Bug 29266 - fossil new TLS verification security issue (CVE-2021-36377)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-18 19:43 CEST by David Walser
Modified: 2021-07-26 16:17 CEST

See Also:
Source RPM: fossil-2.12.1-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-07-18 19:43:51 CEST
openSUSE has issued an advisory on July 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AQ44KVDTB6D2MENE7C2YPVCSV3BXT3B4/

The issue is fixed upstream in 2.14.2:
https://fossil-scm.org/home/doc/trunk/www/changes.wiki#v2_14

Mageia 8 is also affected.
David Walser 2021-07-18 19:44:08 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.14.2

Comment 1 Nicolas Lécureuil 2021-07-19 00:15:58 CEST
fixed in mga9

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia

Comment 2 Nicolas Lécureuil 2021-07-19 00:20:25 CEST
fixed in mga8:

src: 
    - fossil-2.14.2-1.mga8

Assignee: geiger.david68210 => qa-bugs

Comment 3 Aurelien Oudelet 2021-07-19 22:38:22 CEST
Suggested Advisory:
========================

Updated fossil package fixes security vulnerabilities:

Fix client-side TLS so that it verifies that the server hostname matches its certificate (Fixed in fossil 2.14.2).

A data exfiltration bug in the server (Fixed in fossil 2.14.1).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29266
 - https://fossil-scm.org/home/doc/trunk/www/changes.wiki#v2_14
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AQ44KVDTB6D2MENE7C2YPVCSV3BXT3B4/
========================

Updated package in core/updates_testing:
========================
fossil-2.14.2-1.mga8

from SRPM:
fossil-2.14.2-1.mga8.src.rpm

CC: (none) => ouaurelien
Status comment: Fixed upstream in 2.14.2 => (none)
Source RPM: fossil-2.14-1.mga9.src.rpm => fossil-2.12.1-1.mga8.src.rpm

Comment 4 Herman Viaene 2021-07-26 14:54:43 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 27153 Comment 6 for testing.

$ fossil help TOPIC
Try "fossil help help" or "fossil help -a" for more options
Frequently used commands:
add          cat          diff         ls           revert       timeline   
addremove    changes      extras       merge        rm           ui         
all          chat         finfo        mv           settings     undo       
amend        clean        gdiff        open         sql          unversioned
annotate     clone        grep         pull         stash        update     
bisect       commit       help         push         status       version    
blame        dbstat       info         rebuild      sync       
branch       delete       init         remote       tag        
This is fossil version 2.14.2 [fb3938ee09] 2021-06-15 01:00:33 UTC

[tester8@mach5 ~]$ fossil version
This is fossil version 2.14.2 [fb3938ee09] 2021-06-15 01:00:33 UTC

$ cd Documenten.test/
this is a newly created folder on the home folder, thus completely empty.

[tester8@mach5 Documenten.test]$ fossil init testfossil
project-id: 625324c274456347f877666391c7b2025983ab48
server-id:  bb3f378185dc4ac571bb337013d8092f70ce15f0
admin-user: tester8 (initial password is "AxP56FkiCb")

[tester8@mach5 Documenten.test]$ ls
testfossil

[tester8@mach5 Documenten.test]$ fossil info testfossil
project-name: <unnamed>
project-code: 625324c274456347f877666391c7b2025983ab48
[tester8@mach5 Documenten.test]$ ls -als
totaal 232
  4 drwxrwxr-x  2 tester8 tester8   4096 jul 26 14:25 ./
  4 drwxr-x--- 24 tester8 tester8   4096 jul 26 14:23 ../
224 -rw-r--r--  1 tester8 tester8 229376 jul 26 14:25 testfossil

[tester8@mach5 Documenten.test]$ fossil clone http://www.fossil-scm.org/ testfossil1
redirect with status 301 to http://www.fossil-scm.org/home
redirect with status 301 to https://www.fossil-scm.org/home
Round-trips: 9   Artifacts sent: 0  received: 52932
Clone done, sent: 2966  received: 40760752  ip: 45.33.6.223
Rebuilding repository meta-data...
  100.1% complete...
Extra delta compression... 
Vacuuming the database... 
project-id: CE59BB9F186226D80E49D1FA2DB29F935CCA0333
server-id:  9dced0bbc2fe88c6d9491cd172132efecf167d57
admin-user: tester8 (password is "PzBxy5DjQi")

[tester8@mach5 Documenten.test]$ ls -als
totaal 55748
    4 drwxrwxr-x  2 tester8 tester8     4096 jul 26 14:29 ./
    4 drwxr-x--- 24 tester8 tester8     4096 jul 26 14:23 ../
  224 -rw-r--r--  1 tester8 tester8   229376 jul 26 14:25 testfossil
55516 -rw-r--r--  1 tester8 tester8 56844288 jul 26 14:29 testfossil1

[tester8@mach5 Documenten.test]$ fossil open testfossil
directory /home/tester8/Documenten.test is not empty
use the -f or --force option to override
Of course it's not empty, I just created the two repos in it and these are SQLite files.
but continuing using the suggestion above

