Bug 27153 - fossil new security issue allows remote code execution (CVE-2020-24614)
Summary: fossil new security issue allows remote code execution (CVE-2020-24614)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-20 18:13 CEST by David Walser
Modified: 2020-08-30 18:54 CEST
4 users

See Also:
Source RPM: fossil-2.8-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-08-20 18:13:44 CEST
Security issues in fossil have been announced today (August 20):
https://www.openwall.com/lists/oss-security/2020/08/20/1

There is a link in the message above to a location for patches to fix the issues.

Mageia 7 is also affected.
David Walser 2020-08-20 18:14:07 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-08-20 22:15:28 CEST
Hi, thanks for reporting this.

Immediately assigning to current registered packager.

CC: (none) => ouaurelien
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2020-08-22 12:13:14 CEST
Fossil 2.12.1 was uploaded to cauldron. Do you think it will be ok to upgrade the mga7-updates' packaged release to 2.12.1 as well?

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 David Walser 2020-08-22 13:29:20 CEST
https://fossil-scm.org/fossil/doc/trunk/www/changes.wiki

2.10.2 is closer to Mageia 7's 2.8 and also contains the security fixes.
David Walser 2020-08-22 13:30:12 CEST

Source RPM: fossil-2.10-2.mga8.src.rpm => fossil-2.8-1.mga7.src.rpm

Aurelien Oudelet 2020-08-25 11:00:18 CEST

CC: ouaurelien => (none)

Comment 4 David Walser 2020-08-26 22:31:01 CEST
CVE-2020-24614 assigned:
https://www.openwall.com/lists/oss-security/2020/08/25/1

Summary: fossil new security issue allows remote code execution => fossil new security issue allows remote code execution (CVE-2020-24614)

Comment 5 David Walser 2020-08-27 14:15:31 CEST
Updated package uploaded by Shlomi.

Advisory:
========================

Updated fossil package fixes security vulnerability:

Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows
remote authenticated users to execute arbitrary code. An attacker must have
check-in privileges on the repository (CVE-2020-24614).

The fossil package has been updated to version 2.10.2, containing fixes for
this issue, fixes for other bugs and security issues, and additional
enhancements.  See the changes list for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24614
https://www.openwall.com/lists/oss-security/2020/08/25/1
https://fossil-scm.org/fossil/doc/trunk/www/changes.wiki
========================

Updated packages in core/updates_testing:
========================
fossil-2.10.2-1.mga7

from fossil-2.10.2-1.mga7.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
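As an added example (not part of this bug report, and not code from the Fossil or Mageia projects), the following Python check parses the output of `fossil version` and tests it against the three affected ranges quoted in the advisory above: before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1. The sample output line is constructed to match the shape of the QA transcript's `fossil version` output; the function and constant names are my own.

```python
"""Check a Fossil version against the CVE-2020-24614 advisory ranges.

Added example; not Mageia's or Fossil's own code. The affected ranges
come from the advisory text on this page; SAMPLE_OUTPUT is constructed
to match the shape of `fossil version` output in the QA comment.
"""
import re
import shutil
import subprocess

# Advisory ranges as (inclusive lower bound, first fixed version):
#   before 2.10.2, 2.11.x before 2.11.2, 2.12.x before 2.12.1.
AFFECTED_RANGES = [
    ((0, 0, 0), (2, 10, 2)),
    ((2, 11, 0), (2, 11, 2)),
    ((2, 12, 0), (2, 12, 1)),
]

# Matches "version 2.10.2" inside the `fossil version` banner line.
VERSION_RE = re.compile(r"\bversion (\d+)\.(\d+)(?:\.(\d+))?")
# Matches a bare version string such as "2.8" or "2.12.1".
BARE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a banner line or a bare version.

    A missing patch component (e.g. Mageia 7's "2.8") counts as 0.
    """
    m = VERSION_RE.search(text) or BARE_RE.match(text.strip())
    if not m:
        raise ValueError("no version found in: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version falls inside any advisory range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def installed_fossil_version():
    """Run `fossil version` if the binary is on PATH; None otherwise."""
    exe = shutil.which("fossil")
    if exe is None:
        return None
    proc = subprocess.run([exe, "version"], capture_output=True,
                          text=True, check=False)
    return parse_version(proc.stdout)


# Constructed sample in the shape of the QA transcript's output.
SAMPLE_OUTPUT = ("This is fossil version 2.10.2 [12d2ad00de] "
                 "2020-08-20 13:18:36 UTC")

if __name__ == "__main__":
    # Prefer the installed binary; fall back to the constructed sample.
    v = installed_fossil_version() or parse_version(SAMPLE_OUTPUT)
    state = "AFFECTED" if is_affected(v) else "fixed"
    print("fossil %d.%d.%d: %s" % (v + (state,)))
```

Run it on a host with `fossil` on PATH to classify the installed build; without the binary it classifies the constructed sample, which is the 2.10.2 update from this bug and reports as fixed.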

Comment 6 Herman Viaene 2020-08-29 13:54:51 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Testing along the lines of bug21551 Comments 3 and 4
$ fossil help
Usage: fossil help TOPIC
Common commands:  (use "fossil help help" for more options)
add          cat          fusefs       merge        revert       ui         
addremove    changes      gdiff        mv           rm           undo       
all          clean        git          open         settings     unpublished
amend        clone        grep         praise       sql          unversioned
annotate     commit       help         publish      stash        update     
bisect       delete       import       pull         status       version    
blame        diff         info         push         sync       
branch       extras       init         rebuild      tag        
bundle       finfo        ls           remote-url   timeline   
This is fossil version 2.10.2 [12d2ad00de] 2020-08-20 13:18:36 UTC

$ fossil version
This is fossil version 2.10.2 [12d2ad00de] 2020-08-20 13:18:36 UTC

$ cd Doc
Documents/      Documents.test/ 

$ cd Documents.test/

$ fossil init testfossil
project-id: 2be92d53511c3119e5604a39f1e0e2f8fa3da063
server-id:  d1aaac0565e7855e649e8b56e1a0be597a314f53
admin-user: tester7 (initial password is "VqHA75uyCa")

$ fossil info testfossil
project-name: <unnamed>
project-code: 2be92d53511c3119e5604a39f1e0e2f8fa3da063

$ fossil clone http://www.fossil-scm.org/ testfossil1
redirect with status 301 to http://www.fossil-scm.org/home
redirect with status 301 to https://www.fossil-scm.org/home
Round-trips: 8   Artifacts sent: 0  received: 48490
Clone done, sent: 2595  received: 36233856  ip: 45.33.6.223
Rebuilding repository meta-data...
  100.1% complete...
Extra delta compression... 
Vacuuming the database... 
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id:  f0eda3ba4dbf1dd1be1acb0803bcd42386be658b
admin-user: tester7 (password is "pQyJYU9KPq")

$ fossil open testfossil
project-name: <unnamed>
repository:   /home/tester7/Documents.test/testfossil
local-root:   /home/tester7/Documents.test/
config-db:    /home/tester7/.fossil
project-code: 2be92d53511c3119e5604a39f1e0e2f8fa3da063
checkout:     fc7d174477c35ebd65294fa614641a5163d04eb3 2020-08-29 11:27:57 UTC
tags:         trunk
comment:      initial empty check-in (user: tester7)
check-ins:    1

$ fossil status testfossil
repository:   /home/tester7/Documents.test/testfossil
local-root:   /home/tester7/Documents.test/
config-db:    /home/tester7/.fossil
checkout:     fc7d174477c35ebd65294fa614641a5163d04eb3 2020-08-29 11:27:57 UTC
tags:         trunk
comment:      initial empty check-in (user: tester7)

$ fossil ui testfoss
testfossil   testfossil1  

$ fossil ui testfossil1
Listening for HTTP requests on TCP port 8080
brings browser to Fossil:Home http://localhost:8080/doc/trunk/www/index.wiki

On second CLI tab

$ fossil add config.yaml 
ADDED  config.yaml

$ fossil commit -m "eerste bestand"
New_Version: ec9262068615c61657a1c40d4b7ab86e4f7fd07670a38b875aacc582774ed28e
[tester7@mach5 Documents.test]$ fossil ui
Listening for HTTP requests on TCP port 8081
This brings browser to Unnamed Fossil Project Timeline http://localhost:8081/timeline?c=current
showing 2 check-ins occurring around current:
the initial check-in and the one labeled "eerste bestand"
Opened a ticket in this site: is accepted and shown in report list

For me that all looks OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2020-08-30 02:17:46 CEST
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2020-08-30 17:21:40 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-08-30 18:54:16 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0354.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
