Bug 33838 - subversion new security issue CVE-2024-46901
Summary: subversion new security issue CVE-2024-46901
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-12-09 09:29 CET by Nicolas Salguero
Modified: 2025-02-12 19:29 CET

See Also:
Source RPM: subversion-1.14.2-2.mga9.src.rpm
CVE: CVE-2024-46901
Status comment:


Attachments
access rights of repo (6.98 KB, text/plain)
2025-02-12 11:33 CET, Herman Viaene

Description Nicolas Salguero 2024-12-09 09:29:28 CET
CVE-2024-46901 was announced here:
https://www.openwall.com/lists/oss-security/2024/12/09/1
Nicolas Salguero 2024-12-09 09:30:04 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => subversion-1.14.3-3.mga10.src.rpm, subversion-1.14.2-2.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.14.5
CVE: (none) => CVE-2024-46901

Comment 1 Lewis Smith 2024-12-09 13:47:09 CET
No one packager in evidence for this, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-12-16 14:21:38 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. (CVE-2024-46901)

References:
https://www.openwall.com/lists/oss-security/2024/12/09/1
========================

Updated packages in core/updates_testing:
========================
apache-mod_dav_svn-1.14.2-2.1.mga9
lib(64)svn-gnome-keyring0-1.14.2-2.1.mga9
lib(64)svn-kwallet0-1.14.2-2.1.mga9
lib(64)svn0-1.14.2-2.1.mga9
lib(64)svnjavahl1-1.14.2-2.1.mga9
perl-SVN-1.14.2-2.1.mga9
python3-svn-1.14.2-2.1.mga9
subversion-1.14.2-2.1.mga9
subversion-devel-1.14.2-2.1.mga9
subversion-doc-1.14.2-2.1.mga9
subversion-server-1.14.2-2.1.mga9
subversion-tools-1.14.2-2.1.mga9
svn-javahl-1.14.2-2.1.mga9

from SRPM:
subversion-1.14.2-2.1.mga9.src.rpm

Status comment: Fixed upstream in 1.14.5 => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: subversion-1.14.3-3.mga10.src.rpm, subversion-1.14.2-2.mga9.src.rpm => subversion-1.14.2-2.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 3 katnatek 2024-12-16 19:24:38 CET
RH x86_64

installing subversion-1.14.2-2.1.mga9.x86_64.rpm lib64svn0-1.14.2-2.1.mga9.x86_64.rpm perl-SVN-1.14.2-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64svn0             ##################################################################################################
      2/3: subversion            ##################################################################################################
      3/3: perl-SVN              ##################################################################################################
      1/3: removing perl-SVN-2:1.14.2-2.mga9.x86_64
                                 ##################################################################################################
      2/3: removing subversion-2:1.14.2-2.mga9.x86_64
                                 ##################################################################################################

As in https://bugs.mageia.org/show_bug.cgi?id=30274#c2
Used to send advisory
OK for me
      3/3: removing lib64svn0-2:1.14.2-2.mga9.x86_64
                                 ##################################################################################################

Keywords: (none) => advisory

Comment 4 Herman Viaene 2024-12-17 12:18:05 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Tried to test along lines of bugs 28348, 10895 and 9624
$ svnadmin create --fs-type fsfs /home/tester9/testsvn
[tester9@mach3 testsvn]$ mkdir project
[tester9@mach3 testsvn]$ cd project/
[tester9@mach3 project]$ mkdir bin
[tester9@mach3 project]$ mkdir src
[tester9@mach3 project]$ mkdir doc
[tester9@mach3 project]$ echo test>doc/index.html
[tester9@mach3 project]$ echo stuff>src/Makefile
$ svn import /home/tester9/testsvn/project/ file:///home/tester9/testsvn/project/trunk -m 'Initial import'
Adding         bin
Adding         doc
Adding         doc/index.html
Adding         src
Adding         src/Makefile
Committing transaction...
Committed revision 1.
$ cd ..
$ ls
conf/  db/  format  hooks/  locks/  project/  README.txt
$ rm -rf project
$ ls
conf/  db/  format  hooks/  locks/  README.txt
[tester9@mach3 testsvn]$ svn checkout file:///home/tester9/testsvn/project
A    project/trunk
A    project/trunk/bin
A    project/trunk/doc
A    project/trunk/doc/index.html
A    project/trunk/src
A    project/trunk/src/Makefile
Checked out revision 1.

But then, bug 10895 lists
sudo mc -e /etc/httpd/modules.d/46_mod_dav_svn.conf
but that file does not exist.
Found file /etc/httpd/conf/modules.d/10_mod_dav_snv.conf and added the lines stated in bug 9624 (changed to my own folders) and after restart of httpd, tried to point firefox to the svn repo but get this:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<D:error>
<C:error/>
<m:human-readable errcode="13"> Could not open the requested SVN filesystem </m:human-readable>
</D:error>

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2024-12-17 13:52:43 CET
Forgot to mention, had to add the EDITOR environment variable as in previous bugs. Not good.
katnatek 2024-12-18 03:46:05 CET

Keywords: (none) => feedback

Comment 6 PC LX 2024-12-20 01:03:40 CET
Installed and tested without issues.

I only use subversion for legacy repositories so only did some quick tests.
Did not test the apache, java, gnome-keyring0, and kwallet0 packages.

Tested on old repositories and newly created ones.
Tested svnserve and local filesystem repositories.
Tested a bunch of commands: status, info, checkout, commit, diff, ls, update, upgrade, add, move, mkdir, merge, copy, delete.



System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.65-desktop-2.mga9 #1 SMP PREEMPT_DYNAMIC Thu Dec 12 12:42:26 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep '1.14.2-2.1' | sort
lib64svn0-1.14.2-2.1.mga9
subversion-1.14.2-2.1.mga9
subversion-server-1.14.2-2.1.mga9
subversion-tools-1.14.2-2.1.mga9

CC: (none) => mageia

Comment 7 Nicolas Salguero 2025-02-05 11:50:18 CET
(In reply to Herman Viaene from comment #4)
> But then, bug 10895 lists
> sudo mc -e /etc/httpd/modules.d/46_mod_dav_svn.conf
> but that file does not exist.
> Found file /etc/httpd/conf/modules.d/10_mod_dav_snv.conf and added the lines
> stated in bug 9624 (changed to my own folders) and after restart of httpd,
> tried to point firefox to the svn repo but get this:
> 
> This XML file does not appear to have any style information associated with
> it. The document tree is shown below.
> <D:error>
> <C:error/>
> <m:human-readable errcode="13"> Could not open the requested SVN filesystem
> </m:human-readable>
> </D:error>

Hi,

Are you sure that the httpd user has the right to read the repository?

Best regards,

Nico.
Comment 8 Nicolas Salguero 2025-02-12 11:00:13 CET
Hi,

I did the same test as Herman, following comment 4, and I was able to see the repository in Firefox at http://localhost/svn/repos.

So I think that the problem Herman saw definitively came from the fact that the httpd user had no right to read the repository.

In my test, I just verified that all the files belonging to the test user, including the home directory, are readable (and executable, for the directories) by other users.

Best regards,

Nico.

Keywords: feedback => (none)

Comment 9 Herman Viaene 2025-02-12 11:33:45 CET
Created attachment 14863 [details]
access rights of repo
Comment 10 Nicolas Salguero 2025-02-12 11:52:37 CET
Hi,

Your attachment confirms my thoughts (the httpd user cannot enter into /home/tester9):
"""
$ ls -als testsvn/
total 36
4 drwxr-xr-x  7 tester9 tester9 4096 Dec 17 11:55 ./
4 drwx------ 32 tester9 tester9 4096 Feb 12 11:21 ../
"""

Best regards,

Nico.
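
The diagnosis reached in comments 7 to 10, as an added example that is not part of the original thread: a shell function that walks a repository path and prints the first component the "other" permission class cannot traverse or read. The function name and the optional START argument are hypothetical; it assumes GNU `stat` and `readlink`, that the httpd account is neither owner nor group member of the directories, and that no ACLs are in use.

```shell
#!/bin/sh
# Added example (assumed helper, not from the bug thread).
# Usage: first_blocking_component TARGET [START]
#   TARGET  repository path served by mod_dav_svn
#   START   ancestor of TARGET already known to be reachable (default: /)
# Prints the first blocking path and returns 1; returns 0 if none is found.

first_blocking_component() {
    target=$(readlink -f -- "$1") || return 2
    start=$(readlink -f -- "${2:-/}") || return 2
    cur=${start%/}                        # "/" becomes "" so joins stay clean
    rel=${target#"$cur"/}                 # components still to be checked

    old_ifs=$IFS; IFS=/; set -f           # split on "/" without globbing
    set -- $rel
    set +f; IFS=$old_ifs

    for part in "$@"; do
        cur="$cur/$part"
        [ -d "$cur" ] || continue
        mode=$(stat -c '%a' -- "$cur") || return 2
        case ${mode#"${mode%?}"} in       # last octal digit = "other" bits
            1|3|5|7) ;;                   # o+x: directory can be traversed
            *) printf '%s\n' "$cur"; return 1 ;;
        esac
    done

    # The target itself must also be readable by "other".
    mode=$(stat -c '%a' -- "$target") || return 2
    case ${mode#"${mode%?}"} in
        4|5|6|7) return 0 ;;
        *) printf '%s\n' "$target"; return 1 ;;
    esac
}

# When called with arguments, run the check directly.
if [ $# -gt 0 ]; then
    first_blocking_component "$@"
fi
```

For the listing quoted in comment 10, where `/home/tester9` is `drwx------`, the function would print `/home/tester9` even though `testsvn/` itself is `drwxr-xr-x`.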
Comment 11 Herman Viaene 2025-02-12 14:01:31 CET
Right, corrected that, and now the project displays. So let it go.

Whiteboard: (none) => MGA9-64-OK

Comment 12 Thomas Andrews 2025-02-12 15:40:44 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 13 Mageia Robot 2025-02-12 19:29:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0058.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

