Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 51462

Summary: dev-util/subversion: Subversion versions up to and including 1.0.2 have a buffer overflow in
Product: Gentoo Security Reporter: Jani Averbach <jaa>
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: blocker CC: condordes, douggorley, gen2daniel, jay, pauldv, sbh, sr, zorloc
Priority: Highest Flags: condordes: Assigned_To? (condordes)
Version: unspecified   
Hardware: All   
OS: All   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0397
Whiteboard:
Package list:
Runtime testing required: ---

Description Jani Averbach 2004-05-19 08:54:28 UTC 
From subversion 1.0.3 announce mail:
http://subversion.tigris.org/servlets/ReadMsg?list=announce&msgNo=125


Subversion versions up to and including 1.0.2 have a buffer overflow in
the date parsing code.

Both client and server are vulnerable.  The server is vulnerable over
both httpd/DAV and svnserve (that is, over http://, https://, svn://,
svn+ssh:// and other tunneled svn+*:// methods).

Additionally, clients with shared working copies, or permissions that
allow files in the administrative area of the working copy to be
written by other users, are potentially exploitable.


Reproducible: Always
Steps to Reproduce:





There is similar issue with up to and includind net-misc/neon-0.24.5
(CAN-2004-0398).
So, there is also update for neon (0.24.6), please see http://www.webdav.org/neon/.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 09:00:22 UTC 
*** Bug 51463 has been marked as a duplicate of this bug. ***
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-05-19 12:39:16 UTC 
pauldv, please bump. thanks.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 13:58:17 UTC 
*** Bug 51491 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 14:00:28 UTC 
Reassigning back to security so that we keep track of this one. Still waiting for pauldv's bump.
Comment 5 Andrew Cowie 2004-05-20 08:51:04 UTC 
I'm raising a new bug for this, but FYI, subversion 1.0.4 is now available. 1.0.3 is the security fix.

http://subversion.tigris.org/project_status.html

AfC
Sydney
Comment 6 Jani Averbach 2004-05-20 09:21:21 UTC 
The new bug number for 1.0.4 is 51572 http://bugs.gentoo.org/show_bug.cgi?id=51572,

But, 1.0.4 isn't out yet (planned for tomorrow)!
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-20 10:04:11 UTC 
Apparently 1.0.3 is in CVS. Stable flags are OK -- so it's ready for a GLSA
Comment 8 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-05-20 11:00:52 UTC 
GLSA Drafted.
Comment 9 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-05-20 11:38:29 UTC 
GLSA 200405-14.