Bug 9624 - subversion new security issues fixed in 1.7.9
: subversion new security issues fixed in 1.7.9
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/546161/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-04-05 16:34 CEST by David Walser
Modified: 2013-05-02 19:14 CEST (History)
4 users (show)

See Also:
Source RPM: subversion-1.7.8-3.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-04-05 16:34:12 CEST
Upstream has released 1.7.9 to fix several security issues:
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E

Full changelog here:
http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES

Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-04-12 00:27:13 CEST
Updated packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Excessive memory usage from property changes in mod_dav_svn in Subversion
before 1.7.9 (CVE-2013-1845).

Crashes on LOCK requests against activity URLs in mod_dav_svn in Subversion
before 1.7.9 (CVE-2013-1846).

Crashes on LOCK requests against non-existant URLs in mod_dav_svn in
Subversion before 1.7.9 (CVE-2013-1847).

Crashes on PROPFIND requests against activity URLs in mod_dav_svn in
Subversion before 1.7.9 (CVE-2013-1849).

Crashes on out of range limit in log REPORT requestin mod_dav_svn in
Subversion before 1.7.9 (CVE-2013-1884).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E
http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.9-1.mga2
subversion-doc-1.7.9-1.mga2
libsvn0-1.7.9-1.mga2
libsvn-gnome-keyring0-1.7.9-1.mga2
libsvn-kwallet0-1.7.9-1.mga2
subversion-server-1.7.9-1.mga2
subversion-tools-1.7.9-1.mga2
python-svn-1.7.9-1.mga2
ruby-svn-1.7.9-1.mga2
libsvnjavahl1-1.7.9-1.mga2
svn-javahl-1.7.9-1.mga2
perl-SVN-1.7.9-1.mga2
subversion-kwallet-devel-1.7.9-1.mga2
subversion-gnome-keyring-devel-1.7.9-1.mga2
perl-svn-devel-1.7.9-1.mga2
python-svn-devel-1.7.9-1.mga2
ruby-svn-devel-1.7.9-1.mga2
subversion-devel-1.7.9-1.mga2
apache-mod_dav_svn-1.7.9-1.mga2

from subversion-1.7.9-1.mga2.src.rpm
Comment 2 Dave Hodgins 2013-04-12 05:24:49 CEST
Trying to get mod_dav_svn working.

mkdir /var/www/uploads
svnadmin create /var/www/uploads
chown -R apache.apache /var/www/uploads
chmod g+s /var/www/uploads
edit /etc/httpd/modules.d/45_mod_dav.conf
 - uncomment the lines related to /var/www/uploads
htdigest -c "/usr/user.passwd" DAV-upload admin
edit /etc/httpd/modules.d/47_mod_authz_svn.conf
 Change location and SVNpath to /var/www/uploads
 AuthUserFile /usr/user.passwd
 Don't know what to put for AuthzSVNAccessFile

If I try to access localhost/uploads, I'm getting a 403 status.

Suggestions?
Comment 3 claire robinson 2013-04-25 11:02:57 CEST
Some basic testing info in bug 6551 comment 6 and 7


(sorry Dave it doesn't help with mod_dav_svn)
Comment 4 David Walser 2013-04-26 16:07:45 CEST
Mandriva has issued an advisory for this today (April 26):
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:153/

Oden, can you give us a hint on how to test mod_dav_svn so we can release this?
Comment 5 David Walser 2013-04-26 16:10:06 CEST
Here's an updated advisory, based on Oden's.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion's mod_dav_svn Apache HTTPD server module will use excessive
amounts of memory when a large number of properties are set or deleted
on a node. This can lead to a DoS. There are no known instances of
this problem being observed in the wild (CVE-2013-1845).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a LOCK request is made against activity URLs. This can lead to a
DoS. There are no known instances of this problem being observed in
the wild (CVE-2013-1846).

Subversion's mod_dav_svn Apache HTTPD server module will crash in
some circumstances when a LOCK request is made against a non-existent
URL. This can lead to a DoS. There are no known instances of this
problem being observed in the wild (CVE-2013-1847).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a PROPFIND request is made against activity URLs. This can lead to a
DoS. There are no known instances of this problem being observed in
the wild, but the details of how to exploit it have been disclosed
on the full disclosure mailing list (CVE-2013-1849).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a log REPORT request receives a limit that is out of the allowed
range. This can lead to a DoS. There are no known instances of this
problem being used as a DoS in the wild (CVE-2013-1884).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884
http://subversion.apache.org/security/CVE-2013-1845-advisory.txt
http://subversion.apache.org/security/CVE-2013-1846-advisory.txt
http://subversion.apache.org/security/CVE-2013-1847-advisory.txt
http://subversion.apache.org/security/CVE-2013-1849-advisory.txt
http://subversion.apache.org/security/CVE-2013-1884-advisory.txt
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E
http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.9-1.mga2
subversion-doc-1.7.9-1.mga2
libsvn0-1.7.9-1.mga2
libsvn-gnome-keyring0-1.7.9-1.mga2
libsvn-kwallet0-1.7.9-1.mga2
subversion-server-1.7.9-1.mga2
subversion-tools-1.7.9-1.mga2
python-svn-1.7.9-1.mga2
ruby-svn-1.7.9-1.mga2
libsvnjavahl1-1.7.9-1.mga2
svn-javahl-1.7.9-1.mga2
perl-SVN-1.7.9-1.mga2
subversion-kwallet-devel-1.7.9-1.mga2
subversion-gnome-keyring-devel-1.7.9-1.mga2
perl-svn-devel-1.7.9-1.mga2
python-svn-devel-1.7.9-1.mga2
ruby-svn-devel-1.7.9-1.mga2
subversion-devel-1.7.9-1.mga2
apache-mod_dav_svn-1.7.9-1.mga2

from subversion-1.7.9-1.mga2.src.rpm
Comment 6 David Walser 2013-04-26 16:25:24 CEST
Whoops, forgot to add MDV's advisory to the References.

