Bug 51463 - dev-util/subversion remote vulnerability <= 1.0.2
Summary: dev-util/subversion remote vulnerability <= 1.0.2
Status: RESOLVED DUPLICATE of bug 51462
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://security.e-matters.de/advisori...
Whiteboard:
Keywords:
Duplicates: 51518 51566
Depends on:
Blocks:
 
Reported: 2004-05-19 08:55 UTC by gen2daniel
Modified: 2011-10-30 22:40 UTC
Description gen2daniel 2004-05-19 08:55:20 UTC
Similar to the libneon issue, a manual scan for common programming errors
   revealed an unsafe call to sscanf() in one of Subversion's date parsing
   functions.
   
   When Subversion tries to convert a string into an apr_time_t it falls
   back to the vulnerable sscanf() to decode old-styled date strings.
   This function is exposed to an external attacker through a DAV2 REPORT
   query or a get-dated-rev svn-protocol command.
   
   Both ways have been proven exploitable, but exploiting through the
   DAV2 protocol is somewhat harder because the date string has to be
   in utf-8 format. On the other hand, exploiting through the svn-protocol
   is a trivial standard stack overflow with the exception that whitespace
   and the '\0' character are forbidden.
   
   And as a side note: Exploiting this stack overflow is even possible
   when Propolice or similar protections are in place because a lot of
   fancy things can be done by overwriting the function parameters.

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0397 to this issue.

Reproducible: Always
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 09:00:19 UTC
A little too late :)
Thanks anyway

*** This bug has been marked as a duplicate of 51462 ***
Comment 2 Starz McCllelan 2004-05-19 16:54:01 UTC
*** Bug 51518 has been marked as a duplicate of this bug. ***
Comment 3 Marius Mauch (RETIRED) gentoo-dev 2004-05-20 08:12:11 UTC
*** Bug 51566 has been marked as a duplicate of this bug. ***
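
The class of bug the description refers to, an unbounded sscanf() conversion into a fixed-size buffer, shown beside a bounded form. This is an added example, not code from the bug report or from Subversion; the date layout, struct and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record for a date such as "Wed 19 May 2004 08:55:20"
   (constructed layout, not Subversion's real format or code). */
struct old_date {
    char wkday[4];              /* 3 letters + NUL */
    char month[4];              /* 3 letters + NUL */
    int mday, year, hour, min, sec;
};

/* UNSAFE: "%s" carries no field width, so a long token supplied by the
   peer is copied past the end of the 4-byte buffers. */
int parse_old_date_unsafe(const char *s, struct old_date *d)
{
    return sscanf(s, "%s %d %s %d %d:%d:%d",
                  d->wkday, &d->mday, d->month, &d->year,
                  &d->hour, &d->min, &d->sec) == 7;
}

/* Bounded: every conversion has a width that fits its destination, and
   %n lets us reject input that continues after the last field. */
int parse_old_date_bounded(const char *s, struct old_date *d)
{
    int end = 0;

    memset(d, 0, sizeof *d);
    if (sscanf(s, "%3s %2d %3s %4d %2d:%2d:%2d%n",
               d->wkday, &d->mday, d->month, &d->year,
               &d->hour, &d->min, &d->sec, &end) != 7)
        return 0;               /* oversized or malformed token */
    return s[end] == '\0';      /* no trailing bytes allowed */
}

int main(void)
{
    struct old_date d;
    /* Constructed inputs: one well-formed, one with an oversized token. */
    const char *ok  = "Wed 19 May 2004 08:55:20";
    const char *bad = "AAAAAAAAAAAAAAAA 19 May 2004 08:55:20";

    printf("well-formed accepted: %d\n", parse_old_date_bounded(ok, &d));
    printf("oversized accepted:   %d\n", parse_old_date_bounded(bad, &d));
    return 0;
}
```

The unsafe variant is included only for comparison and is never called on oversized input here.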