[tester8@mach5 Documenten.test]$ fossil open testfossil -f
project-name: <unnamed>
repository:   /home/tester8/Documenten.test/testfossil
local-root:   /home/tester8/Documenten.test/
config-db:    /home/tester8/.config/fossil.db
project-code: 625324c274456347f877666391c7b2025983ab48
checkout:     3d587b7b01f55e36a1abbe2ab7b72ff7575587d9 2021-07-26 12:25:26 UTC
tags:         trunk
comment:      initial empty check-in (user: tester8)
check-ins:    1

[tester8@mach5 Documenten.test]$ fossil status testfossil
repository:   /home/tester8/Documenten.test/testfossil
local-root:   /home/tester8/Documenten.test/
config-db:    /home/tester8/.config/fossil.db
checkout:     3d587b7b01f55e36a1abbe2ab7b72ff7575587d9 2021-07-26 12:25:26 UTC
tags:         trunk
comment:      initial empty check-in (user: tester8)

[tester8@mach5 Documenten.test]$ fossil ui testfoss
repository does not exist or is in an unreadable directory: testfoss
that is unexpected w.r.t. the previous update procedure, but going on.

[tester8@mach5 Documenten.test]$ fossil ui testfossil1
Listening for HTTP requests on TCP port 8080

(firefox:13629): Gtk-WARNING **: 14:45:18.332: Theme parsing error: gtk.css:2:33: Failed to import: Error at oening file /home/tester8/.config/gtk-3.0/window_decorations.css: file or folder does not exist


This brings browser to Fossil:Home http://localhost:8080/doc/trunk/www/index.wiki, the contents seem OK except for a red text "ERROR: no such command: builtin_request_js"

on a second CLI tab
[tester8@mach5 Documenten]$ fossil add tutorialredis.txt 
repository does not exist or is in an unreadable directory: /home/tester8/Documenten/testfossil
That is not OK either, the repo has been force-opened before

So committing is not possible here.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2021-07-26 15:14:48 CEST
Not giving up totally
$ fossil delete testfossil
[tester8@mach5 Documenten.test]$ ls -als
totaal 55828
    4 drwxrwxr-x  2 tester8 tester8     4096 jul 26 14:46 ./
    4 drwxr-x--- 24 tester8 tester8     4096 jul 26 14:23 ../
   32 -rw-r--r--  1 tester8 tester8    32768 jul 26 14:40 .fslckout
  224 -rw-r--r--  1 tester8 tester8   229376 jul 26 14:40 testfossil
55564 -rw-r--r--  1 tester8 tester8 56893440 jul 26 14:46 testfossil1
delete the .fslckout and testfossil manually
[tester8@mach5 Documenten.test]$ fossil init testfossil
project-id: c1b07ab9f072e52cfcfb3a24068e7197338d9695
server-id:  cf5311be68f54a9a6f9f36f5ce1ebe4d81551369
admin-user: tester8 (initial password is "Gy8CarFqxA")
[tester8@mach5 Documenten.test]$ fossil open testfossil
directory /home/tester8/Documenten.test is not empty
use the -f or --force option to override
[tester8@mach5 Documenten.test]$ fossil open testfossil -f
project-name: <unnamed>
repository:   /home/tester8/Documenten.test/testfossil
local-root:   /home/tester8/Documenten.test/
config-db:    /home/tester8/.config/fossil.db
project-code: c1b07ab9f072e52cfcfb3a24068e7197338d9695
checkout:     59b25ce6ede6d9509fc0c4c79ac7c43fb4237de8 2021-07-26 12:58:54 UTC
tags:         trunk
comment:      initial empty check-in (user: tester8)
check-ins:    1
copied a text file into the folder and went on

[tester8@mach5 Documenten.test]$ fossil add tutorialredis.txt 
ADDED  tutorialredis.txt
[tester8@mach5 Documenten.test]$ fossil commit -m "eerste bestand"
New_Version: d230d32b6df2e1ca1532def171a95999cb14ac68d902e5f585ea2c7d663097d4

$ fossil ui
Listening for HTTP requests on TCP port 8080

(firefox:16796): Gtk-WARNING **: 15:07:55.388: Theme parsing error: gtk.css:2:33: Failed to import: Fout bij het openen van bestand /home/tester8/.config/gtk-3.0/window_decorations.css: Bestand of map bestaat niet
This brings browser to Unnamed Fossil ProjectTimeline http://localhost:8081/timeline?c=current
showing 2 check-ins occurring around current:
the initial check-in and the one labeled "eerste bestand"
Opened a ticket in this site: is accepted and shown in report list

I'd rather have someone else looking into this, I don't feel confident. This is certainly operating as smoothly as in bug 27153

Comment 6 David Walser 2021-07-26 16:17:36 CEST
Fedora has issued an advisory for this today (July 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JBTRZ5HCOUTIIKJF3T37NORI4P7EVYCY/

It has been assigned CVE-2021-36377.

Severity: normal => major
Summary: fossil new TLS verification security issue => fossil new TLS verification security issue (CVE-2021-36377)

