Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 463860 (CVE-2013-1845)

Summary: <dev-vcs/subversion-1.7.9: Multiple DoS vulnerabilities (CVE-2013-{1845,1846,1847,1884})
Product: Gentoo Security Reporter: Sean Amoss (RETIRED) <ackle>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: tommy
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://dist.apache.org/repos/dist/dev/subversion/?p=1654
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 463728    
Attachments:
Description Flags
Subversion Advisories none

Description Sean Amoss (RETIRED) gentoo-dev Security 2013-03-30 14:20:41 UTC 
Created attachment 343764 [details]
Subversion Advisories

The Gentoo Linux Security Team received advanced notification from Ben Reser (breser@apache.org) of 4 denial of service vulnerabilities found in Subversion. The vulnerabilities affect versions prior to 1.7.8 and 1.6.21. The patches and fixed versions will be released 2013-04-04 21:00 UTC. The fixed versions are also available at $URL.

The advisories and patches are attached.
Comment 1 Thomas Sachau gentoo-dev 2013-03-30 17:29:46 UTC 
I dont plan to support the 1.6 series anymore, so this will result in 1.6.17-r7 being dropped, unless someone else steps up to maintain the 1.6 series or subversion itself.
the fixed 1.7.9 version from $URL compiles fine with the 1.7.8 ebuild, so a quick bump for that one can be done.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-08 21:47:02 UTC 
Now public.
Comment 3 Thomas Sachau gentoo-dev 2013-04-08 22:42:37 UTC 
ebuild for 1.7.9 added
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-19 15:13:27 UTC 
(In reply to comment #3)
> ebuild for 1.7.9 added

Should we proceed to stabilize?
Comment 5 Thomas Sachau gentoo-dev 2013-04-20 08:56:28 UTC 
(In reply to comment #4)
> (In reply to comment #3)
> > ebuild for 1.7.9 added
> 
> Should we proceed to stabilize?

I added 2 dependency related fixes yesterday, which also affected version 1.7.7 as the current stable version. Otherwise there have not been any bug reports, so looks good for stabilization.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-20 13:51:11 UTC 
Arches, please test and mark stable:
=dev-vcs/subversion-1.7.9
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
Comment 7 Agostino Sarubbo gentoo-dev 2013-04-20 20:43:08 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-04-20 20:48:23 UTC 
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-04-21 12:59:11 UTC 
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-04-22 08:46:28 UTC 
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-04-22 09:10:18 UTC 
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-04-22 10:11:58 UTC 
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-04-22 10:34:28 UTC 
s390 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-04-22 10:38:08 UTC 
sh stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-04-22 10:40:01 UTC 
sparc stable
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2013-04-22 11:48:17 UTC 
Stable for HPPA.
Comment 17 Agostino Sarubbo gentoo-dev 2013-04-22 12:24:46 UTC 
alpha stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-05-05 12:12:39 UTC 
Old removed, @security, please add it to existing draft.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:59:07 UTC 
CVE-2013-1884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1884):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.8
  allows remote attackers to cause a denial of service (segmentation fault and
  crash) via a log REPORT request with an invalid limit, which triggers an
  access of an uninitialized variable.

CVE-2013-1847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1847):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through
  1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of
  service (NULL pointer dereference and crash) via an anonymous LOCK for a URL
  that does not exist.

CVE-2013-1846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1846):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21
  and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial
  of service (NULL pointer dereference and crash) via a LOCK on an activity
  URL.

CVE-2013-1845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1845):
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21
  and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial
  of service (memory consumption) by (1) setting or (2) deleting a large
  number of properties for a file or directory.
Comment 20 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 17:17:37 UTC 
Updated existing GLSA.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:15:34 UTC 
This issue was resolved and addressed in
 GLSA 201309-11 at http://security.gentoo.org/glsa/glsa-201309-11.xml
by GLSA coordinator Sean Amoss (ackle).