[gentoo-announce] [ GLSA 201709-09 ] Subversion: Arbitrary code execution - gentoo-announce

From:	Aaron Bauman <bman@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201709-09 ] Subversion: Arbitrary code execution
Date:	Sun, 17 Sep 2017 19:04:02
Message-Id:	`1792948.OyMXDtVKyE@localhost.localdomain`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201709-09

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Subversion: Arbitrary code execution

9

     Date: September 17, 2017

10

     Bugs: #627480

11

       ID: 201709-09

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A command injection vulnerability in Subversion may allow remote

19

attackers to execute arbitrary code.

20

21

Background

22

==========

23

24

Subversion is a version control system intended to eventually replace

25

CVS. Like CVS, it has an optional client-server architecture (where the

26

server can be an Apache server running mod_svn, or an ssh program as in

27

CVS’s :ext: method). In addition to supporting the features found in

28

CVS, Subversion also provides support for moving and copying files and

29

directories.

30

31

Affected packages

32

=================

33

34

    -------------------------------------------------------------------

35

     Package              /     Vulnerable     /            Unaffected

36

    -------------------------------------------------------------------

37

  1  dev-vcs/subversion           < 1.9.7                    >= 1.9.7 

38

                                                            *> 1.8.18 

39

40

Description

41

===========

42

43

Specially crafted 'ssh://...' URLs may allow the owner of the

44

repository to execute arbitrary commands on client's machine if those

45

commands are already installed on the client's system. This is

46

especially dangerous when the third-party repository has one or more

47

submodules with specially crafted 'ssh://...' URLs. Each time the

48

repository is recursively cloned or submodules are updated the payload

49

will be triggered.

50

51

Impact

52

======

53

54

A remote attacker, by enticing a user to clone a specially crafted

55

repository, could possibly execute arbitrary code with the privileges

56

of the process.

57

58

Workaround

59

==========

60

61

There are several alternative ways to fix this vulnerability. Please

62

refer to Subversion Team Announce for more details.

63

64

Resolution

65

==========

66

67

All Subversion 1.9.x users should upgrade to the latest version:

68

69

  # emerge --sync

70

  # emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.9.7"

71

72

All Subversion 1.8.x users should upgrade to the latest version:

73

74

  # emerge --sync

75

  # emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.8.18"

76

77

References

78

==========

79

80

[ 1 ] CVE-2017-9800

81

      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9800

82

[ 2 ] Subversion Team Announce

83

      https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

84

85

Availability

86

============

87

88

This GLSA and any updates to it are available for viewing at

89

the Gentoo Security Website:

90

91

 https://security.gentoo.org/glsa/201709-09

92

93

Concerns?

94

=========

95

96

Security is a primary focus of Gentoo Linux and ensuring the

97

confidentiality and security of our users' machines is of utmost

98

importance to us. Any security concerns should be addressed to

99

security@g.o or alternatively, you may file a bug at

100

https://bugs.gentoo.org.

101

102

License

103

=======

104

105

Copyright 2017 Gentoo Foundation, Inc; referenced text

106

belongs to its owner(s).

107

108

The contents of this document are licensed under the

109

Creative Commons - Attribution / Share Alike license.

110

111

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201709-09
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Subversion: Arbitrary code execution
9	Date: September 17, 2017
10	Bugs: #627480
11	ID: 201709-09
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A command injection vulnerability in Subversion may allow remote
19	attackers to execute arbitrary code.
20
21	Background
22	==========
23
24	Subversion is a version control system intended to eventually replace
25	CVS. Like CVS, it has an optional client-server architecture (where the
26	server can be an Apache server running mod_svn, or an ssh program as in
27	CVS’s :ext: method). In addition to supporting the features found in
28	CVS, Subversion also provides support for moving and copying files and
29	directories.
30
31	Affected packages
32	=================
33
34	-------------------------------------------------------------------
35	Package / Vulnerable / Unaffected
36	-------------------------------------------------------------------
37	1 dev-vcs/subversion < 1.9.7 >= 1.9.7
38	*> 1.8.18
39
40	Description
41	===========
42
43	Specially crafted 'ssh://...' URLs may allow the owner of the
44	repository to execute arbitrary commands on client's machine if those
45	commands are already installed on the client's system. This is
46	especially dangerous when the third-party repository has one or more
47	submodules with specially crafted 'ssh://...' URLs. Each time the
48	repository is recursively cloned or submodules are updated the payload
49	will be triggered.
50
51	Impact
52	======
53
54	A remote attacker, by enticing a user to clone a specially crafted
55	repository, could possibly execute arbitrary code with the privileges
56	of the process.
57
58	Workaround
59	==========
60
61	There are several alternative ways to fix this vulnerability. Please
62	refer to Subversion Team Announce for more details.
63
64	Resolution
65	==========
66
67	All Subversion 1.9.x users should upgrade to the latest version:
68
69	# emerge --sync
70	# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.9.7"
71
72	All Subversion 1.8.x users should upgrade to the latest version:
73
74	# emerge --sync
75	# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.8.18"
76
77	References
78	==========
79
80	[ 1 ] CVE-2017-9800
81	https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9800
82	[ 2 ] Subversion Team Announce
83	https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
84
85	Availability
86	============
87
88	This GLSA and any updates to it are available for viewing at
89	the Gentoo Security Website:
90
91	https://security.gentoo.org/glsa/201709-09
92
93	Concerns?
94	=========
95
96	Security is a primary focus of Gentoo Linux and ensuring the
97	confidentiality and security of our users' machines is of utmost
98	importance to us. Any security concerns should be addressed to
99	security@g.o or alternatively, you may file a bug at
100	https://bugs.gentoo.org.
101
102	License
103	=======
104
105	Copyright 2017 Gentoo Foundation, Inc; referenced text
106	belongs to its owner(s).
107
108	The contents of this document are licensed under the
109	Creative Commons - Attribution / Share Alike license.
110
111	http://creativecommons.org/licenses/by-sa/2.5