Bug 18299 - subversion new security issues CVE-2016-2167 and CVE-2016-2168
Summary: subversion new security issues CVE-2016-2167 and CVE-2016-2168
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/685491/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-04-29 20:25 CEST by David Walser
Modified: 2016-05-05 11:06 CEST

See Also:
Source RPM: subversion-1.8.15-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-04-29 20:25:33 CEST
Debian has issued an advisory today (April 29):
https://www.debian.org/security/2016/dsa-3561

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Daniel Shahaf and James McCoy discovered that an implementation error in the
authentication against the Cyrus SASL library would permit a remote user to
specify a realm string which is a prefix of the expected realm string,
potentially allowing a user to authenticate using the wrong realm
(CVE-2016-2167).

Ivan Zhakov of VisualSVN discovered a remotely triggerable denial of service
vulnerability in the mod_authz_svn module during COPY or MOVE authorization
check. An authenticated remote attacker could take advantage of this flaw to
cause a denial of service (Subversion server crash) via COPY or MOVE requests
with a specially crafted header (CVE-2016-2168).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2168
http://mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgJet+7_MAhomFVOXPgLtewcUw9w=k9zdPCkq5tvPxVMA@mail.gmail.com%3E
http://svn.apache.org/repos/asf/subversion/tags/1.8.16/CHANGES
http://subversion.apache.org/security/CVE-2016-2167-advisory.txt
http://subversion.apache.org/security/CVE-2016-2168-advisory.txt
https://www.debian.org/security/2016/dsa-3561
========================

Updated packages in core/updates_testing:
========================
subversion-1.8.16-1.mga5
subversion-doc-1.8.16-1.mga5
libsvn0-1.8.16-1.mga5
libsvn-gnome-keyring0-1.8.16-1.mga5
libsvn-kwallet0-1.8.16-1.mga5
subversion-server-1.8.16-1.mga5
subversion-tools-1.8.16-1.mga5
python-svn-1.8.16-1.mga5
ruby-svn-1.8.16-1.mga5
libsvnjavahl1-1.8.16-1.mga5
svn-javahl-1.8.16-1.mga5
perl-SVN-1.8.16-1.mga5
subversion-kwallet-devel-1.8.16-1.mga5
subversion-gnome-keyring-devel-1.8.16-1.mga5
perl-svn-devel-1.8.16-1.mga5
python-svn-devel-1.8.16-1.mga5
ruby-svn-devel-1.8.16-1.mga5
subversion-devel-1.8.16-1.mga5
apache-mod_dav_svn-1.8.16-1.mga5

from subversion-1.8.16-1.mga5.src.rpm
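
The class of comparison error the advisory describes for CVE-2016-2167, as an added illustration (not Subversion's code and not part of the original report): a realm check bounded by the length of the client-supplied string accepts any prefix of the expected realm, while an exact check does not. The function names, the realm value and the choice to accept a username without a realm are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not taken from Subversion. */

/* Flawed check: compares only as many bytes as the client supplied, so any
   prefix of the expected realm (including an empty realm) is accepted. */
static int realm_ok_prefix_bug(const char *user, size_t user_len,
                               const char *expected_realm)
{
    const char *at = memchr(user, '@', user_len);
    if (at == NULL)
        return 1;   /* assumption: no realm given means the default realm */
    size_t given_len = user_len - (size_t)(at - user) - 1;
    return strncmp(at + 1, expected_realm, given_len) == 0;
}

/* Corrected check: the lengths must match before the bytes are compared. */
static int realm_ok_exact(const char *user, size_t user_len,
                          const char *expected_realm)
{
    const char *at = memchr(user, '@', user_len);
    if (at == NULL)
        return 1;   /* same assumption as above */
    size_t given_len = user_len - (size_t)(at - user) - 1;
    return given_len == strlen(expected_realm)
        && memcmp(at + 1, expected_realm, given_len) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the realm name is made up. */
    const char *expected = "example-realm";
    const char *inputs[] = { "alice@example-realm", "alice@example",
                             "alice@", "alice@other", "alice" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s flawed=%d exact=%d\n", inputs[i],
               realm_ok_prefix_bug(inputs[i], strlen(inputs[i]), expected),
               realm_ok_exact(inputs[i], strlen(inputs[i]), expected));
    return 0;
}
```
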
Comment 1 David Walser 2016-04-29 20:25:46 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14826#c2

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2016-04-30 23:24:01 CEST
x86_64

Installed all the packages listed and carried out the setting-up instructions
outlined in bug 10895 #4.
$ svnadmin create --fs-type fsfs ~/svn
$ cd
$ mkdir project
$ cd project
$ mkdir bin
$ mkdir src
$ mkdir doc

Updated all as listed.

$ echo test > doc/index.html
$ echo whatever > src/Makefile
$ svn import ~/project/ file:///home/lcl/svn/project/trunk -m 'Initial import'
Adding         bin
Adding         doc
Adding         doc/index.html
Adding         src
Adding         src/Makefile

Committed revision 1.

$ cd
$ rm -rf project
$ svn checkout file:///home/lcl/svn/project
A    project/trunk
A    project/trunk/doc
A    project/trunk/doc/index.html
A    project/trunk/src
A    project/trunk/src/Makefile
A    project/trunk/bin
Checked out revision 1.

$ cd project
$ ls -a
.  ..  .svn  trunk
$ svn info
Path: .
Working Copy Root Path: /home/lcl/project
URL: file:///home/lcl/svn/project
Relative URL: ^/project
Repository Root: file:///home/lcl/svn
Repository UUID: e0eb750c-cb4b-45e1-8e3d-535e378144aa
Revision: 1
Node Kind: directory
Schedule: normal
Last Changed Author: lcl
Last Changed Rev: 1
Last Changed Date: 2016-04-30 20:17:57 +0100 (Sat, 30 Apr 2016)

Edited /etc/httpd/conf/conf.d/subversion.conf to point to /home/lcl/svn.

$ sudo systemctl restart httpd.service
Job for httpd.service failed. See "systemctl status httpd.service" and "journalctl -xe" for details.
$ sudo systemctl -l status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: failed (Result: exit-code) since Sat 2016-04-30 20:56:39 BST; 1min 13s ago
  Process: 32615 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 32615 (code=exited, status=1/FAILURE)

Apr 30 20:56:39 vega httpd[32615]: httpd: Syntax error on line 54 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf/modules.d/10_mod_nss.conf: Cannot load modules/libmodnss.so into server: /etc/httpd/modules/libmodnss.so: cannot open shared object file: No such file or directory
Apr 30 20:56:39 vega systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 30 20:56:39 vega systemd[1]: Failed to start The Apache HTTP Server.
Apr 30 20:56:39 vega systemd[1]: Unit httpd.service entered failed state.
Apr 30 20:56:39 vega systemd[1]: httpd.service failed.

Line 54 of httpd.conf reads:
Include conf/modules.d/*.conf
and /etc/httpd/conf/modules.d/10_mod_nss.conf starts with:
LoadModule dav_svn_module     modules/mod_dav_svn.so

$ ls /etc/httpd/modules/lib*nss.so*
ls: cannot access modules/lib*nss.so*: No such file or directory

$ urpmq --whatprovides libmodnss
No package named libmodnss

Looks like my system is missing something.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2016-04-30 23:55:08 CEST
$ sudo urpme apache-mod_nss
$ sudo urpmi apache-mod_nss
apache-mod_nss certificate database generated

# systemctl start httpd.service

Fine.
Comment 4 Len Lawrence 2016-05-01 00:01:27 CEST
$ firefox http://localhost/svn/repos
Shows this in the browser:
repos - Revision 1: /
    project/

project -> trunk
trunk -> bin/ doc/ src/
etc. etc.

Good for 64-bit
Len Lawrence 2016-05-01 00:01:44 CEST

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 5 Len Lawrence 2016-05-01 12:30:58 CEST
i586 in virtualbox

Updated all the packages listed and carried out the setting-up instructions
for a dummy project from bug 10895 #c4, exactly as in the 64-bit test;
committed project to svn, removed project directory and checked out the project, which
recreated the project directory.
$ ls -a project
.  ..  .svn  trunk
$ ls project/trunk
$ cd project
$ svn info
Path: .
Working Copy Root Path: /home/lcl/project
URL: file:///home/lcl/svn/project
Relative URL: ^/project
Repository Root: file:///home/lcl/svn
Repository UUID: e4d39550-3a9f-4e2e-be80-86301193ee89
Revision: 1
Node Kind: directory
Schedule: normal
Last Changed Author: lcl
Last Changed Rev: 1
Last Changed Date: 2016-05-01 11:12:05 +0100 (Sun, 01 May 2016)
bin  doc  src
$ sudo vi /etc/httpd/conf/conf.d/subversion.conf
$ sudo systemctl restart httpd.service
$ firefox http://localhost/svn/repos
This brought up the project page in the browser.

Validating this for both architectures.  Would someone in sysadmin please push to updates.
Len Lawrence 2016-05-01 12:32:01 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2016-05-02 00:08:40 CEST
Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 7 Mageia Robot 2016-05-05 11:06:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0161.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

