Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 627480 (CVE-2017-9800) - <dev-vcs/subversion-{1.8.18, 1.9.7}: Arbitrary code execution on clients through malicious svn+ssh URLs
Summary: <dev-vcs/subversion-{1.8.18, 1.9.7}: Arbitrary code execution on clients thro...
Alias: CVE-2017-9800
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2017-08-10 19:24 UTC by Hanno Böck
Modified: 2017-09-17 19:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-08-10 19:24:52 UTC

From upstream:

  A Subversion client sometimes connnects to URLs provided by the repository.
  This happens in two primary cases: during 'checkout', 'export', 'update', and
  'switch', when the tree being downloaded contains svn:externals properties;
  and when using 'svnsync sync' with one URL argument.

  A maliciously constructed svn+ssh:// URL would cause Subversion clients to
  run an arbitrary shell command.  Such a URL could be generated by a malicious
  server, by a malicious user committing to a honest server (to attack another
  user of that server's repositories), or by a proxy server.

  The vulnerability affects all clients, including those that use file://,
  http://, and plain (untunneled) svn://.

  An exploit has been tested.

1.9.7 + 1.7.19 upstream releases contain the fix. Please bump.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-08-11 15:59:55 UTC
commit 2a9da294f39199baec5a9eedd5ee368d62af42ec
Author: Lars Wendler <>
Date:   Fri Aug 11 14:16:43 2017

    dev-vcs/subversion: Security bump to versions 1.8.18 and 1.9.7
    Committed straight to stable.
    Package-Manager: Portage-2.3.6, Repoman-2.3.3
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-01 00:42:44 UTC
Thank you, Lars.

@Security please add to an existing glsa or file a new one and add CVE. 

Gentoo Security Padawan
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 19:03:32 UTC
This issue was resolved and addressed in
 GLSA 201709-09 at
by GLSA coordinator Aaron Bauman (b-man).