Bug#: 53555
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jani Averbach <jaa@jaa.iki.fi>
Description:   Opened: 2004-06-10 11:22 0000
---8<-- announce email --8<--
Details below:


Subversion versions up to and including 1.0.4 have a potential
Denial of Service and Heap Overflow issue related to the parsing of
strings in the 'svn://' family of access protocols.

This affects only sites running svnserve.  It does not affect
'http://' access -- repositories served only by Apache/mod_dav_svn
do not have this vulnerability.

Details:
========

The svn protocol sends strings as a length followed by the string.  The
parser would trust that the sender was providing an accurate length of
the string and would allocate sufficient memory to store the entire
string.  This would allow the sender of a string to Denial of Service
the other side by suggesting that the string is very large.
Additionally, if the size given is large enough it may cause the integer
holding the size to wrap, thus allocating less memory than the string
length and resulting in a heap overflow.

The parsing code with the flaw is shared by both the svnserve server and
clients using the svn://, svn+ssh:// and other tunneled svn+*://
methods.

Severity:
=========

Severity ranges from "Denial of Service" to, potentially, "Arbitrary
Code Execution", depending upon how skilled the attacker is and the
ABI specifics of your platform.

Since the error is in the parsing of the protocol, including the parsing
of authentication, the server vulnerabilities can be triggered without
read or write access to the repository.  So any svnserve process that an
attacker can connect to is vulnerable even if they do not have read or
write access.

The Denial of Service attack is reasonably easy to carry out, while
exploiting the heap overflow is more difficult.  There are no known
exploits in the wild at the time of this advisory.

Workarounds:
============

Disable svnserve and use DAV (http://) instead.

Recommendations:
================

We recommend all users upgrade to 1.0.5.

References:
===========

CAN-2004-0413: Subversion svn:// protocol string parsing error.

-- 8< --

Reproducible: Always
Steps to Reproduce:
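
The length-prefixed string parsing the advisory describes, shown here as an added illustration of the defensive checks (this is not Subversion's code or its 1.0.5 fix): the `<decimal-length>:<bytes>` framing follows the "length followed by the string" description above, and MAX_STRING_LEN is an assumed policy ceiling, not a value from the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy ceiling on any single wire string; not a value from the
 * advisory or from Subversion. The point is that an untrusted peer must not
 * be the one who picks the allocation size. */
#define MAX_STRING_LEN ((size_t)64 * 1024)

/* Parse one "<decimal-length>:<bytes>" item from buf[0..buflen).
 * On success returns 0, stores a malloc'd NUL-terminated copy in *out and the
 * bytes consumed in *consumed; the caller frees *out. Returns -1 and leaves
 * *out NULL for anything malformed or outside policy. */
int read_lenstr(const unsigned char *buf, size_t buflen,
                char **out, size_t *consumed)
{
    size_t i = 0, len = 0;
    *out = NULL;
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        size_t d = (size_t)(buf[i] - '0');
        /* The wrap the advisory describes: len*10+d must not exceed SIZE_MAX,
         * and len+1 below must never wrap to a tiny allocation. */
        if (len > (SIZE_MAX - d) / 10)
            return -1;
        len = len * 10 + d;
        /* Trusting the peer's length is the DoS: cap it before it reaches
         * malloc. This also keeps len+1 far away from SIZE_MAX. */
        if (len > MAX_STRING_LEN)
            return -1;
        i++;
    }
    if (i == 0 || i >= buflen || buf[i] != ':')
        return -1;                 /* no digits, or missing ':' separator */
    i++;
    /* A streaming reader cannot see "remaining bytes"; there the cap above is
     * the guard that matters. With a complete buffer we can also insist the
     * claimed length is actually present instead of copying past the input. */
    if (len > buflen - i)
        return -1;
    char *s = malloc(len + 1);     /* cannot wrap: len <= MAX_STRING_LEN */
    if (s == NULL)
        return -1;
    memcpy(s, buf + i, len);
    s[len] = '\0';
    *out = s;
    *consumed = i + len;
    return 0;
}
```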

------- Comment #1 From solar 2004-06-10 12:23:47 0000 -------
Fixed in 1.0.4-r1, which is the same thing as 1.0.5.

------- Comment #2 From solar 2004-06-10 13:01:36 0000 -------
Arch maintainers, please do your thing.

subversion-1.0.4-r1.ebuild:KEYWORDS="~x86 ~sparc ~ppc ~amd64 ~alpha"


------- Comment #3 From Sune Kloppenborg Jeppesen 2004-06-10 13:48:13 0000 -------
x86, amd64: please mark stable.

GLSA already drafted and reviewed.

------- Comment #4 From Jason Huebel (RETIRED) 2004-06-10 15:07:56 0000 -------
amd64 stable

------- Comment #5 From Daniel Black 2004-06-10 15:50:15 0000 -------
*** Bug 53587 has been marked as a duplicate of this bug. ***

------- Comment #6 From Kurt Lieber 2004-06-10 16:16:36 0000 -------
GLSA 200406-07

------- Comment #7 From Bryan Østergaard (RETIRED) 2004-06-10 16:20:58 0000 -------
Stable on alpha.

------- Comment #8 From Jason Wever (RETIRED) 2004-06-11 20:16:32 0000 -------
Stable on sparc.

------- Comment #9 From Thierry Carrez (RETIRED) 2004-06-17 05:13:27 0000 -------
*** Bug 54157 has been marked as a duplicate of this bug. ***

------- Comment #10 From Thierry Carrez (RETIRED) 2004-06-29 00:37:41 0000 -------
*** Bug 55507 has been marked as a duplicate of this bug. ***
