===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1009
             A vulnerability has been identified in Subversion
                               25 July 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Subversion
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4131  

Original Bulletin: 
   http://subversion.apache.org/security/CVE-2013-4131-advisory.txt

---------------------------BEGIN INCLUDED TEXT--------------------

  Subversion HTTP servers up to 1.8.0 (inclusive) are vulnerable
  to a remotely triggerable "Assertion failed" DoS vulnerability or read
  overflow.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion
  on some requests made against a revision root.  This can lead to a DoS.
  If assertions are disabled it will trigger a read overflow which may cause a
  SEGFAULT (or equivalent) or undefined behavior.

  Commit access is required to exploit this.

Known vulnerable:
=================

  Subversion HTTPD servers 1.7.0 through 1.7.10 (inclusive).
  Subversion HTTPD servers 1.8.0 (including 1.8.0 release candidates).

Known fixed:
============

  Subversion 1.8.1
  Subversion 1.7.11
  svnserve (any version) is not vulnerable.
  Subversion 1.6.x is not vulnerable.

Details:
========

  The vulnerability can be triggered in two ways.  The first way requires
  that the Subversion server runs Apache HTTPD 2.2.25 or later or Apache HTTPD
  2.4.5 or later.  When running under those versions of Apache HTTPD, the
  vulnerability can be triggered by making a COPY request against a revision
  root.  The following Subversion operation generates such a request:
  % svn cp -mm ^/ ^/foo

  With any version of Apache HTTPD, the vulnerability may be triggered by
  making a DELETE HTTP request against a revision root, a MOVE HTTP request
  whose source or destination is a revision root, or a COPY HTTP request whose
  destination is a revision root.  These requests are not part of any valid
  Subversion operation.

  Making a copy of the repository root is a valid Subversion operation.
  However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being
  exercised for a revision root that had never before been executed for a
  revision root.  That code performs hand-rolled path arithmetic instead of
  using the internal path manipulation library, and thus passes an invalid
  path down to a library function which runs an assert() validation on that
  path.

  When assertions are enabled, the validation fails and kills the httpd
  process.  When assertions are disabled, code would read beyond allocated
  memory, which may lead to a segfault or undefined behavior. 
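  The precondition problem described above, as an added illustrative example
  in C (this is not Subversion's own code; fspath_is_canonical and
  fspath_parent are assumed names): a dirname-style routine that only accepts
  canonical "fspath" input and fails closed on anything else, instead of
  asserting or doing pointer arithmetic on a string that may be shorter than
  the arithmetic assumes.

```c
/* Illustrative reimplementation, not Subversion's code: a parent-path
 * function with an explicit canonical-form precondition.  Canonical fspath
 * here means: starts with '/', is "/" or has no trailing slash, and has no
 * empty segments ("//").  The bug class in CVE-2013-4131 is arithmetic that
 * assumes this form on a path that does not have it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Returns true iff path is in canonical fspath form (assumed helper). */
bool fspath_is_canonical(const char *path)
{
    size_t len;
    if (path == NULL || path[0] != '/')
        return false;                 /* must be absolute */
    len = strlen(path);
    if (len == 1)
        return true;                  /* the root "/" is canonical */
    if (path[len - 1] == '/')
        return false;                 /* trailing slash */
    if (strstr(path, "//") != NULL)
        return false;                 /* empty segment */
    return true;
}

/* Parent of a canonical fspath, heap-allocated (caller frees).
 * Returns NULL when the precondition is violated: the caller gets a clear
 * failure rather than an assert() abort or a read past the terminator. */
char *fspath_parent(const char *path)
{
    size_t len;
    const char *last;
    char *out;

    if (!fspath_is_canonical(path))
        return NULL;                  /* fail closed on "", "/a/", "a/b" */
    len = strlen(path);
    if (len == 1) {                   /* parent of the root is the root */
        out = malloc(2);
        if (out) memcpy(out, "/", 2);
        return out;
    }
    last = strrchr(path, '/');        /* always found: path[0] == '/' */
    len = (size_t)(last - path);
    if (len == 0) len = 1;            /* "/a" -> "/" rather than "" */
    out = malloc(len + 1);
    if (out) { memcpy(out, path, len); out[len] = '\0'; }
    return out;
}
```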

Severity:
=========

  CVSSv2 Base Score: 4 
  CVSSv2 Base Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P 

  The severity of the impact depends on several environmental configuration
  details: specifically, whether assertions were enabled at build time and
  which MPM Apache httpd is using.

  When assertions are enabled (defaults to on for *nix systems and off for
  Windows) then the assertion will prevent any undefined behavior, at the cost
  of causing the http server process to abort.  Apache httpd servers using a
  prefork MPM will simply start a new process to replace the process that
  died.  Servers using threaded MPMs may be processing other requests in the
  same process as the process that the attack causes to die.  In either case
  there is an increased processing impact of restarting a process and the cost
  of per process caches being lost.

  When assertions are disabled a read overflow will occur.  This may cause a
  segfault.  However, it may also simply read into other memory that was
  allocated and as a result the precise behavior of Subversion is partially
  undefined.  Subversion may accept or reject the request when it should not
  do so based on locks, "If:" http headers or ETags.  We have not found any
  cases where the contents of the memory that has been read into will be
  leaked to the client or into the repository.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.8.1 or 1.7.11.
  Users who are unable to upgrade may apply the included patches.
  
  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for
  repositories served by HTTPD) due to an independent security issue fixed
  in that HTTPD release: CVE-2013-1896.  See <http://s.apache.org/H1a> for
  details about CVE-2013-1896, including a recommendation for those who serve
  Subversion repositories with Apache HTTPD 2.4.x.

References:
===========

  CVE-2013-4131  (Subversion)

Reported by:
============

  Daniel Shahaf, Apache Infrastructure

Patches:
========

Patch for Subversion 1.7.x and 1.8.0:
[[[
Index: subversion/mod_dav_svn/repos.c
===================================================================
- --- subversion/mod_dav_svn/repos.c	(revision 1503527)
+++ subversion/mod_dav_svn/repos.c	(revision 1503528)
@@ -2408,21 +2408,12 @@
                 svn_boolean_t is_urlpath,
                 apr_pool_t *pool)
 {
- -  apr_size_t len;
- -  char *tmp = apr_pstrdup(pool, path);
- -
- -  len = strlen(tmp);
- -
- -  if (len > 0)
+  if (*path != '\0') /* not an empty string */
     {
- -      /* Remove any trailing slash; else svn_path_dirname() asserts. */
- -      if (tmp[len-1] == '/')
- -        tmp[len-1] = '\0';
- -
       if (is_urlpath)
- -        return svn_urlpath__dirname(tmp, pool);
+        return svn_urlpath__dirname(path, pool);
       else
- -        return svn_fspath__dirname(tmp, pool);
+        return svn_fspath__dirname(path, pool);
     }
 
   return path;
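Review bot: `get_parent_path()` now carries an undocumented precondition: `path` must already be canonical (in particular, no trailing slash), because the removed `tmp[len-1] == '/'` stripping was the only thing standing between a non-canonical input and `svn_urlpath__dirname()`/`svn_fspath__dirname()`, which assert on such input and otherwise read past it. The function's doc comment (outside this hunk) should state that requirement explicitly, and a debug-only canonical-form check on entry would make any future caller that passes an uncanonicalized path fail at the call site rather than reproduce the original overread. The `*path != '\0'` test is a good replacement for the `apr_pstrdup()`/`strlen()` pair, which allocated on every call.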
@@ -2458,7 +2449,9 @@
       parent->versioned = 1;
       parent->hooks = resource->hooks;
       parent->pool = resource->pool;
- -      parent->uri = get_parent_path(resource->uri, TRUE, resource->pool);
+      parent->uri = get_parent_path(svn_urlpath__canonicalize(resource->uri,
+                                                              resource->pool),
+                                    TRUE, resource->pool);
       parent->info = parentinfo;
 
       parentinfo->uri_path =
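Review bot: this hunk canonicalizes only the `is_urlpath == TRUE` caller; any caller of `get_parent_path()` that passes `FALSE` (the `svn_fspath__dirname()` branch) is not in this diff and needs to be verified to already pass a canonical fspath, since the trailing-slash stripping removed from `get_parent_path()` no longer protects it. The `svn_urlpath__canonicalize()` call allocates in `resource->pool` on every parent lookup, which is acceptable here because the old code already `apr_pstrdup()`'d the path per call; if `resource->uri` is used elsewhere, storing it canonicalized once would avoid repeating this at each call site.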
]]]

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================