| Summary: | <dev-vcs/subversion-1.7.14 - multiple vulnerabilities (CVE-2013-{4505,4558}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sergey Popov <pinkbyte> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | tommy, vsync |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Sergey Popov
2013-11-15 06:39:22 UTC
SEMI-PUBLIC, as fix can be viewed in trunk

A small update to the advisory for CVE-2013-4558 that I sent out on 14 November 2013. The only thing that has changed is that the vulnerable versions have been reduced, since the issue was created by the fix for CVE-2013-4131. Thanks to Murray McAllister of RedHat for asking some questions that led to the discovery of this inaccuracy in our advisory. The embargo date for this remains 25 November 2013 17:00 UTC. The updated advisory follows:

{{{
mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits.

Summary:
========

When SVNAutoversioning is enabled via "SVNAutoversioning on", commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled, any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.

Known vulnerable:
=================

mod_dav_svn 1.7.11 through 1.7.13
mod_dav_svn 1.8.1 through 1.8.4

Known fixed:
============

mod_dav_svn 1.7.14
mod_dav_svn 1.8.5

Details:
========

Given a repository located at http://example.com/repos the assert can be triggered by commands like:

curl -X PUT http://example.com/repos/A/
curl -X MKCOL http://example.com/repos/A/../B

The assert happens after the commit has happened in the repository and will not occur if the commit is rejected.

Severity:
=========

CVSSv2 Base Score: 3.5
CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

We consider this to be a low risk vulnerability. The attacker needs to have commit access to the repository to exploit the vulnerability. Most Subversion servers do not have autoversioning enabled. In order for there to be any impact, assertions must have been enabled when mod_dav_svn was built. In this case if assertions are disabled there is no impact. They are enabled by default on *nix and disabled on Windows. The assertion will cause the http server process to abort.
Apache httpd servers using a prefork MPM will simply start a new process to replace the process that died. Servers using threaded MPMs may be processing other requests in the same process as the process that the attack causes to die. In either case there is an increased processing impact of restarting a process and the cost of per process caches being lost.

Recommendations:
================

We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14 or newer.

Disabling SVNAutoversioning will avoid the problem.

Building Subversion with assertions disabled will avoid the problem. This can be done using the --disable-debug option to configure on *nix and by using a Release build profile on Windows.

References:
===========

CVE-2013-4558 (Subversion)

Reported by:
============

Philip Martin, WANdisco

Patches:
========

Patch for Subversion 1.7.x and 1.8.x:

[[[
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c (revision 1539596)
+++ subversion/mod_dav_svn/repos.c (working copy)
@@ -2456,9 +2456,12 @@ get_parent_resource(const dav_resource *resource,
       parent->info = parentinfo;
 
       parentinfo->uri_path =
-        svn_stringbuf_create(get_parent_path(resource->info->uri_path->data,
-                                             TRUE, resource->pool),
-                             resource->pool);
+        svn_stringbuf_create(
+          get_parent_path(
+            svn_urlpath__canonicalize(resource->info->uri_path->data,
+                                      resource->pool),
+            TRUE, resource->pool),
+          resource->pool);
       parentinfo->repos = resource->info->repos;
       parentinfo->root = resource->info->root;
       parentinfo->r = resource->info->r;
]]]
}}}

This issue is now public
@maintainers: please bump it in tree and say when it will be ready to stabilize, thanks

*** Bug 492626 has been marked as a duplicate of this bug. ***

version 1.7.14 added, will add arch teams for stabilization tomorrow, if no major regressions are reported till then

arches, please mark stable:
=dev-vcs/subversion-1.7.14
target keywords="alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

Stable for HPPA.

amd64 stable

x86 stable

ppc stable

ppc64 stable

arm stable

alpha stable

CVE-2013-4558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4558): The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
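Review bot: in the get_parent_resource hunk, svn_urlpath__canonicalize is applied only to the copy handed to get_parent_path, so parentinfo->uri_path becomes canonical while resource->info->uri_path keeps the non-canonical form the client sent; any later code that compares the two, or asserts on the child path being canonical, is not covered by this change. Consider canonicalizing (or rejecting) the request URL once, where resource->info->uri_path is first populated, rather than at this single call site, and adding a regression test for the trailing-slash and ".." cases listed in the advisory so the fix is exercised on both branches.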
CVE-2013-4505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4505): The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.

sparc stable

Ready for vote, I vote NO.

GLSA vote: no.
Note to maintainers: please clean up after the last version is stabled.

still waiting for ia64 stabilization

ia64 stable

old version removed

closed as [noglsa]
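As an added illustration of the defect the advisory describes (this is not code from the Subversion project or from this bug), the following C program shows why a parent path has to be derived from the canonical form of a URL path. canonicalize_path is a hypothetical, simplified stand-in for svn_urlpath__canonicalize, naive_parent_path stands in for get_parent_path, and parent_is_proper_ancestor models the kind of parent/child sanity check an assertion would enforce; none of these are the real Subversion routines. The sample paths are the ones from the advisory's curl commands.

```c
/* Added illustration, not Subversion code. canonicalize_path() is a
 * hypothetical stand-in for svn_urlpath__canonicalize(), naive_parent_path()
 * for get_parent_path(). Sample paths are taken from the advisory. */
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Strip everything after the last '/'. On the non-canonical "/repos/A/" this
 * yields "/repos/A", i.e. the resource itself rather than its parent, which
 * is the pre-fix shape of the call. */
static char *naive_parent_path(const char *path, char *out, size_t outlen)
{
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;
    if (n == 0)
        n = 1;                 /* the parent of a top-level entry is "/" */
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, path, n);
    out[n] = '\0';
    return out;
}

/* Collapse repeated and trailing slashes and resolve "." and ".." segments,
 * never climbing above "/". Output starts with '/' and, except for the root
 * itself, never ends with one. */
static char *canonicalize_path(const char *path, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS];
    size_t nseg = 0, pos = 0, i;
    const char *p = path;

    if (outlen < 2) {
        if (outlen)
            out[0] = '\0';
        return out;
    }
    while (*p) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                          /* ".": no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nseg > 0)
                nseg--;                        /* "..": drop previous segment */
            continue;
        }
        if (nseg < MAX_SEGS) {
            segs[nseg] = start;
            lens[nseg] = len;
            nseg++;
        }
    }
    if (nseg == 0) {
        out[0] = '/';
        out[1] = '\0';
        return out;
    }
    for (i = 0; i < nseg; i++) {
        if (pos + 1 + lens[i] >= outlen)
            break;                             /* truncate rather than overflow */
        out[pos++] = '/';
        memcpy(out + pos, segs[i], lens[i]);
        pos += lens[i];
    }
    out[pos] = '\0';
    return out;
}

/* The fixed shape of the call: canonicalize first, then take the parent. */
static char *canonical_parent_path(const char *path, char *out, size_t outlen)
{
    char canon[256];
    return naive_parent_path(canonicalize_path(path, canon, sizeof canon),
                             out, outlen);
}

/* Models the property a parent/child assertion would demand: returns 1 if
 * parent is a proper ancestor of the canonical form of path, else 0. */
static int parent_is_proper_ancestor(const char *parent, const char *path)
{
    char canon[256];
    size_t plen = strlen(parent);
    canonicalize_path(path, canon, sizeof canon);
    if (strcmp(parent, canon) == 0)
        return 0;
    if (strcmp(parent, "/") == 0)
        return strlen(canon) > 1;
    return strncmp(canon, parent, plen) == 0 && canon[plen] == '/';
}

/* Static-buffer wrappers for compact checks. */
static const char *naive_parent(const char *path)
{ static char buf[256]; return naive_parent_path(path, buf, sizeof buf); }
static const char *fixed_parent(const char *path)
{ static char buf[256]; return canonical_parent_path(path, buf, sizeof buf); }
static const char *canonical(const char *path)
{ static char buf[256]; return canonicalize_path(path, buf, sizeof buf); }

int main(void)
{
    const char *samples[] = { "/repos/A/", "/repos/A/../B" }; /* from the advisory */
    size_t i;
    for (i = 0; i < 2; i++) {
        const char *s = samples[i];
        printf("%-14s naive parent %-12s ancestor=%d | canonical-first parent %-7s ancestor=%d\n",
               s, naive_parent(s), parent_is_proper_ancestor(naive_parent(s), s),
               fixed_parent(s), parent_is_proper_ancestor(fixed_parent(s), s));
    }
    return 0;
}
```

For "/repos/A/" the naive parent is "/repos/A", which is the resource itself, and for "/repos/A/../B" it is "/repos/A/..", which is not an ancestor of "/repos/B" at all; in both cases the ancestor property fails, which is the kind of internal invariant an assertion would catch. Canonicalizing before deriving the parent gives "/repos" for both. The advisory's own recommendation (upgrade, or disable SVNAutoversioning or assertions) remains the fix for deployed servers; this example only makes the underlying path-handling mistake visible.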