Bug 532406 (CVE-2014-3580) - <dev-vcs/subversion-{1.7.19,1.8.11}: Two Denial of Service vulnerabilities (CVE-2014-{3580,8108})
Summary: <dev-vcs/subversion-{1.7.19,1.8.11}: Two Denial of Service vulnerabilities (C...
Status: RESOLVED FIXED
Alias: CVE-2014-3580
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://mail-archives.apache.org/mod_...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-13 02:24 UTC by Sean Amoss (RETIRED)
Modified: 2015-02-03 13:01 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Subversion Patches for CVE-2014-3580 (file_532406.txt, 9.08 KB, text/plain)
2014-12-13 02:29 UTC, Sean Amoss (RETIRED)
Subversion Patches for CVE-2014-8108 (file_532406.txt, 4.29 KB, text/plain)
2014-12-13 02:30 UTC, Sean Amoss (RETIRED)

Description Sean Amoss (RETIRED) gentoo-dev Security 2014-12-13 02:24:01 UTC
This email is a confidential pre-notification for multiple security alerts
for Subversion clients:
 * CVE-2014-3580
 * CVE-2014-8108

Please *do not forward* any part of this mail to anyone.  The public
announcement is not until 15 December 2014 17:00 UTC, and we'd like
to keep the information embargoed until then.

You are receiving this mail because (we think) you distribute software
that uses the Subversion libraries or that you host a Subversion installation
used by a large number of users.  We believe that you might want to have your
software patched by the time these security holes are made public on 15
December.

If you no longer maintain Subversion-related packages or hosting, please reply
to this mail indicating who the appropriate contact would be for your
organization.

Below are the advisories, followed by patches to fix the problems.  The
Subversion patches apply to Subversion 1.7.18 and Subversion 1.8.10.
Subversion 1.7.19 and 1.8.11 will be published on 15 December, including
the patches below, as well as other stability and bug fixes. You can get an
advance copy of the source distribution here:

  https://dist.apache.org/repos/dist/dev/subversion/?p=7401

Here are the full advisories:

{{{
  mod_dav_svn is vulnerable to a remotely triggerable segfault DoS
  vulnerability with certain invalid REPORT requests.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will crash when it
  receives a REPORT request for some invalidly formatted special URIs.

  This can lead to a DoS.  There are no known instances of this problem
  being exploited in the wild.

Known vulnerable:
=================

  Subversion HTTPD servers 1.0.0 through 1.7.18 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)

Known fixed:
============

  Subversion 1.7.19
  Subversion 1.8.11

Details:
========

  Subversion's HTTP support is implemented as an interaction between mod_dav
  and mod_dav_svn.  mod_dav asks mod_dav_svn to fill a resource struct when
  a request is made.  When the resource doesn't exist in the repository the
  repository path is calculated as a NULL.  Later mod_dav calls into
  mod_dav_svn to actually handle the request and Subversion attempts to
  use the repository path which is NULL, resulting in the SEGFAULT.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.  Repositories which
  allow for anonymous reads will be vulnerable without authentication.
  Unfortunately, no special configuration is required and all mod_dav_svn
  servers are vulnerable.

  A remote attacker may be able to crash a Subversion server.  Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users.  Servers using threaded MPMs will close the connection
  on other clients being served by the same process that services the
  request from the attacker.  In either case there is an increased
  processing impact of restarting a process and the cost of per process
  caches being lost.

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.11.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No known workarounds are available.

References:
===========

  CVE-2014-3580  (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN

Patches:
========

}}}

{{{
  mod_dav_svn is vulnerable to a remotely triggerable segfault DoS
  vulnerability for requests with non-existent virtual transaction names.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will crash when it
  receives a request for some invalidly formatted special URIs.

  This can lead to a DoS.  There are no known instances of this problem
  being exploited in the wild.

Known vulnerable:
=================

  Subversion HTTPD servers 1.7.0 through 1.7.18 (inclusive)
  Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)

Known fixed:
============

  Subversion 1.7.19
  Subversion 1.8.11

Details:
========

  Subversion 1.7.0 and newer added a new protocol variant to the HTTP support.
  One of the changes in this new protocol was that the client no longer had
  to generate the UUID by which transactions would be referred to.  However,
  there were circumstances where clients needed to provide their own names for
  transactions and so it has support for virtual transaction names.  These
  transaction names are then mapped to the server's internal transaction id
  much as was done in the old protocol.  New special URIs were provided to
  allow the client to access the transactions by these virtual transaction
  names.

  Making a request for a URI that refers to a non-existent virtual transaction
  name results in the lookup for the internal transaction id to be NULL.
  Subsequent uses of the transaction id do not properly validate that the
  id is valid and result in a SEGFAULT.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.  Repositories which
  allow for anonymous reads will be vulnerable without authentication.
  Unfortunately, no special configuration is required and all mod_dav_svn
  servers that support the new protocol variant are vulnerable.

  A remote attacker may be able to crash a Subversion server.  Many Apache
  servers will respawn the listener processes, but a determined attacker
  will be able to crash these processes as they appear, denying service to
  legitimate users.  Servers using threaded MPMs will close the connection
  on other clients being served by the same process that services the
  request from the attacker.  In either case there is an increased
  processing impact of restarting a process and the cost of per process
  caches being lost.

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.11.  Users of
  Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No known workarounds are available.

References:
===========

  CVE-2014-8108  (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN

Patches:
========

}}}
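Both advisories above describe the same defect shape: a lookup that fails returns NULL, and later code uses that value without checking it. The C model below is an added illustration, not Subversion's or mod_dav_svn's code; the resource struct, the table contents, the function names and the status codes are all constructed for the example. It shows the pre-fix shape next to a dispatcher that validates each lookup result, so an unknown resource or virtual transaction name fails one request rather than the worker process.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the resource struct mod_dav asks mod_dav_svn to fill. */
struct resource {
    const char *repos_path;  /* NULL when the requested resource does not exist */
    const char *txn_id;      /* NULL when a virtual transaction name is unknown */
};

/* Constructed data: paths that exist, and a virtual-name -> internal-id table. */
static const char *const REPOS_PATHS[] = { "/trunk", "/branches/1.x" };
static const char *const VTXN_NAMES[]  = { "client-a-001", "client-b-007" };
static const char *const TXN_IDS[]     = { "17-1", "18-2" };

/* Returns the stored path or NULL: the "repository path calculated as NULL" case. */
const char *find_path(const char *path) {
    for (size_t i = 0; i < 2; i++)
        if (strcmp(REPOS_PATHS[i], path) == 0)
            return REPOS_PATHS[i];
    return NULL;
}

/* Maps a virtual transaction name to an internal id, NULL when unknown. */
const char *lookup_txn_id(const char *vtxn_name) {
    for (size_t i = 0; i < 2; i++)
        if (strcmp(VTXN_NAMES[i], vtxn_name) == 0)
            return TXN_IDS[i];
    return NULL;
}

/* Pre-fix shape, kept only to show the defect: both lookups are trusted and their
 * NULL results dereferenced, so one bad URI takes the worker process down.
 * Never called in this example. */
size_t dispatch_vulnerable(const char *path, const char *vtxn_name) {
    struct resource r = { find_path(path), lookup_txn_id(vtxn_name) };
    return strlen(r.repos_path) + strlen(r.txn_id);  /* strlen(NULL): SEGFAULT */
}

/* Fixed shape: every lookup result is validated before use, so a bad URI fails
 * one request instead of the process. Status codes are this example's choice. */
int dispatch(const char *path, const char *vtxn_name) {
    struct resource r = { find_path(path), NULL };
    if (r.repos_path == NULL)
        return 404;  /* CVE-2014-3580 case: REPORT for a resource that does not exist */
    if (vtxn_name != NULL) {
        r.txn_id = lookup_txn_id(vtxn_name);
        if (r.txn_id == NULL)
            return 404;  /* CVE-2014-8108 case: unknown virtual transaction name */
    }
    return 200;
}
```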
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-13 02:29:11 UTC
Created attachment 391530 [details]
Subversion Patches for CVE-2014-3580
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-13 02:30:09 UTC
Created attachment 391532 [details]
Subversion Patches for CVE-2014-8108
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2014-12-16 09:26:33 UTC
This is now public via $URL.
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-16 12:17:39 UTC
+*subversion-1.8.11 (16 Dec 2014)
+
+  16 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -subversion-1.8.9.ebuild,
+  +subversion-1.8.11.ebuild,
+  -files/subversion-1.6.0-disable_linking_against_unneeded_libraries.patch,
+  -files/subversion-1.6.2-local_library_preloading.patch,
+  -files/subversion-1.6.3-kwallet_window.patch,
+  -files/subversion-1.7.6-kwallet.patch,
+  -files/subversion-1.7.6-revert-mod_dontdothat-move.patch,
+  -files/svnserve.initd:
+  Security bump (bug #532406). Removed old.
+

Arches please test and mark stable =dev-vcs/subversion-1.8.11 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-17 22:33:39 UTC
Stable for HPPA.
Comment 6 Thomas Sachau gentoo-dev 2014-12-18 19:52:46 UTC
Arches: Also please test and mark stable: dev-vcs/subversion-1.7.19

target keywords="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-20 08:50:50 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-21 11:38:08 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-21 11:42:53 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-23 09:36:37 UTC
alpha stable
Comment 11 Markus Meier gentoo-dev 2014-12-23 12:47:44 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-24 14:38:27 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-24 14:48:33 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-25 11:28:14 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-26 09:29:50 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-26 13:50:01 UTC
+  26 Dec 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -subversion-1.7.18.ebuild, -subversion-1.8.10.ebuild,
+  -subversion-1.8.10-r1.ebuild, -files/subversion-1.8.9-po_fixes.patch:
+  Removed vulnerable versions.
+
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:54:30 UTC
CVE-2014-8108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8108):
  The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.7.x before
  1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of
  service (NULL pointer dereference and crash) via a request for a URI that
  triggers a lookup for a virtual transaction name that does not exist.

CVE-2014-3580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3580):
  The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before
  1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of
  service (NULL pointer dereference and server crash) via a REPORT request for
  a resource that does not exist.
Comment 18 Sergey Popov gentoo-dev 2015-01-19 10:03:52 UTC
Thanks for your work, guys

GLSA vote: no
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2015-02-03 13:01:06 UTC
NO too, closing.