Gentoo Archives: gentoo-announce

From: Kurt Lieber <klieber@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200406-07 ] Subversion: Remote heap overflow
Date: Thu, 10 Jun 2004 23:15:30
Message-Id: 20040610231602.GZ9639@mail.lieber.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Subversion: Remote heap overflow
Date: June 10, 2004
ID: 200406-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Subversion is vulnerable to a remote Denial of Service that may be
exploitable to execute arbitrary code on the server running svnserve.

Background
==========

Subversion is a revision control system that aims to be a "compelling
replacement for CVS". It enjoys wide use in the open source community.
svnserve allows access to Subversion repositories using URIs with the
svn://, svn+ssh://, and other tunnelled svn+*:// protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  dev-util/subversion      <= 1.0.4                      >= 1.0.4-r1

Description
===========

The svn protocol parser trusts the indicated length of a URI string
sent by a client. This allows a client to specify a very long string,
thereby causing svnserve to allocate enough memory to hold that string.
This may cause a Denial of Service. Alternatively, given a string that
causes an integer overflow in the variable holding the string length,
the server might allocate less memory than required, allowing a heap
overflow. This heap overflow may then be exploitable, allowing remote
code execution. The attacker does not need read or write access to the
Subversion repository being served, since even unauthenticated users
can send svn protocol requests.

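The length handling described above, shown as an added C example (it is
not Subversion's code and not part of the original advisory). It assumes
a constructed "<decimal-len>:<bytes>" wire item; the function names and
the MAX_ITEM_LEN cap are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEM_LEN 4096u /* assumed policy cap, not a Subversion constant */

/* Size an unchecked malloc(len + 1) would request with a 32-bit length:
 * a declared length of 0xFFFFFFFF wraps to 0, the under-allocation case. */
uint32_t naive_alloc_size(uint32_t declared_len)
{
    return declared_len + 1u;
}

/* Parse one "<decimal-len>:<bytes>" item from in[0..in_len).
 * Returns 0 and a NUL-terminated heap copy in *out, or -1 if rejected. */
int read_counted_string(const char *in, size_t in_len, char **out, size_t *out_len)
{
    size_t i = 0, len = 0;
    *out = NULL;
    if (in_len == 0 || !isdigit((unsigned char)in[0]))
        return -1;
    for (; i < in_len && isdigit((unsigned char)in[i]); i++) {
        len = len * 10 + (size_t)(in[i] - '0');
        if (len > MAX_ITEM_LEN)      /* reject before the counter can wrap */
            return -1;
    }
    if (i == in_len || in[i] != ':')
        return -1;
    i++;
    if (len > in_len - i)            /* peer declared more than it sent */
        return -1;
    char *buf = malloc(len + 1);     /* cannot wrap: len <= MAX_ITEM_LEN */
    if (buf == NULL)
        return -1;
    memcpy(buf, in + i, len);
    buf[len] = '\0';
    *out = buf;
    *out_len = len;
    return 0;
}

int main(void)
{
    char *s; size_t n;
    int ok = read_counted_string("4:/svn", 6, &s, &n) == 0;
    free(s);
    return (ok && read_counted_string("4294967295:x", 12, &s, &n) == -1) ? 0 : 1;
}
```
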
Impact
======

Ranges from remote Denial of Service to potential arbitrary code
execution with privileges of the svnserve process.

Workaround
==========

Servers without svnserve running are not vulnerable. Disable svnserve
and use DAV for access instead.

Resolution
==========

All users should upgrade to the latest version of Subversion.

    # emerge sync

    # emerge -pv ">=dev-util/subversion-1.0.4-r1"
    # emerge ">=dev-util/subversion-1.0.4-r1"

References
==========

[ 1 ] CAN-2004-0413
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0413

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200406-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0