Bug 463728 (CVE-2013-1849) - <dev-vcs/subversion-1.7.9: DoS (crash) via PROPFIND request made against activity URLs (CVE-2013-1849)
Alias: CVE-2013-1849
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on: CVE-2013-1845
Reported: 2013-03-29 12:37 UTC by Agostino Sarubbo
Modified: 2013-09-23 23:15 UTC
Description Agostino Sarubbo gentoo-dev 2013-03-29 12:37:21 UTC
From ${URL} :

It was found that Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND 
request is made against activity URLs. This can lead to a DoS. 

There is a flaw in mod_dav_svn that improperly tries to process this request instead of rejecting 
it and results in an attempt to access invalid memory (NULL), which results in the httpd process 
segfaulting and dying.  How bad the impact of that is varies based upon the configuration of the 
httpd server. httpd servers using a prefork MPM will simply start a new process to replace the 
process that died.  Servers using threaded MPMs may be processing other requests in the same 
process as the process that the attack causes to die.  In either case there is an increased 
processing impact of restarting a process and the cost of per process caches being lost.

External Reference:
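
A log check for the request pattern described above, as an added example that is not part of the bug report or of Subversion's code. It assumes the default `!svn` special URI (activity URLs under `!svn/act/`), Apache common/combined access-log lines and Apache 2.2-style error-log wording; all sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

SPECIAL_URI = "!svn"  # mod_dav_svn default; assumed not changed via SVNSpecialURI

# Common/combined access-log prefix: client, ident, user, [time], "METHOD path proto", status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Apache 2.2-style parent notice when a child dies on SIGSEGV
SEGV_RE = re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault")

def is_activity_url(path, special=SPECIAL_URI):
    """True if the percent-decoded path contains the segment pair <special>/act."""
    segs = [s for s in unquote(path.split("?", 1)[0]).split("/") if s]
    return any(a == special and b == "act" for a, b in zip(segs, segs[1:]))

def propfind_on_activities(access_lines):
    """Count PROPFIND requests against activity URLs, per client address."""
    hits = Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "PROPFIND" and is_activity_url(m["path"]):
            hits[m["ip"]] += 1
    return hits

def child_segfaults(error_lines):
    """PIDs of children the parent reported as killed by a segfault."""
    return [int(m["pid"]) for m in map(SEGV_RE.search, error_lines) if m]

# Constructed sample lines (not taken from a real server).
ACCESS = [
    '198.51.100.7 - - [29/Mar/2013:12:30:01 +0000] "PROPFIND /repos/proj/!svn/act/0a1b HTTP/1.1" 405 312',
    '198.51.100.7 - - [29/Mar/2013:12:30:02 +0000] "PROPFIND /repos/proj/%21svn/act/0a1b HTTP/1.1" 405 312',
    '203.0.113.9 - alice [29/Mar/2013:12:31:00 +0000] "PROPFIND /repos/proj/trunk HTTP/1.1" 207 901',
    '203.0.113.9 - alice [29/Mar/2013:12:31:02 +0000] "MKACTIVITY /repos/proj/!svn/act/77aa HTTP/1.1" 201 0',
]
ERROR = [
    "[Fri Mar 29 12:30:05 2013] [notice] child pid 4242 exit signal Segmentation fault (11)",
    "[Fri Mar 29 12:30:06 2013] [error] [client 203.0.113.9] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    # A child that crashes never writes its access-log entry, so on an unpatched
    # server the segfault notices are the signal; access-log hits are requests
    # that did not crash the child.
    print(dict(propfind_on_activities(ACCESS)), child_segfaults(ERROR))
```

Ordinary commits use activity URLs with `MKACTIVITY` and related methods, so the check keys on the `PROPFIND` method and the path together, not on the path alone.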
Comment 1 Agostino Sarubbo gentoo-dev 2013-05-05 12:12:53 UTC
Old removed, @security, please add it to existing draft.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 11:59:29 UTC
CVE-2013-1849:
  The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through
  1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of
  service (NULL pointer dereference and crash) via a PROPFIND request for an
  activity URL.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 17:17:12 UTC
Updated existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:15:32 UTC
This issue was resolved and addressed in
 GLSA 201309-11 at
by GLSA coordinator Sean Amoss (ackle).