Bug 14826 - subversion new security issues CVE-2014-3580 and CVE-2014-8108
Summary: subversion new security issues CVE-2014-3580 and CVE-2014-8108
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627315/
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-17 17:52 CET by David Walser
Modified: 2014-12-24 18:48 CET (History)
3 users (show)

See Also:
Source RPM: subversion-1.8.10-6.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-12-17 17:52:35 CET
Upstream has released version 1.8.11 on December 15, fixing two security issues:
https://mail-archives.apache.org/mod_mbox/subversion-dev/201412.mbox/%3C548F4EF1.9070900@apache.org%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.11/CHANGES

Update checked into SVN for Mageia 4 and Cauldron.

Freeze push requested for Cauldron.

Reproducible: 

Steps to Reproduce:
David Walser 2014-12-17 17:54:26 CET

Whiteboard: (none) => MGA4TOO,

David Walser 2014-12-17 17:54:35 CET

Whiteboard: MGA4TOO, => MGA4TOO

Comment 1 David Walser 2014-12-19 01:14:29 CET
Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way mod_dav_svn handled
REPORT requests. A remote, unauthenticated attacker could use a crafted
REPORT request to crash mod_dav_svn (CVE-2014-3580).

A NULL pointer dereference flaw was found in the way mod_dav_svn handled URIs
for virtual transaction names. A remote, unauthenticated attacker could send
a request for a virtual transaction name that does not exist, causing
mod_dav_svn to crash (CVE-2014-8108).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1174054
https://bugzilla.redhat.com/show_bug.cgi?id=1174057
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.11-1.mga4
subversion-doc-1.8.11-1.mga4
libsvn0-1.8.11-1.mga4
libsvn-gnome-keyring0-1.8.11-1.mga4
libsvn-kwallet0-1.8.11-1.mga4
subversion-server-1.8.11-1.mga4
subversion-tools-1.8.11-1.mga4
python-svn-1.8.11-1.mga4
ruby-svn-1.8.11-1.mga4
libsvnjavahl1-1.8.11-1.mga4
svn-javahl-1.8.11-1.mga4
perl-SVN-1.8.11-1.mga4
subversion-kwallet-devel-1.8.11-1.mga4
subversion-gnome-keyring-devel-1.8.11-1.mga4
perl-svn-devel-1.8.11-1.mga4
python-svn-devel-1.8.11-1.mga4
ruby-svn-devel-1.8.11-1.mga4
subversion-devel-1.8.11-1.mga4
apache-mod_dav_svn-1.8.11-1.mga4

from subversion-1.8.11-1.mga4.src.rpm

Severity: normal => major
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2014-12-19 02:08:21 CET
Quoting Rémi from last time...

There are bits of procedure here:
https://bugs.mageia.org/show_bug.cgi?id=10895#c4

To follow that procedure, you need to install subversion-tools for the first part, and apache-mod_dav_svn for the last one.

Whiteboard: (none) => has_procedure

Comment 3 Herman Viaene 2014-12-20 11:16:03 CET
MGA4-32 on Acer D620,
Trying to install from Core uo-pdates resting I get in MCC:
Sorry, the following package cannot be selected:

- subversion-kwallet-devel-1.8.11-1.mga4.i586
Is this essential to the issue?

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2014-12-20 12:09:45 CET
MGA44-64 on HP Probook 6555b
No installation issues, but trying to repeat the procedure of Comment 2, throws a problem. At the CLI:
svn import /home/xxxx/project/ file:///home/xxxx/svn/project
svn: E205007: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: E205007: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found
I  tried
svn import -m "Test update" /home/tester4/project/ file:///home/tester4/svn/project
That seemed to do the trick.
Checkin and checkout OK
Then used su -l on second konsole tab to edit the subversion.conf file to refer to /home/xxxx/svn as SVN path and restart the httpd service, as I never use sudo
Pointing Firefox to http://http://localhost/svn/repos results in
Object not found ......Error 404
Comment 5 Herman Viaene 2014-12-20 12:15:21 CET
Subversion.conf file:
<IfModule mod_dav_svn.c>

