Bug 51491 - subversion <= 1.0.2 security vulnerability
Summary: subversion <= 1.0.2 security vulnerability
Status: RESOLVED DUPLICATE of bug 51462
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest blocker
Assignee: Gentoo Security
Reported: 2004-05-19 10:54 UTC by Joby Walker
Modified: 2011-10-30 22:38 UTC

Description Joby Walker 2004-05-19 10:54:37 UTC
Email on announce@subversion.tigris.org:

Subversion 1.0.3 is ready. Grab it from:

  http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
  http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2 

The MD5 checksums are:

  1d5722a515be8f1aa6cfb779d99c6a11  subversion-1.0.3.tar.gz
  a8961f86a2bbd8deb59b2b62db303461  subversion-1.0.3.tar.bz2


Subversion versions up to and including 1.0.2 have a buffer overflow in
the date parsing code.

Both client and server are vulnerable.  The server is vulnerable over
both httpd/DAV and svnserve (that is, over http://, https://, svn://,
svn+ssh:// and other tunneled svn+*:// methods).

Additionally, clients with shared working copies, or permissions that
allow files in the administrative area of the working copy to be
written by other users, are potentially exploitable.

Severity:
=========

Severity ranges from "Denial of Service" to, potentially, "Arbitrary
Code Execution", depending upon how skilled the attacker is and the
ABI specifics of your platform.

The server vulnerabilities can be triggered without write/commit access
to the repository.  So repositories with anonymous/public read access
are vulnerable.

Workarounds:
============

There are no workarounds except to disallow public access.  Even then
you'd still be vulnerable to attack by someone who still has access
(perhaps you trust those people, though).

Recommendations:
================

We recommend all users upgrade to 1.0.3.

References:
===========

CAN-2004-0397: subversion sscanf stack overflow via revision date
               in REPORT query

Note:
=====

There was a similar vulnerability in the Neon HTTP library up to and
including version 0.24.5.  Because Subversion ships with Neon, we have
included (in Subversion 1.0.3) Neon 0.24.6, which is being released
simultaneously.  Subversion does not actually invoke the vulnerable code
in Neon; we are updating our copy of Neon simply as a reassuring
gesture, so people don't worry.  See CAN-2004-0398 for details.

Questions, comments, and bug reports to users_at_subversion.tigris.org.

Thanks,
-The Subversion Team 

--------------------8-<-------cut-here---------8-<-----------------------

 User-visible-changes:
 * fixed: security bug in date parsing. (CAN-2004-0397)

Reproducible: Always
Steps to Reproduce:
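
Added example (not part of the original report and not Subversion's code): the class of bug named in CAN-2004-0397 is an sscanf conversion without a field width writing into a fixed-size stack buffer, and the sketch below shows a width-bounded parser that rejects over-long tokens instead. The date layout, struct and function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout for illustration only: "Wed 19 May 2004 10:54:37".
 * Unsafe pattern (not executed): sscanf(s, "%s %d %s ...", wkday, ...);
 * "%s" has no field width, so a long token overruns a 4-byte buffer. */
struct parsed_date {
    char wkday[4], month[4];            /* 3 letters + NUL each */
    int day, year, hour, min, sec;
};

/* Hardened parser: returns 0 on success, -1 on any malformed input. */
int parse_date_bounded(const char *s, struct parsed_date *out)
{
    int consumed = 0, n;
    memset(out, 0, sizeof *out);
    /* "%3s" stores at most 3 chars + NUL; "%2d"/"%4d" cap digits read;
     * "%n" records how many input bytes were consumed. */
    n = sscanf(s, "%3s %2d %3s %4d %2d:%2d:%2d%n",
               out->wkday, &out->day, out->month, &out->year,
               &out->hour, &out->min, &out->sec, &consumed);
    if (n != 7)
        return -1;    /* a field is missing or longer than its width */
    if (s[consumed] != '\0')
        return -1;    /* trailing bytes after the date */
    if (strlen(out->wkday) != 3 || strlen(out->month) != 3)
        return -1;    /* short tokens */
    if (out->day < 1 || out->day > 31 || out->year < 0 ||
        out->hour < 0 || out->hour > 23 || out->min < 0 ||
        out->min > 59 || out->sec < 0 || out->sec > 60)
        return -1;    /* range checks sscanf does not perform */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with an over-long token. */
    const char *samples[] = { "Wed 19 May 2004 10:54:37",
                              "WednesdayAAAAAAAAAAAAAAAA 19 May 2004 10:54:37" };
    struct parsed_date d;
    for (int i = 0; i < 2; i++)
        printf("%-48s -> %s\n", samples[i],
               parse_date_bounded(samples[i], &d) == 0 ? "accepted" : "rejected");
    return 0;
}
```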
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-05-19 10:56:43 UTC
Paul?
Comment 2 Tobias Weisserth 2004-05-19 11:06:19 UTC
Stefan Esser has an advisory also:

http://security.e-matters.de/advisories/082004.html

regards,
Tobias
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 13:58:15 UTC

*** This bug has been marked as a duplicate of 51462 ***