Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 280494 (CVE-2009-2411) - <dev-util/subversion-1.6.4 Remote code execution in server and client (CVE-2009-2411)
Summary: <dev-util/subversion-1.6.4 Remote code execution in server and client (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2009-2411
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://subversion.tigris.org/security...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-05 19:29 UTC by Alex Legler (RETIRED)
Modified: 2009-08-18 21:40 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
subversion-1.6.4.ebuild (subversion-1.6.4.ebuild,26.33 KB, text/plain)
2009-08-05 20:07 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED) 		no flags Details
subversion-1.6.4-r10.ebuild (subversion-1.6.4-r10.ebuild,26.66 KB, text/plain)
2009-08-05 20:07 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED) 		no flags Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-05 19:29:16 UTC 
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Hyrum K. Wright informed us about this vulnerablility in Subversion:

===========================================================================
  Subversion clients and servers up to 1.6.3 (inclusive) have heap
  overflow issues in the parsing of binary deltas.

Summary:
========

  Subversion clients and servers have multiple heap overflow issues in
  the parsing of binary deltas.  This is related to an allocation
  vulnerability in the APR library used by Subversion.

  Clients with commit access to a vulnerable server can cause a remote
  heap overflow; servers can cause a heap overflow on vulnerable
  clients that try to do a checkout or update.  

  This can lead to a DoS (an exploit has been tested) and to arbitrary
  code execution (no exploit tested, but the possibility is clear).
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-05 19:53:20 UTC 
An updated ebuild is being prepared, we'll prestable after that. As usual, no commits to CVS please.
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-05 20:07:15 UTC 
Created attachment 200289 [details]
subversion-1.6.4.ebuild
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-05 20:07:59 UTC 
Created attachment 200290 [details]
subversion-1.6.4-r10.ebuild
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-05 20:34:40 UTC 
The tarball can be downloaded from https://orac.ece.utexas.edu/pub/svn/1.6.4/
Username: svn
Password: KEnuprE3
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-05 20:49:00 UTC 
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-05 20:49:41 UTC 
Comment on attachment 200290 [details]
subversion-1.6.4-r10.ebuild

Target is -r0.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-08-05 21:34:58 UTC 
in case it is not clear from above, the distfile can be fetched via

wget --no-check-certificate https://svn:KEnuprE3@orac.ece.utexas.edu/pub/svn/1.6.4/moonlight/to-tigris/subversion-1.6.4.tar.bz2

Please handle this ASAP. Also cc'ing Kurt and Robin from infra.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-06 10:51:42 UTC 
amd64 ok
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-06 11:56:58 UTC 
x86 looks ok to (the same tests fail as in the previous version)
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-08-06 17:13:55 UTC 
HPPA is OK.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-06 20:56:55 UTC 
Public via $URL.

Arches: Please allow me to reiterate the urgency of this bug.
Comment 12 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-06 21:02:57 UTC 
dev-util/subversion-1.6.4{,-r10} is now in the tree.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-08-08 21:58:17 UTC 
ppc64 done
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-08 22:01:33 UTC 
CVE-2009-2411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2411):
  Multiple integer overflows in the libsvn_delta library in Subversion
  before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated
  users and remote Subversion servers to execute arbitrary code via an
  svndiff stream with large windows that trigger a heap-based buffer
  overflow, a related issue to CVE-2009-2412.
Comment 15 nixnut (RETIRED) gentoo-dev 2009-08-09 14:40:48 UTC 
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-08-09 16:09:11 UTC 
alpha/arm/ia64/s390/sh/sparc stable
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-09 21:04:21 UTC 
GLSA request filed.
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-18 21:40:34 UTC 
GLSA 200908-05