    #<Location /svn/repos>
    #   DAV svn
    #   SVNPath /home/xxxx/svn
    #
    #   # Limit write permission to list of valid users.
    #   <LimitExcept GET PROPFIND OPTIONS REPORT>
    #      # Require SSL connection for password protection.
    #      # SSLRequireSSL
    #
    #      AuthType Basic
    #      AuthName "Authorization Realm"
    #      AuthUserFile /path/to/passwdfile
    #      AuthzSVNAccessFile /path/to/access/file
    #      Require valid-user
    #   </LimitExcept>
    #</Location>

</IfModule>
Comment 6 David Walser 2014-12-20 13:26:46 CET
(In reply to Herman Viaene from comment #3)
> MGA4-32 on Acer D620,
> Trying to install from Core uo-pdates resting I get in MCC:
> Sorry, the following package cannot be selected:
> 
> - subversion-kwallet-devel-1.8.11-1.mga4.i586
> Is this essential to the issue?

Why can't it be selected?

(In reply to Herman Viaene from comment #5)
> Subversion.conf file:
> <IfModule mod_dav_svn.c>
> 
>     #<Location /svn/repos>
>     #   DAV svn
>     #   SVNPath /home/xxxx/svn
>     #
>     #   # Limit write permission to list of valid users.
>     #   <LimitExcept GET PROPFIND OPTIONS REPORT>
>     #      # Require SSL connection for password protection.
>     #      # SSLRequireSSL
>     #
>     #      AuthType Basic
>     #      AuthName "Authorization Realm"
>     #      AuthUserFile /path/to/passwdfile
>     #      AuthzSVNAccessFile /path/to/access/file
>     #      Require valid-user
>     #   </LimitExcept>
>     #</Location>
> 
> </IfModule>

It's commented out, that's why /svn/repos doesn't exist.
Comment 7 Herman Viaene 2014-12-20 13:52:05 CET
On Comment 5 : for other ones not to make the same mistakes, the 3 lines <Location>, SVNPath and </Location> have to be effective (not commented out.
Then the svn repos works OK

Whiteboard: has_procedure => has_procedure MGA4-64 OK

Comment 8 Herman Viaene 2014-12-20 14:32:59 CET
(In reply to Herman Viaene from comment #7)
> On Comment 5 : for other ones not to make the same mistakes, the 3 lines
> <Location>, SVNPath and </Location> have to be effective (not commented out.
> Then the svn repos works OK
Four lines: forgot to mention DAV line
Comment 9 Herman Viaene 2014-12-20 14:40:18 CET
On Comment 6 ref. Comment 3
I first updated in MCC the core updates testing and then tried again to install subversion-kwallet-devel-1.8.11-1.mga4.i586, and this time it drew in a whole bunch of dependencies.
Oncce all packages installed, the test procedure runs OK.
Note on this subversion-kwallet. I do this test on a Xfce machine, installing this pack drew in 266 dependencies, of which the large majority is KDE related (of course, it is "K"wallet). But am I right in thinking that svn and apache are not really depending on KDE????
Herman Viaene 2014-12-20 14:40:51 CET

Whiteboard: has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK

Comment 10 David Walser 2014-12-22 20:07:32 CET
LWN reference for CVE-2014-3580:
http://lwn.net/Vulnerabilities/627315/

Nothing for CVE-2014-8108 yet.

URL: (none) => http://lwn.net/Vulnerabilities/627315/

claire robinson 2014-12-23 10:50:24 CET

Whiteboard: has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 11 Rémi Verschelde 2014-12-23 11:10:41 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 12 Mageia Robot 2014-12-23 21:36:05 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0545.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 13 David Walser 2014-12-24 18:48:55 CET
LWN reference for CVE-2014-8108:
http://lwn.net/Vulnerabilities/627592/

Note You need to log in before you can comment on or make changes to this bug.