Bug 53555 - dev-util/subversion <= 1.0.5 has Denial of Service and Heap Overflow issue via ra_svn (svn://, svn+ssh://, svn+*://) access method
Summary: dev-util/subversion <= 1.0.5 has Denial of Service and Heap Overflow issue vi...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.contactor.se/~dast/svn/arc...
Whiteboard: B1[stable]
Keywords:
Duplicates: 53587 54157 55507
Depends on:
Blocks:
 
Reported: 2004-06-10 11:22 UTC by Jani Averbach
Modified: 2011-10-30 22:39 UTC

See Also:
Package list:
Runtime testing required: ---
jaervosz: Assigned_To? (jaervosz)


Attachments

Description Jani Averbach 2004-06-10 11:22:48 UTC
---8<-- announce email --8<--
Details below:


Subversion versions up to and including 1.0.4 have a potential
Denial of Service and Heap Overflow issue related to the parsing of
strings in the 'svn://' family of access protocols.

This affects only sites running svnserve.  It does not affect
'http://' access -- repositories served only by Apache/mod_dav_svn
do not have this vulnerability.

Details:
========

The svn protocol sends strings as a length followed by the string.  The
parser would trust that the sender was providing an accurate length of
the string and would allocate sufficient memory to store the entire
string.  This would allow the sender of a string to Denial of Service
the other side by suggesting that the string is very large.
Additionally, if the size given is large enough it may cause the integer
holding the size to wrap, thus allocating less memory than the string
length and resulting in a heap overflow.

The parsing code with the flaw is shared by both the svnserve server and
clients using the svn://, svn+ssh:// and other tunneled svn+*://
methods.

Severity:
=========

Severity ranges from "Denial of Service" to, potentially, "Arbitrary
Code Execution", depending upon how skilled the attacker is and the
ABI specifics of your platform.

Since the error is in the parsing of the protocol, including the parsing
of authentication, the server vulnerabilities can be triggered without
read or write access to the repository.  So any svnserve process that an
attacker can connect to is vulnerable even if they do not have read or
write access.

The Denial of Service attack is reasonably easy to carry out, while
exploiting the heap overflow is more difficult.  There are no known
exploits in the wild at the time of this advisory.

Workarounds:
============

Disable svnserve and use DAV (http://) instead.

Recommendations:
================

We recommend all users upgrade to 1.0.5.

References:
===========

CAN-2004-0413: Subversion svn:// protocol string parsing error.

-- 8< --

Reproducible: Always
Steps to Reproduce:
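How a receiver can parse the length-prefixed strings described in the advisory without trusting the claimed length, as an added example (not Subversion's own code). It assumes a `<decimal length>:<bytes>` wire form and a constructed 64 KiB cap on a single string:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest string this receiver is willing to allocate for one protocol
   string. Constructed limit for the example; the page states no figure. */
#define MAX_STRING_LEN ((size_t)64 * 1024)

/* Parse "<decimal length>:<bytes>" from buf (len bytes). On success stores
   a NUL-terminated heap copy in *out and returns the bytes consumed.
   Returns -1 for malformed or truncated input and -2 for a claimed length
   the receiver refuses to honour (caller frees *out on success only). */
long parse_lenstr(const unsigned char *buf, size_t len, char **out)
{
    size_t i = 0;
    uint64_t n = 0;

    *out = NULL;
    if (len == 0 || buf[0] < '0' || buf[0] > '9')
        return -1;
    while (i < len && buf[i] >= '0' && buf[i] <= '9') {
        if (n > (UINT64_MAX - 9) / 10)   /* digit string would wrap n */
            return -2;
        n = n * 10 + (uint64_t)(buf[i] - '0');
        i++;
    }
    if (i >= len || buf[i] != ':')
        return -1;
    i++;
    /* Bound the length before it reaches any arithmetic or allocator.
       This is the step the flawed parser lacked: an unbounded n lets the
       sender force a huge allocation, and a value near the top of the
       size type wraps in "n + 1" so the buffer ends up too small. */
    if (n > MAX_STRING_LEN)
        return -2;
    /* Accept the length only if the payload is actually present. */
    if ((size_t)n > len - i)
        return -1;
    *out = malloc((size_t)n + 1);    /* cannot wrap: n <= MAX_STRING_LEN */
    if (*out == NULL)
        return -1;
    memcpy(*out, buf + i, (size_t)n);
    (*out)[n] = '\0';
    return (long)(i + n);
}
```

Rejecting the length before allocating covers both failure modes the advisory names: the oversized allocation (denial of service) and the wrapped size (undersized heap buffer).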
Comment 1 solar (RETIRED) gentoo-dev 2004-06-10 12:23:47 UTC
Fixed in 1.0.4-r1 which is the same thing as 1.0.5
Comment 2 solar (RETIRED) gentoo-dev 2004-06-10 13:01:36 UTC
arch maintainers please do your thing.

subversion-1.0.4-r1.ebuild:KEYWORDS="~x86 ~sparc ~ppc ~amd64 ~alpha"

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-10 13:48:13 UTC
x86 amd64 : please mark stable.

GLSA already drafted and reviewed.
Comment 4 Jason Huebel (RETIRED) gentoo-dev 2004-06-10 15:07:56 UTC
amd64 stable
Comment 5 Daniel Black (RETIRED) gentoo-dev 2004-06-10 15:50:15 UTC
*** Bug 53587 has been marked as a duplicate of this bug. ***
Comment 6 Kurt Lieber (RETIRED) gentoo-dev 2004-06-10 16:16:36 UTC
glsa 200406-07
Comment 7 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-10 16:20:58 UTC
Stable on alpha.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-06-11 20:16:32 UTC
Stable on sparc.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-06-17 05:13:27 UTC
*** Bug 54157 has been marked as a duplicate of this bug. ***
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-06-29 00:37:41 UTC
*** Bug 55507 has been marked as a duplicate of this bug. ***