Advisory:
========================

Updated subversion packages fix security vulnerabilities:

Subversion's mod_dav_svn Apache HTTPD server module will use excessive
amounts of memory when a large number of properties are set or deleted
on a node. This can lead to a DoS. There are no known instances of
this problem being observed in the wild (CVE-2013-1845).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a LOCK request is made against activity URLs. This can lead to a
DoS. There are no known instances of this problem being observed in
the wild (CVE-2013-1846).

Subversion's mod_dav_svn Apache HTTPD server module will crash in
some circumstances when a LOCK request is made against a non-existent
URL. This can lead to a DoS. There are no known instances of this
problem being observed in the wild (CVE-2013-1847).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a PROPFIND request is made against activity URLs. This can lead to a
DoS. There are no known instances of this problem being observed in
the wild, but the details of how to exploit it have been disclosed
on the full disclosure mailing list (CVE-2013-1849).

Subversion's mod_dav_svn Apache HTTPD server module will crash when
a log REPORT request receives a limit that is out of the allowed
range. This can lead to a DoS. There are no known instances of this
problem being used as a DoS in the wild (CVE-2013-1884).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1884
http://subversion.apache.org/security/CVE-2013-1845-advisory.txt
http://subversion.apache.org/security/CVE-2013-1846-advisory.txt
http://subversion.apache.org/security/CVE-2013-1847-advisory.txt
http://subversion.apache.org/security/CVE-2013-1849-advisory.txt
http://subversion.apache.org/security/CVE-2013-1884-advisory.txt
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E
http://svn.apache.org/repos/asf/subversion/tags/1.7.9/CHANGES
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:153/
========================

Updated packages in core/updates_testing:
========================
subversion-1.7.9-1.mga2
subversion-doc-1.7.9-1.mga2
libsvn0-1.7.9-1.mga2
libsvn-gnome-keyring0-1.7.9-1.mga2
libsvn-kwallet0-1.7.9-1.mga2
subversion-server-1.7.9-1.mga2
subversion-tools-1.7.9-1.mga2
python-svn-1.7.9-1.mga2
ruby-svn-1.7.9-1.mga2
libsvnjavahl1-1.7.9-1.mga2
svn-javahl-1.7.9-1.mga2
perl-SVN-1.7.9-1.mga2
subversion-kwallet-devel-1.7.9-1.mga2
subversion-gnome-keyring-devel-1.7.9-1.mga2
perl-svn-devel-1.7.9-1.mga2
python-svn-devel-1.7.9-1.mga2
ruby-svn-devel-1.7.9-1.mga2
subversion-devel-1.7.9-1.mga2
apache-mod_dav_svn-1.7.9-1.mga2

from subversion-1.7.9-1.mga2.src.rpm
Comment 7 Dave Hodgins 2013-04-30 04:46:32 CEST
After adding
Allow from 127.0.0.1
to the <Directory "/var/www/uploads"> section of
/etc/httpd/modules.d/45_mod_dav.conf

Trying to access http://localhost/uploads/ still returns a 403
status, but with the message
You don't have permission to access the requested directory. There is either no index document or the directory is read-protected.

No idea what I'm missing.
Comment 8 claire robinson 2013-04-30 18:45:14 CEST
Testing complete mga2 64

I think you're just editing the wrong file Dave.

Followed the tutorial here to create an svn repo at /home/claire/svn with something in it: http://maverick.inria.fr/~Xavier.Decoret/resources/svn/

Edited /etc/httpd/modules.d/46_mod_dav_svn.conf

Ignored the bit about limiting to users and just changed this bit..

        <Location /svn/repos>
           DAV svn
           SVNPath /home/claire/svn

        #   # Limit write permission to list of valid users.
        #   <LimitExcept GET PROPFIND OPTIONS REPORT>
        #      # Require SSL connection for password protection.
        #      # SSLRequireSSL
        #
        #      AuthType Basic
        #      AuthName "Authorization Realm"
        #      AuthUserFile /absolute/path/to/passwdfile
        #      Require valid-user
        #   </LimitExcept>
        </Location>

After that http://localhost/svn/repos shows the contents of the svn repo.
Comment 9 claire robinson 2013-04-30 18:48:39 CEST
Forgot to mention, I restarted httpd after editing the file.
Comment 10 claire robinson 2013-05-01 13:41:28 CEST
Testing complete mga2 32

Validating

Advisory & SRPM in comment 6

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 11 Thomas Backlund 2013-05-02 19:14:57 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0127

Note You need to log in before you can comment on or make changes to this bug.