Bug 862459 - (CVE-2014-0032) VUL-1: CVE-2014-0032: subversion: remotely triggerable segmentation fault in mod_dav_svn
(CVE-2014-0032)
VUL-1: CVE-2014-0032: subversion: remotely triggerable segmentation fault in ...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE 13.1
Classification: openSUSE
Component: Security
Final
Other openSUSE 12.3
: P3 - Medium : Normal (vote)
: Final
Assigned To: Security Team bot
E-mail List
maint:released:sle11-sp3:56348
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-05 22:57 UTC by Andreas Stieger
Modified: 2014-04-17 05:53 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2014-02-05 22:57:10 UTC
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0

from https://svn.apache.org/repos/asf/subversion/branches/1.7.x/CHANGES

Version 1.7.15
(12 Feb 2014, from /branches/1.7.x)
http://svn.apache.org/repos/asf/subversion/tags/1.7.15

 User-visible changes:
  - Client-side bugfixes:
    * copy: fix some scenarios that broke the working copy (r1560690)
    * diff: fix regressions due to fixes in 1.7.14 (issue #4460)

  - Server-side bugfixes:
    * mod_dav_svn: prevent crashes with SVNListParentPath on (CVE-2014-0032)
    * reduce memory usage during checkout and export (r1564215)

 Developer-visible changes:
  - General:
    * fix failure in checkout_tests.py
    * support compiling against Cyrus sasl 2.1.25 (r1404912, r1413402)


Reproducible: Didn't try
Comment 1 Andreas Stieger 2014-02-05 22:59:34 UTC
Release currently being rolled. Will prepare update to coincide with upstream release.
Comment 2 Andreas Stieger 2014-02-06 19:17:20 UTC
from http://svn.apache.org/repos/asf/subversion/tags/1.8.6/CHANGES


Version 1.8.6
(12 Feb 2014, from /branches/1.8.x)
http://svn.apache.org/repos/asf/subversion/tags/1.8.6

 User-visible changes:
  - Client-side bugfixes:
    * use CryptoAPI to validate intermediary certificates on Windows (r1564623)
    * fix automatic relocate for wcs not at repository root (r1541638 et al)
    * diff: fix when target is a drive root on Windows (r1541635)
    * wc: improve performance when used with SQLite 3.8 (r1542765)
    * copy: fix some scenarios that broke the working copy (r1560690)
    * move: fix errors when moving files between an external and the parent
      working copy (r1551524, r1551579)
    * log: resolve performance regression in certain scenarios (r1553101 et al)
    * merge: decrease work to detect differences between 3 files (r1548486)
    * checkout: don't require flush support for symlinks on Windows (r1547774)
    * commit: don't change file permissions inappropriately (issue #4440)
    * commit: fix assertion due to invalid pool lifetime (r1553376 et al)
    * version: don't cut off the distribution version on Linux (r1544878 et al)
    * flush stdout before exiting to avoid information being lost (r1499470)
    * status: fix missing sentinel value on warning codes (r1543145)

  - Server-side bugfixes:
    * reduce memory usage during checkout and export (r1564215)
    * fsfs: create rep-cache.db with proper permissions (issue #3437)
    * mod_dav_svn: prevent crashes with SVNListParentPath on (CVE-2014-0032)
    * mod_dav_svn: fix SVNAllowBulkUpdates directive merging (r1548105)
    * mod_dav_svn: include requested property changes in reports (r1557522)
    * svnserve: correct default cache size in help text (r1563110)
    * svnadmin dump: reduce size of dump files with '--deltas' (r1554978)

 Developer-visible changes:
  - API changes:
    * numerous documentation fixes
    * svn_client_commit_item3_dup() fix pool lifetime issues (r1550803)
    * ra_serf: properly ask multiple certificate validation providers for
      acceptance of certificate failures (r1535532)
    * release internal fs objects when closing commit editor (r1555499)
    * svn_client_proplist4() don't call the callback multiple times for
      the same path in order to deliver inherited properties (r1549858 et al)

  - Bindings:
    * javahl: make test suite run without installing on OS X (r1535115)
    * swig: fix building out of tarball on OS X (r1555654)
    * swig-pl: fix with --enable-sqlite-compatibility-version (r1559009)
Comment 4 Bernhard Wiedemann 2014-02-09 23:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (862459) was mentioned in
https://build.opensuse.org/request/show/221557 Factory / subversion
Comment 5 Andreas Stieger 2014-02-09 23:22:56 UTC
Maintenance request for 13.1:
https://build.opensuse.org/request/show/221558
Comment 6 Andreas Stieger 2014-02-14 19:28:41 UTC
The releases are delayed due to other regressions. Instead, the fix was patched in. 13.1 update already running, maintenance request for 12.3: https://build.opensuse.org/request/show/222394
Comment 7 SMASH SMASH 2014-02-20 09:25:12 UTC
Affected packages:

SLE-11-SP3: subversion
SLE-10-SP3-TERADATA: subversion
SLE-11-SP2: subversion
Comment 8 Bernhard Wiedemann 2014-02-21 09:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (862459) was mentioned in
https://build.opensuse.org/request/show/223334 13.1 / subversion
Comment 9 Bernhard Wiedemann 2014-02-26 19:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (862459) was mentioned in
https://build.opensuse.org/request/show/223995 12.3 / subversion
Comment 10 Marcus Meissner 2014-02-27 12:55:58 UTC
Thanks Andreas!

Dirk is internal subversion maintainer, reassign for affectedness clarification.
Comment 11 Andreas Stieger 2014-02-27 13:04:11 UTC
(In reply to comment #10)
> Dirk is internal subversion maintainer, reassign for affectedness
> clarification.

This may be helpful:
https://subversion.apache.org/security/CVE-2014-0032-advisory.txt

> Known vulnerable:
> =================
> 
>   Subversion HTTPD servers 1.3.0 through 1.7.14 (inclusive)
>   Subversion HTTPD servers 1.8.0 through 1.8.5 (inclusive)
>
Comment 12 Swamp Workflow Management 2014-02-28 10:04:38 UTC
openSUSE-SU-2014:0307-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 862459
CVE References: CVE-2014-0032
Sources used:
openSUSE 13.1 (src):    subversion-1.8.8-2.21.1
Comment 15 Swamp Workflow Management 2014-03-06 14:04:35 UTC
openSUSE-SU-2014:0334-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 862459
CVE References: CVE-2014-0032
Sources used:
openSUSE 12.3 (src):    subversion-1.7.16-2.28.1
Comment 28 Petr Gajdos 2014-03-28 10:16:26 UTC
For sles12 used original patch referenced in comment 20.
Comment 33 Swamp Workflow Management 2014-04-17 01:45:41 UTC
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-STUDIOONSITE 1.3 (x86_64)
Comment 34 Swamp Workflow Management 2014-04-17 01:47:23 UTC
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 35 Swamp Workflow Management 2014-04-17 05:04:24 UTC
SUSE-SU-2014:0540-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 862459
CVE References: CVE-2014-0032
Sources used:
SUSE Studio Onsite 1.3 (src):    subversion-1.6.17-1.27.2
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    subversion-1.6.17-1.27.2
Comment 36 Marcus Meissner 2014-04-17 05:53:20 UTC
released