*** This is a CONFIDENTIAL issue and may not be discussed with or disclosed
*** to anyone without permission of security@gentoo.org. Also, no fixes
*** or updated ebuilds may be committed until this has been made public by the
*** upstream maintainer.
***
*** Please reach out to us if you have any questions. Thank you.

The following is a DRAFT advisory from the upstream.

<-- Below is our advisory, followed by patches to fix the problem.

The patches apply to Subversion 1.5.9 and Subversion 1.6.15. Subversion 1.6.16 will be published on 3 March, including the patches below, as well as other stability and bug fixes. You can get an advance copy of the source distribution here:

https://people.apache.org/~hwright/svn/1.6.16/

(Log in with "svn" / "mlDn0C4FStZ888".)

Here's the full advisory:

===========================================================================

Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive) are vulnerable to a remotely triggerable NULL-pointer dereference.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if a lock token is sent in a HTTP request by a Subversion client which has not authenticated to the server. This can lead to a DoS (an exploit has been tested).

Known vulnerable:
=================

Subversion HTTPD servers <= 1.6.15
Subversion HTTPD servers <= 1.5.9

Known fixed:
============

Subversion 1.6.16

svnserve (any version) is not vulnerable.

Details:
========

Subversion requires an authenticated user name when a lock on a file is obtained by a client, e.g. when a user runs the 'svn lock' command. If a client is not authenticated and sends a lock token in a request, a call to the svn_fs_get_access() function will return a NULL pointer instead of a pointer to an svn_fs_access_t object. Due to a programming error the mod_dav_svn server module failed to validate this pointer variable before dereferencing it.
Severity:
=========

A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users.

Recommendations:
================

We recommend all users to upgrade to Subversion 1.6.16. Users of Subversion 1.5.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
http://subversion.tigris.org/project_packages.html

References:
===========

CVE-2011-0715 (Subversion)

Reported by:
============

Philip Martin, WANdisco, Inc.

Patches:
========

This patch applies to Subversion 1.6.x (apply with patch -p0 < patchfile):

[[[ Index: subversion/mod_dav_svn/version.c =================================================================== --- subversion/mod_dav_svn/version.c (revision 1071565) +++ subversion/mod_dav_svn/version.c (working copy) @@ -1172,11 +1172,13 @@ dav_svn__push_locks(dav_resource *resource, svn_error_t *serr; serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs); - if (serr) + if (serr || !fsaccess) { /* If an authenticated user name was attached to the request, then dav_svn_get_resource() should have already noticed and created an fs_access_t in the filesystem. */ + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token(s) in request, but " "missing an user name", HTTP_BAD_REQUEST, resource->info->r); Index: subversion/mod_dav_svn/repos.c =================================================================== --- subversion/mod_dav_svn/repos.c (revision 1071565) +++ subversion/mod_dav_svn/repos.c (working copy)
@@ -1923,8 +1923,10 @@ get_resource(request_rec *r, dav_locktoken_list *list = ltl; serr = svn_fs_get_access(&access_ctx, repos->fs); - if (serr) + if (serr || !access_ctx) { + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token is in request, " "but no user name", HTTP_BAD_REQUEST, r); ]]] This patch applies to Subversion 1.5.x: [[[ Index: subversion/mod_dav_svn/version.c =================================================================== --- subversion/mod_dav_svn/version.c (revision 1071565) +++ subversion/mod_dav_svn/version.c (working copy) @@ -1155,11 +1155,13 @@ dav_svn__push_locks(dav_resource *resource, svn_error_t *serr; serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs); - if (serr) + if (serr || !fsaccess) { /* If an authenticated user name was attached to the request, then dav_svn_get_resource() should have already noticed and created an fs_access_t in the filesystem. */ + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token(s) in request, but " "missing an user name", HTTP_BAD_REQUEST, resource->info->r); Index: subversion/mod_dav_svn/repos.c =================================================================== --- subversion/mod_dav_svn/repos.c (revision 1071565) +++ subversion/mod_dav_svn/repos.c (working copy) @@ -1773,8 +1773,10 @@ get_resource(request_rec *r, dav_locktoken_list *list = ltl; serr = svn_fs_get_access(&access_ctx, repos->fs); - if (serr) + if (serr || !access_ctx) { + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token is in request, " "but no user name", HTTP_BAD_REQUEST, r); ]]]
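Review bot: in the dav_svn__push_locks hunk (identical in the 1.6.x and 1.5.x patches) the new test `if (serr || !fsaccess)` depends on short-circuit evaluation, because `fsaccess` is only meaningful when svn_fs_get_access() returned success; the order is correct as written, but since the declaration of `fsaccess` is outside the hunk, initialising it to NULL there would make the check robust even if the call ever failed without touching its out-parameter. Two smaller points: the synthesized error reuses SVN_ERR_FS_LOCK_OWNER_MISMATCH although the condition is an absent owner rather than a mismatched one, so a one-line comment explaining that choice would help whoever reads the resulting error; and the preserved context string `"missing an user name"` should become `"missing a user name"` in a follow-up, since it is sent to clients.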
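Review bot: the get_resource() hunk in repos.c is the one that matters for the crash the advisory describes, because the comment kept in the version.c hunk says get_resource() "should have already noticed and created an fs_access_t"; with this change that assumption becomes true and the push_locks check is a second line of defence, which is worth stating in the commit message. The visible context (`dav_locktoken_list *list = ltl;`) shows the check runs only when the request actually carries lock tokens, so requests without tokens keep their previous behaviour, matching the advisory. The same short-circuit ordering and the same stand-in use of SVN_ERR_FS_LOCK_OWNER_MISMATCH for "no user name" apply here as in version.c.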
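The Details section of the advisory describes the defect as a success return from svn_fs_get_access() whose out-parameter is NULL for an unauthenticated client, followed by an unchecked dereference. The C model below is added here and is not code from the Subversion project or from this bug report; the types and functions (fs_t, fs_access_t, svn_err_t, get_access(), push_locks_vulnerable(), push_locks_fixed(), fixed_status()) are constructed stand-ins, and the error code value is a placeholder. It reproduces that contract and shows the checked form the patches introduce: a request carrying a lock token without an access context is rejected with HTTP 400, and the lock-token-free path is unaffected.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for the Subversion types involved; names are assumptions,
   not the real svn_fs_* API. */
typedef struct { const char *username; } fs_access_t;
/* access_ctx stays NULL until an authenticated user name was attached to the request. */
typedef struct { fs_access_t *access_ctx; } fs_t;
typedef struct { int apr_err; const char *message; } svn_err_t;

#define HTTP_OK 200
#define HTTP_BAD_REQUEST 400
#define ERR_LOCK_OWNER_MISMATCH 1   /* placeholder code, not Subversion's real value */

static svn_err_t no_user_error = { ERR_LOCK_OWNER_MISMATCH,
                                   "Lock token in request, but no user name" };

/* Contract described in the advisory: success (NULL error) even when nobody has
   created an access context, in which case *out is NULL. */
static svn_err_t *get_access(fs_access_t **out, fs_t *fs)
{
    *out = fs->access_ctx;
    return NULL;                       /* the equivalent of SVN_NO_ERROR */
}

/* Pre-fix shape: only the error return is tested, the out-pointer is not. */
static int push_locks_vulnerable(fs_t *fs, const char *lock_token, char *owner, size_t n)
{
    fs_access_t *fsaccess;
    svn_err_t *serr;

    if (lock_token == NULL)            /* no token: the access context is never needed */
        return HTTP_OK;
    serr = get_access(&fsaccess, fs);
    if (serr)
        return HTTP_BAD_REQUEST;
    /* For an unauthenticated client fsaccess is NULL here: NULL pointer dereference. */
    snprintf(owner, n, "%s", fsaccess->username);
    return HTTP_OK;
}

/* Post-fix shape, mirroring the patch: reject when the call failed OR when it
   succeeded without producing an access context. Short-circuit order matters,
   because fsaccess is only assigned on success. */
static int push_locks_fixed(fs_t *fs, const char *lock_token, char *owner, size_t n)
{
    fs_access_t *fsaccess = NULL;
    svn_err_t *serr;

    if (lock_token == NULL)
        return HTTP_OK;
    serr = get_access(&fsaccess, fs);
    if (serr || !fsaccess) {
        if (serr == NULL)
            serr = &no_user_error;     /* synthesize an error so the caller sees one */
        fprintf(stderr, "rejecting lock request: %s\n", serr->message);
        return HTTP_BAD_REQUEST;
    }
    snprintf(owner, n, "%s", fsaccess->username);
    return HTTP_OK;
}

/* Helper: HTTP status the fixed handler returns for a given request scenario.
   The lock token value is constructed sample data. */
static int fixed_status(int authenticated, int has_token)
{
    fs_access_t alice = { "alice" };
    fs_t fs = { authenticated ? &alice : NULL };
    char owner[32];
    return push_locks_fixed(&fs, has_token ? "opaquelocktoken:constructed" : NULL,
                            owner, sizeof owner);
}

int main(void)
{
    fs_access_t alice = { "alice" };
    fs_t authenticated = { &alice };
    char owner[32];
    int status;

    printf("fixed, anonymous + token : %d\n", fixed_status(0, 1));
    printf("fixed, alice + token     : %d\n", fixed_status(1, 1));
    printf("fixed, anonymous no token: %d\n", fixed_status(0, 0));
    /* push_locks_vulnerable() with an anonymous fs and a token would crash;
       only the authenticated case is safe to run. */
    status = push_locks_vulnerable(&authenticated, "opaquelocktoken:constructed",
                                   owner, sizeof owner);
    printf("vuln,  alice + token     : %d (%s)\n", status, owner);
    return 0;
}
```

The point of the helper is the second half of the condition: checking the error return alone is what the advisory calls the programming error, and the hardened version treats "success but no context" as a client error rather than trusting the pointer.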
Arfrever, please add an updated ebuild to this bug, and not in CVS. Thanks!
Created attachment 264115: subversion-1.6.16.ebuild
(In reply to comment #2)
> Created an attachment (id=264115)
> subversion-1.6.16.ebuild

Thank you.

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:

alpha : armin76, klausman
amd64 : keytoaster, chainsaw
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : armin76, tcunha
x86 : fauli, maekke
http://subversion.tigris.org/downloads/subversion-1.6.16.tar.bz2 doesn't exist yet.
(In reply to comment #4)

wget https://svn:mlDn0C4FStZ888@people.apache.org/~hwright/svn/1.6.16/tarzan-shrew/subversion-1.6.16.tar.bz2
HPPA is OK.
Does not seem to be released yet, please do not lift the embargo yet. Arch liaisons: please test and report if it is stable, do not commit yet!
This issue is now public. http://subversion.apache.org/security/CVE-2011-0715-advisory.txt @python, please commit the ebuild with HPPA and any additional noted stables below. Adding full Arch teams for remaining stabilization.
(In reply to comment #8) > @python, please So now arfrever equals python@? ;-)
Marked ppc stable.
x86 done.
amd64 ok
Built and tested on SPARC, no serious failures found with tests although some tests were skipped and some 'xfailed'.
alpha/arm/ia64/s390/sh/sparc stable
ppc64 stable
amd64 done. Thanks Agostino
Thanks, Arfrever. FWIW and our policy is not specific in this regard, but please let us change the whiteboard to [glsa]. It's at the [stable] to [glsa] transition that we either file a new GLSA request or note the new bug on an existing request. If someone else changes the whiteboard for us, it is possible we'll miss that step. Thanks. Added to existing GLSA request.
*** Bug 357715 has been marked as a duplicate of this bug. ***
CVE-2011-0715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0715): The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.16, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request that contains a lock token.
This issue was resolved and addressed in GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml by GLSA coordinator Sean Amoss (ackle).