
Bug 463728 (CVE-2013-1849)

Summary: <dev-vcs/subversion-1.7.9: DoS (crash) via PROPFIND request made against activity URLs (CVE-2013-1849)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: tommy
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=929093
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 463860
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2013-03-29 12:37:21 UTC
From ${URL} :

It was found that Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND 
request is made against activity URLs. This can lead to a DoS. 

There is a flaw in mod_dav_svn that improperly tries to process this request instead of rejecting 
it and results in an attempt to access invalid memory (NULL), which results in the httpd process 
segfaulting and dying.  How bad the impact of that is varies based upon the configuration of the 
httpd server. httpd servers using a prefork MPM will simply start a new process to replace the 
process that died.  Servers using threaded MPMs may be processing other requests in the same 
process as the process that the attack causes to die.  In either case there is an increased 
processing impact of restarting a process and the cost of per process caches being lost.

External Reference:

http://seclists.org/fulldisclosure/2013/Mar/56
Comment 1 Agostino Sarubbo gentoo-dev 2013-05-05 12:12:53 UTC
Old removed, @security, please add it to existing draft.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:59:29 UTC
CVE-2013-1849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1849):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through
  1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of
  service (NULL pointer dereference and crash) via a PROPFIND request for an
  activity URL.
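
Added example (not part of the bug report or of Gentoo's tooling): a triage check that tests Gentoo-style package-version strings against the affected ranges given in the CVE description above. The function names and the sample package list are assumptions made for illustration.

```python
import re

# Affected ranges as stated in the CVE-2013-1849 description above:
# 1.6.x through 1.6.20, and 1.7.0 through 1.7.8 (bounds inclusive).
AFFECTED_RANGES = [
    ((1, 6, 0), (1, 6, 20)),
    ((1, 7, 0), (1, 7, 8)),
]

# Gentoo-style string: [category/]name-version[-rN]
# Pre-release suffixes such as _rc1 are deliberately not handled here.
ATOM_RE = re.compile(
    r"^(?:(?P<cat>[\w+.-]+)/)?(?P<name>[A-Za-z0-9+_-]+?)-"
    r"(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$"
)


def parse_atom(atom):
    """Return (package name, (major, minor, patch)) for a package-version string."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError("unrecognised package-version string: %r" % atom)
    parts = tuple(int(p) for p in m.group("ver").split("."))
    # Subversion releases use three components; pad short versions with zeros.
    # The Gentoo revision (-rN) is ignored: it does not change the upstream version.
    return m.group("name"), (parts + (0, 0, 0))[:3]


def is_affected(atom):
    """True if the string names a Subversion version inside the CVE's ranges."""
    name, ver = parse_atom(atom)
    if name != "subversion":
        return False
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def triage(atoms):
    """Map each package-version string to its affected/not-affected verdict."""
    return {a: is_affected(a) for a in atoms}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the bug report.
    sample = ["dev-vcs/subversion-1.6.20", "dev-vcs/subversion-1.7.8-r1",
              "dev-vcs/subversion-1.7.9", "dev-vcs/git-1.7.5"]
    for atom, hit in triage(sample).items():
        print("%-32s %s" % (atom, "AFFECTED" if hit else "ok"))
```
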
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 17:17:12 UTC
Updated existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:15:32 UTC
This issue was resolved and addressed in
 GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml
by GLSA coordinator Sean Amoss (ackle).