Multiple vulnerabilities in Bionic, Focal and Jammy

Bug #1970228 reported by Luís Cunha dos Reis Infante da Câmara
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
subversion (Ubuntu)
Fix Released
Undecided
Luís Cunha dos Reis Infante da Câmara
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned

Bug Description

The version in Bionic is vulnerable to CVE-2018-11782, CVE-2019-0203 and CVE-2020-17525.

The version in Focal is vulnerable to CVE-2020-17525.

The version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070.

Please release patched versions.

Debian released a security advisory on April 13.

description: updated
summary: - Version in Jammy is vulnerable to CVE-2021-28544
+ Version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070
description: updated
description: updated
description: updated
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
summary: - Version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070
+ Multiple vulnerabilities in Bionic, Focal and Jammy
description: updated
summary: - Multiple vulnerabilities in Bionic, Focal and Jammy
+ Multiple vulnerabilities in Bionic, Focal, Impish and Jammy
description: updated
no longer affects: ubuntu-cve-tracker
Changed in subversion (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote : Re: Multiple vulnerabilities in Bionic, Focal, Impish and Jammy

Subversion 1.9.7-4ubuntu1 and 1.9.12 fail to build on Ubuntu 18.04 because they use javah, that was removed in OpenJDK 10 (the default-jre-headless package installs OpenJDK 11), and there is no equivalent of the -force flag in its replacement (javac). Therefore, I am packaging the latest version of the next Subversion LTS (1.10.8) based on the packaging in Debian buster.

Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote (last edit ):

Patches for Focal and Jammy will be added today.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "subversion_bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
description: updated
summary: - Multiple vulnerabilities in Bionic, Focal, Impish and Jammy
+ Multiple vulnerabilities in Bionic, Focal and Jammy
Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote :
Changed in subversion (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs. I've reviewed them:

- NACK on the bionic debdiff. Updating the version isn't acceptable for a security update. You can fix the FTBFS by using the java10-compatibility patch from buster.
- NACK on the focal debdiff. It doesn't look like you added the patch to the series file, so it's not getting applied during the build.
- NACK on the jammy debdiff. Please use targeted backported patches, and not a whole new upstream version.

Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Cunha dos Reis Infante da Câmara (luis220413) wrote :
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for the updated patches - they look a lot better. Note, one thing we try and do is to add references to the patch files to indicate where they came from as per https://dep-team.pages.debian.net/deps/dep3/ - as an example see the update in http://launchpadlibrarian.net/596090586/subversion_1.14.1-3_1.14.1-3ubuntu0.1.diff.gz which shows these headers included in the new debian/patches/CVE-XXX.patch files which got added as part of that update.

Including these also makes it a lot easier for reviewers to ensure that the changes are 'official' and match what the upstream.

Also the debian/changelog entry is a bit terse compared to what we normally would do - as an example please see step 3 at https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

However, in this case as you have already put a lot of work into these, I am happy to go with them as they are (although I am replacing the patches with the ones with dep-3 headers from the impish update linked above so we can keep as much attribution etc as possible). I will sponsor these later today/tomorrow.

Thanks again.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package subversion - 1.13.0-3ubuntu0.2

---------------
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Remote unauthenticated denial-of-service in Subversion
    mod_authz_svn (LP: #1970228)
    - debian/patches/CVE-2020-17525.patch: Check for NULL repos_root_dirent in
      subversion/libsvn_repos/config_file.c.
    - CVE-2020-17525

 -- Luís Infante da Câmara <email address hidden> Thu, 12 May 2022 21:47:08 +0100

Changed in subversion (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package subversion - 1.9.7-4ubuntu1.1

---------------
subversion (1.9.7-4ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: CVE-2018-11782, CVE-2019-0203, CVE-2020-17525 (LP: #1970228)
    - debian/patches/CVE-2018-11782.patch: New patch from upstream security
      advisory, that also fixes CVE-2019-0203.
    - debian/patches/handle_missing_file.patch: New patch from Subversion 1.10
      needed to apply CVE-2020-17525.patch.
    - debian/patches/CVE-2020-17525.patch: New patch from upstream security
      advisory.
    - debian/patches/java10-compatibility: New patch from Debian buster to fix
      build failure with OpenJDK 11.

 -- Luís Infante da Câmara <email address hidden> Sat, 21 May 2022 08:24:25 +0100

Changed in subversion (Ubuntu Bionic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package subversion - 1.14.1-3ubuntu0.22.04.1

---------------
subversion (1.14.1-3ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: CVE-2021-28544, CVE-2022-24070 (LP: #1970228)
    - debian/patches/CVE-2021-28544.patch, debian/patches/CVE-2022-24070.patch:
      New patches from upstream security advisories.

 -- Luís Infante da Câmara <email address hidden> Sat, 21 May 2022 11:52:35 +0100

Changed in subversion (Ubuntu Jammy):
status: New → Fix Released
Revision history for this message
Alex Murray (alexmurray) wrote :

Setting impish to Incomplete since there is no debdiff to sponsor at this stage.

Changed in subversion (Ubuntu Impish):
status: New → Incomplete
Revision history for this message
Alex Murray (alexmurray) wrote :

Removing ubuntu-security-sponsors since there is no debdiff to sponsor.

no longer affects: subversion (Ubuntu Impish)
Changed in subversion (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers