Bug 356741 (CVE-2011-0715) - <dev-vcs/subversion-1.6.16: NULL-pointer dereference in mod_dav_svn (CVE-2011-0715)
Status: RESOLVED FIXED
Alias: CVE-2011-0715
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://subversion.apache.org/security...
Whiteboard: A3 [glsa]
Keywords:
Duplicates: 357715
Depends on:
Blocks:
 
Reported: 2011-02-27 19:21 UTC by Tim Sammut (RETIRED)
Modified: 2013-09-23 23:15 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
subversion-1.6.16.ebuild (31.01 KB, text/plain), 2011-02-27 23:10 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED)

Description Tim Sammut (RETIRED) gentoo-dev 2011-02-27 19:21:00 UTC
***
*** This is a CONFIDENTIAL issue and may not be discussed with or disclosed 
*** to anyone without permission of security@gentoo.org. Also, no fixes
*** or updated ebuilds may be committed until this has been made public by the
*** upstream maintainer. 
***
*** Please reach out to us if you have any questions. Thank you.
***

The following is a DRAFT advisory from the upstream.

<--

Below is our advisory, followed by patches to fix the problem.  The
patches apply to Subversion 1.5.9 and Subversion 1.6.15.  Subversion 1.6.16
will be published on 3 March, including the patches below, as well as other
stability and bug fixes. You can get an advance copy of the source distribution
here:

  https://people.apache.org/~hwright/svn/1.6.16/

(Log in with "svn" / "mlDn0C4FStZ888".)

Here's the full advisory:

===========================================================================
  Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive)
  are vulnerable to a remotely triggerable NULL-pointer dereference.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will dereference
  a NULL pointer if a lock token is sent in an HTTP request by a
  Subversion client which has not authenticated to the server.

  This can lead to a DoS (an exploit has been tested).

Known vulnerable:
=================

  Subversion HTTPD servers <= 1.6.15
  Subversion HTTPD servers <= 1.5.9

Known fixed:
============

  Subversion 1.6.16
  svnserve (any version) is not vulnerable.

Details:
========

  Subversion requires an authenticated user name when a lock on a file
  is obtained by a client, e.g. when a user runs the 'svn lock' command.

  If a client is not authenticated and sends a lock token in a request,
  a call to the svn_fs_get_access() function will return a NULL pointer
  instead of a pointer to an svn_fs_access_t object.

  Due to a programming error the mod_dav_svn server module failed to
  validate this pointer variable before dereferencing it.

Severity:
=========

  A remote attacker may be able to crash a Subversion server.  Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.6.16.  Users of
  Subversion 1.5.x who are unable to upgrade may apply the included
  patch.
  
  New Subversion packages can be found at:
  http://subversion.tigris.org/project_packages.html

References:
===========

  CVE-2011-0715  (Subversion)

Reported by:
============

  Philip Martin, WANdisco, Inc.

Patches:
========

  This patch applies to Subversion 1.6.x (apply with patch -p0 < patchfile):

[[[
Index: subversion/mod_dav_svn/version.c
===================================================================
--- subversion/mod_dav_svn/version.c	(revision 1071565)
+++ subversion/mod_dav_svn/version.c	(working copy)
@@ -1172,11 +1172,13 @@ dav_svn__push_locks(dav_resource *resource,
   svn_error_t *serr;
 
   serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs);
-  if (serr)
+  if (serr || !fsaccess)
     {
       /* If an authenticated user name was attached to the request,
          then dav_svn_get_resource() should have already noticed and
          created an fs_access_t in the filesystem.  */
+      if (serr == NULL)
+        serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL);
       return dav_svn__sanitize_error(serr, "Lock token(s) in request, but "
                                      "missing an user name", HTTP_BAD_REQUEST,
                                      resource->info->r);
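Review bot: the comment kept just above the new lines, `/* If an authenticated user name was attached to the request, then dav_svn_get_resource() should have already noticed and created an fs_access_t ... */`, states exactly the assumption that the NULL dereference proved false for an unauthenticated client, so with `if (serr || !fsaccess)` now catching that case the comment should be updated to say the NULL check is the guard for a lock token sent without a user name rather than leaving it to read as an unreachable branch. Two smaller points on the same lines: `svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL)` labels a missing user name as an owner mismatch, which deserves a one-line comment if no more specific error code exists, and the pre-existing message `"missing an user name"` should read `"missing a user name"` since the string is being touched anyway.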
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c	(revision 1071565)
+++ subversion/mod_dav_svn/repos.c	(working copy)
@@ -1923,8 +1923,10 @@ get_resource(request_rec *r,
       dav_locktoken_list *list = ltl;
 
       serr = svn_fs_get_access(&access_ctx, repos->fs);
-      if (serr)
+      if (serr || !access_ctx)
         {
+          if (serr == NULL)
+            serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL);
           return dav_svn__sanitize_error(serr, "Lock token is in request, "
                                          "but no user name",
                                          HTTP_BAD_REQUEST, r);
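Review bot: the version.c comment says dav_svn_get_resource() should have noticed the missing user name first, so this `if (serr || !access_ctx)` in get_resource is the check an unauthenticated request carrying a lock token actually reaches before dav_svn__push_locks, and it is the one a regression test should cover: such a request must now be answered with HTTP_BAD_REQUEST instead of crashing the child process. Since the synthesized error has no message of its own (`svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL)`), the text the client sees comes only from the `"Lock token is in request, but no user name"` string passed to dav_svn__sanitize_error; keep it consistent with the `"Lock token(s) in request, but missing an user name"` wording in version.c so log searches for the condition match both paths.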
]]]


  This patch applies to Subversion 1.5.x:

[[[
Index: subversion/mod_dav_svn/version.c
===================================================================
--- subversion/mod_dav_svn/version.c	(revision 1071565)
+++ subversion/mod_dav_svn/version.c	(working copy)
@@ -1155,11 +1155,13 @@ dav_svn__push_locks(dav_resource *resource,
   svn_error_t *serr;
 
   serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs);
-  if (serr)
+  if (serr || !fsaccess)
     {
       /* If an authenticated user name was attached to the request,
          then dav_svn_get_resource() should have already noticed and
          created an fs_access_t in the filesystem.  */
+      if (serr == NULL)
+        serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL);
       return dav_svn__sanitize_error(serr, "Lock token(s) in request, but "
                                      "missing an user name", HTTP_BAD_REQUEST,
                                      resource->info->r);
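Review bot: the header `--- subversion/mod_dav_svn/version.c (revision 1071565)` is identical to the 1.6.x patch above while the hunk offset differs (`@@ -1155,11 +1155,13 @@` against `@@ -1172,11 +1172,13 @@`), so this diff appears to have been produced from the 1.6 tree and re-offset rather than generated against the 1.5.x branch; confirm with a dry run that it applies to a 1.5.9 checkout, and state the strip level, since the 1.6.x patch is annotated `apply with patch -p0 < patchfile` and this one carries no apply instruction. The change itself is the same as the 1.6.x hunk and the same remarks about the comment and the error code apply.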
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c	(revision 1071565)
+++ subversion/mod_dav_svn/repos.c	(working copy)
@@ -1773,8 +1773,10 @@ get_resource(request_rec *r,
       dav_locktoken_list *list = ltl;
 
       serr = svn_fs_get_access(&access_ctx, repos->fs);
-      if (serr)
+      if (serr || !access_ctx)
         {
+          if (serr == NULL)
+            serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL);
           return dav_svn__sanitize_error(serr, "Lock token is in request, "
                                          "but no user name",
                                          HTTP_BAD_REQUEST, r);
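Review bot: same check as the 1.6.x repos.c hunk, again with the `(revision 1071565)` header but a different offset (`@@ -1773,8 +1773,10 @@` against `@@ -1923,8 +1923,10 @@`); verify it applies cleanly to 1.5.x, and if the two patch files are to be published separately, record the branch revision each was generated against in its header so a reviewer can reproduce the diff instead of trusting the hand-adjusted line numbers.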
]]]
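The root cause described in the advisory above, a success return from svn_fs_get_access() that leaves its out-pointer NULL for an unauthenticated request, modelled as a small stand-alone C program with the pre-fix and post-fix guards side by side. This is an added example, not Subversion's code: the struct types, fs_get_access(), push_lock_for(), push_locks_before_fix(), push_locks_after_fix(), the WOULD_CRASH sentinel and the sample lock token are constructed stand-ins; the only thing taken from the patch is the shape of the guard, `if (serr || !fsaccess)`.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the Subversion types involved; not the real API. */
typedef struct { const char *username; } svn_fs_access_t;
typedef struct { svn_fs_access_t *access_ctx; } svn_fs_t;
typedef struct { int apr_err; } svn_error_t;

#define SVN_NO_ERROR      ((svn_error_t *)NULL)
#define HTTP_OK           200
#define HTTP_BAD_REQUEST  400
/* Sentinel returned where the unpatched server would dereference NULL and
   segfault; the model reports the condition instead of reproducing it. */
#define WOULD_CRASH       (-1)

/* Two filesystems: one where an authenticated user attached an access
   context (as dav_svn_get_resource() does), one for an anonymous client. */
static svn_fs_access_t alice_access = { "alice" };
static svn_fs_t fs_with_user = { &alice_access };
static svn_fs_t fs_anonymous = { NULL };

/* Models svn_fs_get_access(): it succeeds even when no access context was
   ever attached, leaving *access_ctx NULL. That contract is the root cause:
   "no error" does not imply "valid pointer". */
static svn_error_t *fs_get_access(svn_fs_access_t **access_ctx, svn_fs_t *fs)
{
    *access_ctx = fs->access_ctx;
    return SVN_NO_ERROR;
}

/* The work the real code does once it trusts the pointer: the lock is
   pushed on behalf of the access context's user name. */
static int push_lock_for(const svn_fs_access_t *fsaccess, const char *lock_token)
{
    return (lock_token != NULL && fsaccess->username[0] != '\0')
           ? HTTP_OK : HTTP_BAD_REQUEST;
}

/* Pre-1.6.16 shape: only the error return is checked. */
static int push_locks_before_fix(svn_fs_t *fs, const char *lock_token)
{
    svn_fs_access_t *fsaccess;
    svn_error_t *serr;

    if (lock_token == NULL)
        return HTTP_OK;                 /* no lock token, nothing to push */

    serr = fs_get_access(&fsaccess, fs);
    if (serr)
        return HTTP_BAD_REQUEST;

    if (fsaccess == NULL)
        return WOULD_CRASH;             /* real code: fsaccess->... on NULL */
    return push_lock_for(fsaccess, lock_token);
}

/* Patched shape from the advisory: a NULL context is treated exactly like
   an error return and answered with HTTP 400. */
static int push_locks_after_fix(svn_fs_t *fs, const char *lock_token)
{
    svn_fs_access_t *fsaccess;
    svn_error_t *serr;

    if (lock_token == NULL)
        return HTTP_OK;

    serr = fs_get_access(&fsaccess, fs);
    if (serr || !fsaccess)
        return HTTP_BAD_REQUEST;        /* "lock token, but no user name" */

    return push_lock_for(fsaccess, lock_token);
}

int main(void)
{
    /* Constructed token; the format is only illustrative. */
    const char *token = "opaquelocktoken:example-lock-token";

    printf("anonymous + lock token, before fix: %d\n",
           push_locks_before_fix(&fs_anonymous, token));   /* -1: would crash */
    printf("anonymous + lock token, after fix:  %d\n",
           push_locks_after_fix(&fs_anonymous, token));    /* 400 */
    printf("alice + lock token, after fix:      %d\n",
           push_locks_after_fix(&fs_with_user, token));    /* 200 */
    return 0;
}
```

The point the model makes is that the fix is not "check for an error" but "check the out-parameter independently of the error": an API that reports success while returning a NULL object needs both conditions tested, and the patched guard folds the second into the same HTTP 400 path the first already had.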
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-02-27 19:23:23 UTC
Arfrever, please add an updated ebuild to this bug, and not in CVS. Thanks!
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-02-27 23:10:19 UTC
Created attachment 264115 [details]
subversion-1.6.16.ebuild
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-01 21:36:19 UTC
(In reply to comment #2)
> Created an attachment (id=264115) [details]
> subversion-1.6.16.ebuild
> 

Thank you.

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, chainsaw
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : armin76, tcunha
     x86 : fauli, maekke
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-01 22:36:08 UTC
http://subversion.tigris.org/downloads/subversion-1.6.16.tar.bz2 doesn't exist yet.
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-01 22:39:01 UTC
(In reply to comment #4)

wget https://svn:mlDn0C4FStZ888@people.apache.org/~hwright/svn/1.6.16/tarzan-shrew/subversion-1.6.16.tar.bz2
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-02 15:51:02 UTC
HPPA is OK.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-03-03 16:19:21 UTC
Does not seem to be released yet, please do not lift the embargo yet.
Arch liaisons: please test and report if it is stable, do not commit yet!
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-03-03 20:41:28 UTC
This issue is now public.

http://subversion.apache.org/security/CVE-2011-0715-advisory.txt

@python, please commit the ebuild with HPPA and any additional noted stables below.

Adding full Arch teams for remaining stabilization.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-03 20:45:53 UTC
(In reply to comment #8)
> @python, please 

So now arfrever equals python@? ;-)
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2011-03-04 05:16:04 UTC
Marked ppc stable.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2011-03-04 05:31:34 UTC
x86 done.
Comment 12 Agostino Sarubbo gentoo-dev 2011-03-04 11:04:15 UTC
amd64 ok
Comment 13 Alex Buell 2011-03-05 09:59:51 UTC
Build and tested on SPARC, no serious failures found with tests although some tests were skipped and some 'xfailed'.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2011-03-05 11:44:24 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-05 13:07:05 UTC
ppc64 stable
Comment 16 Markos Chandras (RETIRED) gentoo-dev 2011-03-06 11:47:49 UTC
amd64 done. Thanks Agostino
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-03-06 19:35:35 UTC
Thanks, Arfrever. FWIW, our policy is not specific in this regard, but please let us change the whiteboard to [glsa]. It's at the [stable] to [glsa] transition that we either file a new GLSA request or note the new bug on an existing request. If someone else changes the whiteboard for us, it is possible we'll miss that step. Thanks.

Added to existing GLSA request.
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-03-07 09:51:52 UTC
*** Bug 357715 has been marked as a duplicate of this bug. ***
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:12:03 UTC
CVE-2011-0715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0715):
  The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache
  Subversion before 1.6.16, allows remote attackers to cause a denial of
  service (NULL pointer dereference and daemon crash) via a request that
  contains a lock token.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:15:26 UTC
This issue was resolved and addressed in
 GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml
by GLSA coordinator Sean Amoss (ackle).