-1.mga2
subversion-gnome-keyring-devel-1.7.11-1.mga2
perl-svn-devel-1.7.11-1.mga2
python-svn-devel-1.7.11-1.mga2
ruby-svn-devel-1.7.11-1.mga2
subversion-devel-1.7.11-1.mga2
apache-mod_dav_svn-1.7.11-1.mga2
subversion-1.7.11-1.mga3
subversion-doc-1.7.11-1.mga3
libsvn0-1.7.11-1.mga3
libsvn-gnome-keyring0-1.7.11-1.mga3
libsvn-kwallet0-1.7.11-1.mga3
subversion-server-1.7.11-1.mga3
subversion-tools-1.7.11-1.mga3
python-svn-1.7.11-1.mga3
ruby-svn-1.7.11-1.mga3
libsvnjavahl1-1.7.11-1.mga3
svn-javahl-1.7.11-1.mga3
perl-SVN-1.7.11-1.mga3
subversion-kwallet-devel-1.7.11-1.mga3
subversion-gnome-keyring-devel-1.7.11-1.mga3
perl-svn-devel-1.7.11-1.mga3
python-svn-devel-1.7.11-1.mga3
ruby-svn-devel-1.7.11-1.mga3
subversion-devel-1.7.11-1.mga3
apache-mod_dav_svn-1.7.11-1.mga3

from SRPMS:
subversion-1.7.11-1.mga2.src.rpm
subversion-1.7.11-1.mga3.src.rpm
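
A way to check a host against the package list above, as an added example that is not part of the original bug report or of Mageia's tooling: it classifies name-version-release strings for the binary packages named here against the fixed version 1.7.11. The function names and the sample input are assumptions constructed for illustration; versions outside the 1.7 branch are reported as not assessed because this page gives no fixed version for them.

```shell
FIXED=1.7.11   # fixed version from the advisory; added example, assesses the 1.7 branch only

# ver_lt A B: succeed when dotted numeric version A is lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# classify NAME-VERSION-RELEASE: print AFFECTED, FIXED, OTHER-BRANCH, UNKNOWN or SKIP.
classify() {
    rest=${1%-*}; ver=${rest##*-}; name=${rest%-*}
    case $name in   # binary package names listed in this bug report
        subversion|subversion-*|libsvn*|python-svn*|ruby-svn*|perl-svn*|\
        perl-SVN|svn-javahl|apache-mod_dav_svn) ;;
        *) echo SKIP; return 0 ;;
    esac
    case $ver in
        ''|*[!0-9.]*) echo UNKNOWN ;;
        1.7|1.7.*) if ver_lt "$ver" "$FIXED"; then echo AFFECTED; else echo FIXED; fi ;;
        *) echo OTHER-BRANCH ;;   # e.g. 1.8.x: the page gives no fixed version for it
    esac
}

# audit: read NVRs on stdin, report subversion packages, return 1 if any is AFFECTED.
audit() {
    rc=0
    while IFS= read -r nvr; do
        st=$(classify "$nvr")
        [ "$st" = SKIP ] && continue
        printf '%-12s %s\n' "$st" "$nvr"
        [ "$st" = AFFECTED ] && rc=1
    done
    return $rc
}

# Constructed sample standing in for `rpm -qa` output.
sample_rpm_qa() {
    printf '%s\n' subversion-1.7.10-3.mga4 apache-mod_dav_svn-1.7.10-3.mga4 \
        subversion-tools-1.7.11-1.mga3 subversion-1.8.8-1.mga4 bash-4.2.37-2.mga3
}

sample_rpm_qa | audit || echo "affected packages found: update to $FIXED or later"
```

On a real host, feed it `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` in place of the sample function.
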
Comment 3 Dave Hodgins 2013-08-06 03:16:38 CEST
Advisory 10895.adv uploaded to svn.
Comment 4 Dave Hodgins 2013-08-11 03:11:18 CEST
No poc that I can find, so just testing that it works.

Testing complete Mageia 2 i586 and x86_64.

[dave@i2v ~]$ svnadmin create --fs-type fsfs /home/dave/svn
[dave@i2v ~]$ mkdir project
[dave@i2v ~]$ cd project/
[dave@i2v project]$ mkdir bin
[dave@i2v project]$ mkdir src
[dave@i2v project]$ mkdir doc
[dave@i2v project]$ echo test>doc/index.html
[dave@i2v project]$ echo stuff>src/Makefile
[dave@i2v project]$ svn import /home/dave/project/ file:///home/dave/svn/project/trunk -m 'Initial import'
Adding         doc
Adding         doc/index.html
Adding         src
Adding         src/Makefile
Adding         bin

Committed revision 1.
[dave@i2v project]$ cd
[dave@i2v ~]$ rm -rf project
[dave@i2v ~]$ svn checkout file:///home/dave/svn/project
A    project/trunk
A    project/trunk/doc
A    project/trunk/doc/index.html
A    project/trunk/src
A    project/trunk/src/Makefile
A    project/trunk/bin
Checked out revision 1.
[dave@i2v ~]$  sudo mc -e /etc/httpd/modules.d/46_mod_dav_svn.conf
See https://bugs.mageia.org/show_bug.cgi?id=9624#c8
[dave@i2v ~]$  sudo service httpd restart
[dave@i2v ~]$ firefox http://localhost/svn/repos
Comment 5 Dave Hodgins 2013-08-11 03:46:49 CEST
Testing complete on Mageia 3 i586 and x86_64.
Note: Edit /etc/httpd/conf/conf.d/subversion.conf instead of 46...

Could someone from the sysadmin team push 10895.adv to updates?
Comment 6 Thomas Backlund 2013-08-11 14:25:31 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0244.html
Comment 7 William Kenney 2014-08-19 18:36:28 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
subversion

default install of subversion

[root@localhost wilcal]# urpmi subversion
Package subversion-1.8.8-1.mga4.i586 is already installed

[wilcal@localhost ~]$ svnadmin create --fs-type fsfs /home/wilcal/svn
bash: svnadmin: command not found

What next?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 8 Rémi Verschelde 2014-08-19 18:41:02 CEST
$ urpmf bin/svnadmin
subversion-tools:/usr/bin/svnadmin
Comment 9 Rémi Verschelde 2014-08-19 18:41:22 CEST
You commented in the wrong bug report though :-)
Comment 10 William Kenney 2014-08-19 19:07:26 CEST
(In reply to Rémi Verschelde from comment #9)

> You commented in the wrong bug report though :-)

Oops, better put it where it's supposed to be.
Comment 11 William Kenney 2014-08-19 19:35:26 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
subversion subversion-tools apache-mod_dav_svn

default install of subversion, subversion-tools, apache-mod_dav_svn

[root@localhost project]# urpmi subversion
Package subversion-1.8.8-1.mga4.i586 is already installed
[root@localhost project]# urpmi subversion-tools
Package subversion-tools-1.8.8-1.mga4.i586 is already installed
[root@localhost project]# urpmi apache-mod_dav_svn
Package apache-mod_dav_svn-1.8.8-1.mga4.i586 is already installed

[wilcal@localhost ~]$ svnadmin create --fs-type fsfs /home/wilcal/svn
creates svn directory with subversion subdirectories and files.

[wilcal@localhost ~]$ cd project
[wilcal@localhost project]$ ls -al
total 24
drwxrwxr-x  5 wilcal wilcal 4096 Aug 19 10:24 ./
drwxr-xr-x 38 wilcal wilcal 4096 Aug 19 10:24 ../
drwxrwxr-x  2 wilcal wilcal 4096 Aug 19 10:24 bin/
-rw-------  1 wilcal wilcal   60 Aug 19 10:24 .directory
drwxrwxr-x  2 wilcal wilcal 4096 Aug 19 10:24 doc/
drwxrwxr-x  2 wilcal wilcal 4096 Aug 19 10:24 src/
[wilcal@localhost project]$ echo test>doc/index.html
[wilcal@localhost project]$ echo stuff>src/Makefile

All went well to here:
[wilcal@localhost project]$ svn import /home/wilcal/project/ file:///home/wilcal/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options                  
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 12 Rémi Verschelde 2014-08-19 19:46:46 CEST
As the error message tells you, you need to either specify an SVN_EDITOR environment variable or use the -m option to include a commit log.

That is, either (provided you have nano; you can also use kwrite or any text editor):
$ SVN_EDITOR=nano svn import /home/wilcal/project/ file:///home/wilcal/svn/project

or:
$ svn import /home/wilcal/project/ file:///home/wilcal/svn/project -m 'my funny little commit message'

The -m option was actually used in the procedure, but I had overlooked it too :-)
Comment 13 David Walser 2014-08-19 19:47:52 CEST
Or just use the EDITOR variable, but the -m option is easier.  And again we're in the wrong bug.
