Bug 767898 (CVE-2020-17525)

Summary: <dev-vcs/subversion-1.14.1: DoS in mod_authz_svn (CVE-2020-17525)
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: dilfridge, zlogene
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
Whiteboard: C3 [noglsa cve]
Package list:
dev-vcs/subversion-1.14.1
Runtime testing required: ---
Bug Depends on: 778455    
Bug Blocks:    

Description Thomas Deutschmann gentoo-dev Security 2021-01-29 23:28:50 UTC
Incoming details.
Comment 1 John Helmert III gentoo-dev Security 2021-02-11 01:33:59 UTC
CVE-2020-17525:

A null-pointer-dereference has been found in mod_authz_svn that results in
a remote unauthenticated Denial-of-Service in some server configurations.

The vulnerability can be triggered by an unauthenticated user if the
Apache HTTPD server is configured to use an in-repository authz file,
with configuration directives such as:

  AuthzSVNAccessFile "^/authz"
  AuthzSVNReposRelativeAccessFile "^/authz"

The problem originates when sending a GET request to a non-existent
repository. The mod_authz_svn module will attempt to find authz rules
at a path within the requested SVN repository. Upon constructing this
path, the function svn_repos_find_root_path will return a NULL pointer
since the requested repository does not exist on-disk.
A check for this legitimate NULL pointer condition is missing, which
results in a segmentation fault when the NULL pointer is used.

The in-repository authz feature was first introduced in Subversion 1.8:
https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz

The missing NULL check was first introduced during refactoring of the
authz code during development work leading up to Subversion 1.9.
Subversion 1.8 servers are unaffected.


Fixed in 1.14.1. Please bump.
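
A configuration audit for the condition described in comment 1, added here as an example; it is not part of the bug report or of Subversion's code. It flags a host only when both conditions hold: the installed version falls in the range this bug gives, and the Apache configuration uses one of the two named directives with an in-repository path. Assumptions: the function names and the sample configuration are constructed, and "in-repository" is recognised by the `^/` prefix used in the advisory's examples.

```python
import re

# Directives named in the advisory; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(
    r'^\s*(AuthzSVNAccessFile|AuthzSVNReposRelativeAccessFile)\s+"?([^"\s]+)"?', re.I)

def parse_version(text):
    """'1.14.0-r1' -> (1, 14, 0); any suffix after the numeric prefix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    # Assumption: range built only from this bug (1.8 unaffected, fixed in 1.14.1);
    # fixes backported to other upstream release branches are not modelled.
    return (1, 9, 0) <= parse_version(text) < (1, 14, 1)

def in_repo_authz(config_text):
    """Return (line_no, directive, value) for each authz file given as '^/...'."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', so never match
        if m and m.group(2).startswith("^/"):
            hits.append((no, m.group(1), m.group(2)))
    return hits

def audit(version, config_text):
    """Exposed only when an affected version serves an in-repository authz file."""
    hits = in_repo_authz(config_text)
    affected = version_affected(version)
    return {"affected_version": affected, "in_repo_authz": hits,
            "exposed": affected and bool(hits)}

# Constructed sample configuration (not taken from the bug report).
SAMPLE = '''\
<Location /svn>
  SVNParentPath /var/svn
  # AuthzSVNAccessFile "^/old-authz"
  AuthzSVNReposRelativeAccessFile "^/authz"
</Location>
<Location /private>
  SVNPath /var/svn/private
  AuthzSVNAccessFile /etc/svn/authz
</Location>
'''

if __name__ == "__main__":
    for v in ("1.8.19", "1.13.0", "1.14.1"):
        print(v, audit(v, SAMPLE))
```
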
Comment 2 John Helmert III gentoo-dev Security 2021-02-11 16:35:59 UTC
Please proceed with stabilization when ready.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2021-02-28 20:54:53 UTC
Let's go.
Comment 4 Sam James archtester gentoo-dev Security 2021-03-01 18:29:34 UTC
sparc done
Comment 5 Sam James archtester gentoo-dev Security 2021-03-01 19:16:12 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2021-03-01 19:17:05 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-03-01 19:19:52 UTC
ppc64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-03-01 19:20:26 UTC
Hitting bug 740464 on ppc.
Comment 9 Sam James archtester gentoo-dev Security 2021-03-02 04:44:58 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-03-02 04:50:14 UTC
x86 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-17 03:04:19 UTC
ppc done

all arches done
Comment 12 Sam James archtester gentoo-dev Security 2021-05-17 03:05:30 UTC
Please cleanup.
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2021-05-17 08:09:02 UTC
No glsa here.