Bug#: 198590
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description: Opened: 2007-11-09 19:27 0000
Subversion 1.4.3 and earlier does not properly implement the "partial access"
privilege for users who have access to changed paths but not copied paths,
which allows remote authenticated users to obtain sensitive information
(revision properties) via svn (1) propget, (2) proplist, or (3) propedit.

----

More elaborate description at $URL.

Upstream patch: http://svn.collab.net/viewvc/svn?view=rev&revision=25185
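
As an added illustration (not code from this bug report or from Subversion itself), the constructed Python model below contrasts the flawed partial-access check described above, which consults only a revision's changed paths, with a corrected check that also requires read access to the copy sources; the authz layout, user names, paths and revision are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed model of the "partial access" rule: revision properties (log
# message, author, date) are shown only to users who can read every path the
# revision touches. Simplified illustration, not Subversion's own code.

@dataclass
class Revision:
    revprops: Dict[str, str]
    changed_paths: Set[str]
    copied_from: Set[str] = field(default_factory=set)  # copy-source paths

# Hypothetical authz: path prefix -> users allowed to read below it.
# The longest matching prefix wins, as in a path-based authz file.
Authz = Dict[str, Set[str]]

def can_read(authz: Authz, user: str, path: str) -> bool:
    best: Optional[str] = None
    for prefix in authz:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best is not None and user in authz[best]

def revprops_weak(authz: Authz, user: str, rev: Revision) -> Optional[Dict[str, str]]:
    """Flawed rule: only changed paths are checked; copy sources are ignored."""
    if all(can_read(authz, user, p) for p in rev.changed_paths):
        return rev.revprops
    return None

def revprops_fixed(authz: Authz, user: str, rev: Revision) -> Optional[Dict[str, str]]:
    """Corrected rule: the copy sources must be readable as well."""
    paths = rev.changed_paths | rev.copied_from
    if all(can_read(authz, user, p) for p in paths):
        return rev.revprops
    return None

# Constructed sample: bob may read /public only; alice may read everything.
AUTHZ: Authz = {"/": {"alice", "bob"}, "/private": {"alice"}}
COPY_REV = Revision(
    revprops={"svn:log": "copy plan out of private area", "svn:author": "alice"},
    changed_paths={"/public/plan.txt"},
    copied_from={"/private/plan.txt"},
)

if __name__ == "__main__":
    print("weak :", revprops_weak(AUTHZ, "bob", COPY_REV))   # leaks the revprops
    print("fixed:", revprops_fixed(AUTHZ, "bob", COPY_REV))  # None
```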

------- Comment #1 From Benedikt Böhm 2007-11-10 20:44:15 0000 -------
I have just added 1.4.5 to the tree with many fixes. This is the next candidate
for stabilization.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-11-11 08:39:26 0000 -------
Thx Benedikt. Is this one ready for stable marking now?

------- Comment #3 From Arfrever Frehtes Taifersar Arahesis 2007-11-11 16:31:34 0000 -------
(In reply to comment #2)
> Is this one ready for stable marking now?

Yes. There's nothing new for UNIX-like systems. 1.4.5 contains only a fix for
Windows.

------- Comment #4 From Robert Buchholz 2007-11-11 17:10:30 0000 -------
Arches, please test and mark stable dev-util/subversion-1.4.5.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

------- Comment #5 From Robert Buchholz 2007-11-11 17:17:02 0000 -------
Oh, wait. Hollow, is that an authoritative answer?

------- Comment #6 From Arfrever Frehtes Taifersar Arahesis 2007-11-11 17:20:52 0000 -------
(In reply to comment #5)
> Oh, wait. Hollow, is that an authoritative answer?

Yes. I belong to Subversion upstream and I don't have bad intentions.

http://subversion.tigris.org/servlets/ReadMsg?list=users&msgNo=69413

1.4.5 works identically to 1.4.4 on GNU/Linux and *BSD.

------- Comment #7 From Benedikt Böhm 2007-11-11 17:50:22 0000 -------
yep, go for stabilization :)

------- Comment #8 From Robert Buchholz 2007-11-11 17:53:25 0000 -------
(In reply to comment #6)
> Yes. I belong to Subversion upstream and I don't have bad intentions.

I didn't mean you have bad intentions, just that I first thought you were in
the Gentoo Apache team. And we have 1.3.* stable right now, so this is not a
tiny bump.

------- Comment #9 From Dawid Węgliński 2007-11-11 18:54:08 0000 -------
x86 stable

------- Comment #10 From Markus Ullmann 2007-11-11 19:28:33 0000 -------
stable on sparc

------- Comment #11 From Raúl Porcel 2007-11-11 20:09:01 0000 -------
alpha/ia64 stable

------- Comment #12 From Jeroen Roovers 2007-11-12 16:57:52 0000 -------
Stable for HPPA, despite:

  IUSE.invalid                   1
   dev-util/subversion/subversion-1.4.5.ebuild: svnserve

------- Comment #13 From Markus Rothe 2007-11-12 19:34:25 0000 -------
ppc64 stable

------- Comment #14 From Tobias Scherbaum 2007-11-13 19:57:29 0000 -------
ppc stable

------- Comment #15 From Chris Gianelloni (RETIRED) 2007-11-14 01:16:45 0000 -------
amd64 done...

------- Comment #16 From Robert Buchholz 2007-11-14 01:23:45 0000 -------
GLSA vote is open.

I vote NO
since this vulnerability is rare and with little impact, quoting: "data is
not commonly copied from a private location to a public one... only
reveal the contents of properties, not the revision's changed-paths
information.  And, of course, this bug does not permit anyone to see
file contents or directory listings that they should not."

------- Comment #17 From Pierre-Yves Rofes 2007-11-14 08:57:54 0000 -------
voting NO too and closing.

------- Comment #18 From Peter Volkov 2008-03-06 09:48:26 0000 -------
Does not affect current (2008.0) release. Removing release.
