Bug 767898 (CVE-2020-17525) - <dev-vcs/subversion-1.14.1: DoS in mod_authz_svn (CVE-2020-17525)
Summary: <dev-vcs/subversion-1.14.1: DoS in mod_authz_svn (CVE-2020-17525)
Status: RESOLVED FIXED
Alias: CVE-2020-17525
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://subversion.apache.org/securit...
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on: 778455
Blocks:
Reported: 2021-01-29 23:28 UTC by Thomas Deutschmann (RETIRED)
Modified: 2021-05-17 08:09 UTC

See Also:
Package list:
dev-vcs/subversion-1.14.1
Runtime testing required: ---
nattka: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2021-01-29 23:28:50 UTC
Incoming details.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-11 01:33:59 UTC
CVE-2020-17525:

A null-pointer-dereference has been found in mod_authz_svn that results in
a remote unauthenticated Denial-of-Service in some server configurations.

The vulnerability can be triggered by an unauthenticated user if the
Apache HTTPD server is configured to use an in-repository authz file,
with configuration directives such as:

  AuthzSVNAccessFile "^/authz"
  AuthzSVNReposRelativeAccessFile "^/authz"

The problem originates when sending a GET request to a non-existent
repository. The mod_authz_svn module will attempt to find authz rules
at a path within the requested SVN repository. Upon constructing this
path, the function svn_repos_find_root_path will return a NULL pointer
since the requested repository does not exist on-disk.
A check for this legitimate NULL pointer condition is missing, which
results in a segmentation fault when the NULL pointer is used.

The in-repository authz feature was first introduced in Subversion 1.8:
https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz

The missing NULL check was first introduced during refactoring of the
authz code during development work leading up to Subversion 1.9.
Subversion 1.8 servers are unaffected.


Fixed in 1.14.1. Please bump.
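
Added example, not part of the bug report or of Subversion's own code: a small exposure check that flags Apache configuration lines using the in-repository authz directives quoted above when the installed Subversion version is affected. The function names, the sample configuration and the affected range (1.9.0 up to, but not including, 1.14.1, as this page frames it) are assumptions of the example.

```python
import re

# Directives named in the advisory text (Apache directive names are case-insensitive).
DIRECTIVES = ("authzsvnaccessfile", "authzsvnreposrelativeaccessfile")
# Assumption taken from this page: affected from 1.9, fixed in 1.14.1.
FIRST_AFFECTED, FIXED = (1, 9, 0), (1, 14, 1)

def parse_version(text):
    """Turn '1.14.0' or '1.13.0-r2' into a comparable tuple such as (1, 14, 0)."""
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not nums:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n or 0) for n in nums.groups())

def in_repo_authz_lines(conf_text):
    """Return (line_no, directive, value) for each in-repository authz setting."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in DIRECTIVES:
            continue  # skips comments, blank lines and unrelated directives
        value = parts[1].strip().strip("\"'")
        if value.startswith("^/"):  # repository-relative path, e.g. "^/authz"
            hits.append((no, parts[0], value))
    return hits

def audit(conf_text, svn_version):
    """Report findings only when an affected version meets an in-repo authz file."""
    affected = FIRST_AFFECTED <= parse_version(svn_version) < FIXED
    return in_repo_authz_lines(conf_text) if affected else []

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  # AuthzSVNAccessFile "^/old-authz"
  AuthzSVNReposRelativeAccessFile "^/authz"
</Location>
<Location /internal>
  AuthzSVNAccessFile /etc/apache2/svn-authz
</Location>
"""

if __name__ == "__main__":
    for version in ("1.8.19", "1.14.0", "1.14.1"):
        print(version, audit(SAMPLE_CONF, version))
```

An authz file kept on the filesystem, as in the second `<Location>` block, is not reported because the advisory ties the crash to in-repository authz paths.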
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-11 16:35:59 UTC
Please proceed with stabilization when ready.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2021-02-28 20:54:53 UTC
Let's go.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 18:29:34 UTC
sparc done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:16:12 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:17:05 UTC
arm64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:19:52 UTC
ppc64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-01 19:20:26 UTC
Hitting bug 740464 on ppc.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-02 04:44:58 UTC
amd64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-02 04:50:14 UTC
x86 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-17 03:04:19 UTC
ppc done

all arches done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-17 03:05:30 UTC
Please cleanup.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-05-17 08:09:02 UTC
No glsa here.