Bug 280494 (CVE-2009-2411)

Summary: <dev-util/subversion-1.6.4 Remote code execution in server and client (CVE-2009-2411)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: arfrever, chainsaw, klieber, robbat2
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
subversion-1.6.4.ebuild (flags: none)
subversion-1.6.4-r10.ebuild (flags: none)

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-05 19:29:16 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Hyrum K. Wright informed us about this vulnerability in Subversion:

===========================================================================
  Subversion clients and servers up to 1.6.3 (inclusive) have heap
  overflow issues in the parsing of binary deltas.

Summary:
========

  Subversion clients and servers have multiple heap overflow issues in
  the parsing of binary deltas.  This is related to an allocation
  vulnerability in the APR library used by Subversion.

  Clients with commit access to a vulnerable server can cause a remote
  heap overflow; servers can cause a heap overflow on vulnerable
  clients that try to do a checkout or update.  

  This can lead to a DoS (an exploit has been tested) and to arbitrary
  code execution (no exploit tested, but the possibility is clear).
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-05 19:53:20 UTC
An updated ebuild is being prepared, we'll prestable after that. As usual, no commits to CVS please.
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-05 20:07:15 UTC
Created attachment 200289 [details]
subversion-1.6.4.ebuild
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-05 20:07:59 UTC
Created attachment 200290 [details]
subversion-1.6.4-r10.ebuild
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-05 20:34:40 UTC
The tarball can be downloaded from https://orac.ece.utexas.edu/pub/svn/1.6.4/
Username: svn
Password: KEnuprE3
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-05 20:49:00 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : fauli, maekke
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-05 20:49:41 UTC
Comment on attachment 200290 [details]
subversion-1.6.4-r10.ebuild

Target is -r0.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-08-05 21:34:58 UTC
in case it is not clear from above, the distfile can be fetched via

wget --no-check-certificate https://svn:KEnuprE3@orac.ece.utexas.edu/pub/svn/1.6.4/moonlight/to-tigris/subversion-1.6.4.tar.bz2

Please handle this ASAP. Also cc'ing Kurt and Robin from infra.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-06 10:51:42 UTC
amd64 ok
Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-06 11:56:58 UTC
x86 looks ok too (the same tests fail as in the previous version)
Comment 10 Jeroen Roovers gentoo-dev 2009-08-06 17:13:55 UTC
HPPA is OK.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-06 20:56:55 UTC
Public via $URL.

Arches: Please allow me to reiterate the urgency of this bug.
Comment 12 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-08-06 21:02:57 UTC
dev-util/subversion-1.6.4{,-r10} is now in the tree.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-08-08 21:58:17 UTC
ppc64 done
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-08 22:01:33 UTC
CVE-2009-2411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2411):
  Multiple integer overflows in the libsvn_delta library in Subversion
  before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated
  users and remote Subversion servers to execute arbitrary code via an
  svndiff stream with large windows that trigger a heap-based buffer
  overflow, a related issue to CVE-2009-2412.

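Both the advisory quoted in the description and the CVE text in comment 14 come down to one pattern: lengths read from an attacker-supplied svndiff window header are added together and used to size a heap buffer, and on a 32-bit apr_size_t the addition wraps, so the buffer is far smaller than the data later copied into it. The C program below is an added illustration for this bug, not Subversion's or APR's code and not a claim about the exact line that was fixed in 1.6.4. It parses a five-field header laid out like svndiff's (source offset, source length, target length, instruction length, new-data length) using a 7-bit-per-byte varint encoding of the kind svndiff uses, shows the naive 32-bit size computation wrapping to 0x10 on a constructed hostile header, and contrasts it with a check that bounds each field, detects the overflow and refuses a header that promises more bytes than the stream actually holds. The 16 MiB cap, the struct and all function names are assumptions of the example.

```c
/*
 * Added illustration (not Subversion's or APR's code): why unchecked length
 * arithmetic on a delta window header becomes a heap overflow, and how to
 * check it. Field layout loosely follows svndiff's five varint header fields;
 * names, struct and the size cap are assumptions made for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_WINDOW_BYTES (16u * 1024u * 1024u)  /* assumed sanity cap: 16 MiB */

typedef struct {
    uint64_t sview_offset;  /* offset of the source view */
    uint64_t sview_len;     /* length of the source view */
    uint64_t tview_len;     /* length of the target view produced */
    uint64_t ins_len;       /* length of the instruction section */
    uint64_t newdata_len;   /* length of the new-data section */
} window_hdr;

/* Encode v as 7-bit groups, most significant first, high bit = continuation. */
static size_t encode_varint(uint64_t v, uint8_t *out) {
    uint8_t tmp[10];
    size_t n = 0;
    do { tmp[n++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v);
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0));
    return n;
}

/* Decode one varint from p[0..avail). Returns bytes consumed, 0 on error. */
static size_t decode_varint(const uint8_t *p, size_t avail, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < avail && i < 10; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;  /* truncated or over-long varint */
}

/* Parse the five header fields. Returns bytes consumed, 0 on error. */
size_t parse_window_hdr(const uint8_t *p, size_t avail, window_hdr *h) {
    uint64_t *fields[5] = { &h->sview_offset, &h->sview_len, &h->tview_len,
                            &h->ins_len, &h->newdata_len };
    size_t used = 0;
    for (int i = 0; i < 5; i++) {
        size_t n = decode_varint(p + used, avail - used, fields[i]);
        if (n == 0) return 0;
        used += n;
    }
    return used;
}

/* Vulnerable pattern: add two attacker-controlled lengths in a 32-bit size
 * (what apr_size_t is on a 32-bit build) and allocate that many bytes. The sum
 * wraps, the allocation is tiny, and copying ins_len and then newdata_len bytes
 * into it runs off the end of the heap block. Returned so the wrap is visible. */
uint32_t naive_alloc_size(const window_hdr *h) {
    uint32_t total = (uint32_t)h->ins_len + (uint32_t)h->newdata_len;
    return total;
}

/* Hardened pattern: bound each field, check the addition for overflow, and
 * require the promised payload to be present in the stream before allocating.
 * Returns 1 and sets *total on success, 0 on rejection. */
int checked_alloc_size(const window_hdr *h, size_t stream_remaining, size_t *total) {
    if (h->ins_len > MAX_WINDOW_BYTES || h->newdata_len > MAX_WINDOW_BYTES ||
        h->tview_len > MAX_WINDOW_BYTES)
        return 0;                                   /* absurd field value */
    if (h->ins_len > SIZE_MAX - h->newdata_len)
        return 0;                                   /* sum would wrap */
    size_t sum = (size_t)h->ins_len + (size_t)h->newdata_len;
    if (sum > stream_remaining)
        return 0;              /* header promises more bytes than the stream has */
    *total = sum;
    return 1;
}

/* Constructed sample (not captured traffic): a header whose ins_len plus
 * newdata_len wraps in 32 bits. buf must hold at least 32 bytes; returns the
 * encoded length. */
size_t build_hostile_header(uint8_t *buf) {
    size_t n = 0;
    n += encode_varint(0, buf + n);             /* sview_offset */
    n += encode_varint(0, buf + n);             /* sview_len */
    n += encode_varint(16, buf + n);            /* tview_len */
    n += encode_varint(0xFFFFFFF0u, buf + n);   /* ins_len */
    n += encode_varint(0x20, buf + n);          /* newdata_len: 32-bit sum wraps to 0x10 */
    return n;
}
```

The third check in checked_alloc_size is the one that matters for the client side of this CVE: a client doing a checkout or update cannot assume the server is honest, so a window header is only trusted once the stream has actually delivered the bytes it promises. On a 64-bit build the addition alone would not wrap, which is why the per-field cap is kept as well.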
Comment 15 nixnut (RETIRED) gentoo-dev 2009-08-09 14:40:48 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-08-09 16:09:11 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-09 21:04:21 UTC
GLSA request filed.
Comment 18 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-18 21:40:34 UTC
GLSA 200908-05