Bug 11207 - subversion new security issue CVE-2013-4277
: subversion new security issue CVE-2013-4277
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/566113/
: MGA2TOO MGA2-32-OK has_procedure MGA3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-09 19:20 CEST by David Walser
Modified: 2014-05-08 18:06 CEST (History)
3 users (show)

See Also:
Source RPM: subversion-1.7.9-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-09-09 19:20:15 CEST
Fedora has issued an advisory on September 3:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115318.html

Mageia 2 and Mageia 3 are also affected.

The issue is fixed upstream in 1.7.13.

Here is the upstream advisory:
http://subversion.apache.org/security/CVE-2013-4277-advisory.txt

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-09-10 09:44:25 CEST
fixed with subversion-1.7.13-1.mga2, subversion-1.7.13-1.mga3 and subversion-1.7.13-1.mga4
Comment 2 David Walser 2013-09-10 16:47:18 CEST
Thanks Oden!

Advisory:
========================

Updated subversion packages fix security vulnerability:

svnserve takes a --pid-file option which creates a file containing the process
id it is running as. It does not take steps to ensure that the file it has been
directed at is not a symlink. If the pid file is in a directory writeable by
unprivileged users, the destination could be replaced by a symlink allowing for
privilege escalation. svnserve does not create a pid file by default
(CVE-2013-4277).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4277
http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115318.html
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.13-1.mga2
subversion-doc-1.7.13-1.mga2
libsvn0-1.7.13-1.mga2
libsvn-gnome-keyring0-1.7.13-1.mga2
libsvn-kwallet0-1.7.13-1.mga2
subversion-server-1.7.13-1.mga2
subversion-tools-1.7.13-1.mga2
python-svn-1.7.13-1.mga2
ruby-svn-1.7.13-1.mga2
libsvnjavahl1-1.7.13-1.mga2
svn-javahl-1.7.13-1.mga2
perl-SVN-1.7.13-1.mga2
subversion-kwallet-devel-1.7.13-1.mga2
subversion-gnome-keyring-devel-1.7.13-1.mga2
perl-svn-devel-1.7.13-1.mga2
python-svn-devel-1.7.13-1.mga2
ruby-svn-devel-1.7.13-1.mga2
subversion-devel-1.7.13-1.mga2
apache-mod_dav_svn-1.7.13-1.mga2
subversion-1.7.13-1.mga3
subversion-doc-1.7.13-1.mga3
libsvn0-1.7.13-1.mga3
libsvn-gnome-keyring0-1.7.13-1.mga3
libsvn-kwallet0-1.7.13-1.mga3
subversion-server-1.7.13-1.mga3
subversion-tools-1.7.13-1.mga3
python-svn-1.7.13-1.mga3
ruby-svn-1.7.13-1.mga3
libsvnjavahl1-1.7.13-1.mga3
svn-javahl-1.7.13-1.mga3
perl-SVN-1.7.13-1.mga3
subversion-kwallet-devel-1.7.13-1.mga3
subversion-gnome-keyring-devel-1.7.13-1.mga3
perl-svn-devel-1.7.13-1.mga3
python-svn-devel-1.7.13-1.mga3
ruby-svn-devel-1.7.13-1.mga3
subversion-devel-1.7.13-1.mga3
apache-mod_dav_svn-1.7.13-1.mga3

from SRPMS:
subversion-1.7.13-1.mga2.src.rpm
subversion-1.7.13-1.mga3.src.rpm
Comment 3 Dave Hodgins 2013-09-11 01:44:26 CEST
Test failed on Mageia 2 i586.

[dave@i2v ~]$ touch file
[dave@i2v ~]$ ln -s file symlink
[dave@i2v ~]$ svnserve -X --pid-file symlink
^C
[dave@i2v ~]$ cat symlink
9857
[dave@i2v ~]$ svnserve -X --pid-file symlink
^C
[dave@i2v ~]$ cat symlink
9960
Comment 4 Dave Hodgins 2013-09-11 01:45:31 CEST
Forgot to mention, the first run of svnserve was before installing the update,
the second after, so it doesn't look like the bug is fixed.
Comment 5 Dave Hodgins 2013-09-11 01:58:52 CEST
Ah. Never mind. Didn't realize it deleted the symlink, then created
a regular file.
Comment 6 Dave Hodgins 2013-09-11 02:05:00 CEST
Advisory 11207.adv committed to svn.
Comment 7 Dave Hodgins 2013-09-11 02:15:02 CEST
Testing complete both releases, both arches.

Someone from the sysadmin team please push 11207.adv to updates.
Comment 8 Nicolas Vigier 2013-09-13 22:21:29 CEST
http://advisories.mageia.org/MGASA-2013-0275.html

Note You need to log in before you can comment on or make changes to this bug.