Bug#1092133: bookworm-pu: package subversion/1.14.2-4+deb12u1
James McCoy
2025-01-05 01:20:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@packages.debian.org
Control: affects -1 + src:subversion
User: ***@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2024-46901 was issued for subversion. Although it's marked no DSA,
it would be useful to provide the update to the stable release.

https://security-tracker.debian.org/tracker/CVE-2024-46901

[ Impact ]
Malicious subversion clients can cause DoS of mod_dav_svn servers by
making commits which contain control characters in paths or revision
properties.

[ Tests ]
A new test was added by upstream and included in the backport. I've
added a run of the upstream tests over the dav protocol into the package
so the test is exercised.

[ Risks ]
The changes are relatively straightforward. Existing checks from the
fix for the previous CVE have been incorporated in other code paths to
ensure all relevant code paths are protecting against commits with
control characters.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Salsa CI config was added to the package. This was previously
configured in the repo, rather than as a file in the packaging.
* Additional test-specific Build-Depends (apache2-bin, apache2-utils,
net-tools, and wget) are added to run upstream's "make davautocheck"
(the target that runs all relevant tests using mod_dav_svn to access
the repository).
* debian/rules now runs "make davautocheck" in addition to the existing
"make check" (which uses file:// access to the repository).
* Upstream's fix and the respective test are backported.

Full commit log is
https://salsa.debian.org/jamessan/subversion/-/compare/debian/1.14.2-4...debian/bookworm

[ Other info ]
The fix was also included in 1.14.5, which is already in testing /
unstable. While verifying the patch and accompanying test for the
bookworm upload, I also discovered that I needed to run davautocheck to
exercise the mod_dav_svn path for interacting with the svn repository.
That is now enabled in sid via 1.14.5-2 and also in this upload.
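An added example, written for this page and not taken from Subversion or from the backported patch: the kind of control-character check that the [ Impact ] and [ Risks ] sections refer to, applied to a constructed list of paths touched by a commit. It assumes the conventional definition of ASCII control characters (0x00 to 0x1F plus DEL, 0x7F); whether the upstream fix draws the line in exactly the same place is an assumption made here, not a fact from the page. Revision properties are deliberately not covered, because values such as svn:log legitimately contain newlines and the page does not state which rule is applied to them.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative definition, not Subversion's own code: the C0 range
 * (0x00-0x1F) and DEL (0x7F) are control characters.  Bytes >= 0x80 are
 * allowed on purpose so UTF-8 filenames are not rejected.  Whether the
 * upstream fix uses exactly this set is an assumption of this example. */
static int is_control_byte(unsigned char c)
{
    return c < 0x20 || c == 0x7F;
}

/* Return the offset of the first control byte in a NUL-terminated
 * repository path, or -1 if the path contains none. */
int find_control_char(const char *path)
{
    for (const char *p = path; *p; p++)
        if (is_control_byte((unsigned char)*p))
            return (int)(p - path);
    return -1;
}

/* Scan the paths a commit touches (the list a server would validate before
 * accepting the transaction) and return how many must be rejected.  The
 * offending byte is reported by value rather than echoed raw, so the
 * rejection message cannot carry the control character into a log file
 * or a terminal. */
int count_rejected_paths(const char *const *paths, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        int off = find_control_char(paths[i]);
        if (off >= 0) {
            fprintf(stderr, "reject path #%zu: control byte 0x%02x at offset %d\n",
                    i, (unsigned char)paths[i][off], off);
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample commit: two ordinary paths (one non-ASCII), then
     * paths with an embedded newline, DEL and a tab. */
    static const char *const sample[] = {
        "trunk/README",
        "trunk/src/\xc3\xa9t\xc3\xa9.c",   /* UTF-8 "été.c": allowed */
        "trunk/evil\nname",
        "trunk/del\x7fname",
        "trunk/tab\tname",
    };
    size_t n = sizeof sample / sizeof *sample;
    int rejected = count_rejected_paths(sample, n);
    printf("%d of %zu paths rejected\n", rejected, n);
    return rejected == 3 ? 0 : 1;
}
```

The check is byte-oriented rather than character-oriented on purpose: every control character of interest is a single ASCII byte, so no UTF-8 decoding is needed and malformed multi-byte sequences cannot hide one.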
Debian Bug Tracking System
2025-01-05 01:20:01 UTC
Post by James McCoy
affects -1 + src:subversion
Bug #1092133 [release.debian.org] bookworm-pu: package subversion/1.14.2-4+deb12u1
Added indication that 1092133 affects src:subversion
--
1092133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092133
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Salvatore Bonaccorso
2025-01-05 20:10:01 UTC
Hi James,

[Disclaimer: I'm not a member of the release team]
Post by James McCoy
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:subversion
Usertags: pu
[ Reason ]
CVE-2024-46901 was issued for subversion. Although it's marked no DSA,
it would be useful to provide the update to the stable release.
https://security-tracker.debian.org/tracker/CVE-2024-46901
[ Impact ]
Malicious subversion clients can cause DoS of mod_dav_svn servers by
making commits which contain control characters in paths or revision
properties.
[ Tests ]
A new test was added by upstream and included in the backport. I've
added a run of the upstream tests over the dav protocol into the package
so the test is exercised.
[ Risks ]
The changes are relatively straightforward. Existing checks from the
fix for the previous CVE have been incorporated in other code paths to
ensure all relevant code paths are protecting against commits with
control characters.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Salsa CI config was added to the package. This was previously
configured in the repo, rather than as a file in the packaging.
* Additional test-specific Build-Depends (apache2-bin, apache2-utils,
net-tools, and wget) are added to run upstream's "make davautocheck"
(the target that runs all relevant tests using mod_dav_svn to access
the repository).
* debian/rules now runs "make davautocheck" in addition to the existing
"make check" (which uses file:// access to the repository).
* Upstream's fix and the respective test are backported.
Full commit log is
https://salsa.debian.org/jamessan/subversion/-/compare/debian/1.14.2-4...debian/bookworm
[ Other info ]
The fix was also included in 1.14.5, which is already in testing /
unstable. While verifying the patch and accompanying test for the
bookworm upload, I also discovered that I needed to run davautocheck to
exercise the mod_dav_svn path for interacting with the svn repository.
That is now enabled in sid via 1.14.5-2 and also in this upload.
Given the window is closing very soon this weekend, if you see this in
time, can you upload it if you are confident that it will be accepted
as is by the SRM? The "improved workflow" allows uploading along with
a release.d.o bug *iff* you are confident that the upload can be
accepted (and so to reduce turnarounds).

Regards,
Salvatore
James McCoy
2025-01-06 02:20:01 UTC
Post by Salvatore Bonaccorso
Given the window is closing very soon this weekend, if you see this in
time, can you upload it if you are confident that it will be accepted
as is by the SRM? The "improved workflow" allows uploading along with
a release.d.o bug *iff* you are confident that the upload can be
accepted (and so to reduce turnarounds).
Thanks for the reminder. It's been a while since I've had to do a stable
upload. Done.

Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
Jonathan Wiltshire
2025-01-11 14:10:02 UTC
package release.debian.org
tags 1092133 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: subversion
Version: 1.14.2-4+deb12u1

Explanation: fix vulnerable parsing of control characters in paths served by mod_dav_svn [CVE-2024-46901]
Debian Bug Tracking System
2025-01-11 14:10:02 UTC
Post by Jonathan Wiltshire
package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
Post by Jonathan Wiltshire
tags 1092133 = bookworm pending
Bug #1092133 [release.debian.org] bookworm-pu: package subversion/1.14.2-4+deb12u1
Added tag(s) pending.
Post by Jonathan Wiltshire
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1092133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092133
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems