Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 472202 (CVE-2013-1968) - <dev-vcs/subversion-1.7.11 : multiple vulnerabilities (CVE-2013-{1968,2088,2112,4131})
Summary: <dev-vcs/subversion-1.7.11 : multiple vulnerabilities (CVE-2013-{1968,2088,21...
Alias: CVE-2013-1968
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: C2 [glsa]
Depends on:
Reported: 2013-06-03 18:28 UTC by Agostino Sarubbo
Modified: 2013-09-23 23:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-03 18:28:23 UTC
From :

Two vulnerabilities have been reported in Apache Subversion, which can be exploited by malicious users and malicious people to cause a DoS (Denial of 

1) An error within the svnserve server does not properly handle aborted connection messages and can be exploited to stop the service.

2) An error within FSFS repositories does not properly handle filenames and can be exploited to corrupt the repository and render it unusable.

The vulnerabilities are reported in versions 1.7.9 and prior and versions 1.6.21 and prior.

Update to version 1.7.10 or 1.6.23.

Provided and/or discovered by
1) The vendor credits Boris Lytochkin, Yandex
2) The vendor credits Stefan Sperling, elego Software Solutions

Original Advisory
Comment 1 Agostino Sarubbo gentoo-dev 2013-06-03 18:28:30 UTC
From :

A vulnerability has been reported in Apache Subversion, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an input validation error in the hook script while processing filenames and can be exploited 
to inject and execute arbitrary shell commands via a specially crafted request.

Successful exploitation requires that contrib scripts are used on the server.

The vulnerability is reported in versions 1.6.22 and prior and versions 1.7.10 and prior.

Apply fixes.
Further details available to Secunia VIM customers

Provided and/or discovered by
The vendor credits Daniel Shahaf, elego Software Solutions

Original Advisory

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 23:26:34 UTC
B3 for the first set, C2 for the second one. Need a version bump to 1.7.10/1.6.22 and to apply the patch in [1]. The second comment's vulnerability is fixed in 1.7.11/1.6.23, but those are not released yet.


Red Hat bugs:
Comment 3 Sławomir Nizio 2013-07-28 22:10:31 UTC

1.7.11 and 1.8.1 have been released.
Comment 4 Thomas Sachau gentoo-dev 2013-08-03 08:57:22 UTC
1.7.11 in tree, no 1.6 update, as we dont have that series in tree
Comment 5 Thomas Sachau gentoo-dev 2013-08-16 16:19:29 UTC
adding arches

Please stabilize:


target keywords: alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-16 19:39:09 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-16 19:43:17 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2013-08-17 16:23:19 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-18 12:51:49 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-18 12:51:58 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-18 12:52:08 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-18 12:52:16 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-18 12:52:27 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-08-18 12:52:33 UTC
s390 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-08-18 12:52:42 UTC
sh stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-08-18 12:52:49 UTC
sparc stable
Comment 17 Joseph 2013-08-18 16:17:50 UTC
subversion-1.7.11.ebuild has a digest verification problem 

Calculating dependencies - * Digest verification failed:
 * /usr/portage/dev-vcs/subversion/subversion-1.7.11.ebuild
 * Reason: Filesize does not match recorded size
 * Got: 14633
 * Expected: 14632
Comment 18 Thomas Sachau gentoo-dev 2013-08-18 20:53:55 UTC
Manifest issue has been fixed in the meantime, all stable arches done, affected older versions removed
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-08-26 19:28:40 UTC
CVE-2013-2112 (
  The svnserve server in Subversion before 1.6.23 and 1.7.x before 1.7.10
  allows remote attackers to cause a denial of service (exit) by aborting a

CVE-2013-2088 (
  contrib/hook-scripts/ in Subversion before 1.6.23 allows
  remote authenticated users with commit permissions to execute arbitrary
  commands via shell metacharacters in a filename.

CVE-2013-1968 (
  Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote authenticated
  users to cause a denial of service (FSFS repository corruption) via a
  newline character in a file name.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-08-26 19:34:27 UTC
CVE-2013-4131 (
  The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through
  1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a
  denial of service (assertion failure or out-of-bounds read) via a certain
  (1) COPY, (2) DELETE, or (3) MOVE request against a revision root.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:15:38 UTC
This issue was resolved and addressed in
 GLSA 201309-11 at
by GLSA coordinator Sean Amoss (ackle).