Bugzilla – Bug 909935
VUL-0: CVE-2014-3580, CVE-2014-8108: subversion: remotely triggerable segfault DoS vulnerabilities
Last modified: 2017-08-17 14:38:44 UTC
CRD: 2014-12-15, 17:00 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
NotDashEscaped: You need GnuPG to verify this message

This email is a confidential pre-notification for multiple security alerts for Subversion clients:

* CVE-2014-3580
* CVE-2014-8108

Please *do not forward* any part of this mail to anyone. The public announcement is not until 15 December 2014 17:00 UTC, and we'd like to keep the information embargoed until then.

You are receiving this mail because (we think) you distribute software that uses the Subversion libraries or that you host a Subversion installation used by a large number of users. We believe that you might want to have your software patched by the time these security holes are made public on 15 December.

If you no longer maintain Subversion-related packages or hosting, please reply to this mail indicating who the appropriate contact would be for your organization.

Below are the advisories, followed by patches to fix the problems. The Subversion patches apply to Subversion 1.7.18 and Subversion 1.8.10. Subversion 1.7.19 and 1.8.11 will be published on 15 December, including the patches below, as well as other stability and bug fixes. You can get an advance copy of the source distribution here:

https://dist.apache.org/repos/dist/dev/subversion/?p=7401

Here are the full advisories:

{{{
mod_dav_svn is vulnerable to a remotely triggerable segfault DoS vulnerability with certain invalid REPORT requests.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives a REPORT request for some invalid formatted special URIs. This can lead to a DoS.

There are no known instances of this problem being exploited in the wild.
Known vulnerable:
=================

Subversion HTTPD servers 1.0.0 through 1.7.18 (inclusive)
Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive)

Known fixed:
============

Subversion 1.7.19
Subversion 1.8.11

Details:
========

Subversion's HTTP support is implemented as an interaction between mod_dav and mod_dav_svn. mod_dav asks mod_dav_svn to fill a resource struct when a request is made. When the resource doesn't exist in the repository the repository path is calculated as a NULL. Later mod_dav calls into mod_dav_svn to actually handle the request and Subversion attempts to use the repository path which is NULL, resulting in the SEGFAULT.

Severity:
=========

CVSSv2 Base Score: 5.0
CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

We consider this to be a medium risk vulnerability.

Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers are vulnerable.

A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the request from the attacker. In either case there is an increased processing impact of restarting a process and the cost of per process caches being lost.

Recommendations:
================

We recommend all users to upgrade to Subversion 1.8.11.

Users of Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
http://subversion.apache.org/packages.html

No known workarounds are available.
References: =========== CVE-2014-3580 (Subversion) Reported by: ============ Evgeny Kotkov, VisualSVN Patches: ======== Patch against 1.7.18: [[[ Index: subversion/mod_dav_svn/reports/deleted-rev.c =================================================================== --- subversion/mod_dav_svn/reports/deleted-rev.c (revision 1624477) +++ subversion/mod_dav_svn/reports/deleted-rev.c (working copy) @@ -56,6 +56,9 @@ dav_svn__get_deleted_rev_report(const dav_resource dav_error *derr = NULL; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0, Index: subversion/mod_dav_svn/reports/file-revs.c =================================================================== --- subversion/mod_dav_svn/reports/file-revs.c (revision 1624477) +++ subversion/mod_dav_svn/reports/file-revs.c (working copy) @@ -251,6 +251,9 @@ dav_svn__file_revs_report(const dav_resource *reso arb.repos = resource->info->repos; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); /* ### This is done on other places, but the document element is in this namespace, so is this necessary at all? */ Index: subversion/mod_dav_svn/reports/get-location-segments.c =================================================================== --- subversion/mod_dav_svn/reports/get-location-segments.c (revision 1624477) +++ subversion/mod_dav_svn/reports/get-location-segments.c (working copy) 
@@ -123,6 +123,9 @@ dav_svn__get_location_segments_report(const dav_re struct location_segment_baton location_segment_baton; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/get-locations.c =================================================================== --- subversion/mod_dav_svn/reports/get-locations.c (revision 1624477) +++ subversion/mod_dav_svn/reports/get-locations.c (working copy) @@ -106,6 +106,9 @@ dav_svn__get_locations_report(const dav_resource * sizeof(svn_revnum_t)); /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/log.c =================================================================== --- subversion/mod_dav_svn/reports/log.c (revision 1624477) +++ subversion/mod_dav_svn/reports/log.c (working copy) @@ -307,6 +307,9 @@ dav_svn__log_report(const dav_resource *resource, = apr_array_make(resource->pool, 1, sizeof(const char *)); /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/mergeinfo.c =================================================================== --- subversion/mod_dav_svn/reports/mergeinfo.c (revision 1624477) +++ subversion/mod_dav_svn/reports/mergeinfo.c (working copy) 
@@ -67,6 +67,9 @@ dav_svn__get_mergeinfo_report(const dav_resource * = apr_array_make(resource->pool, 0, sizeof(const char *)); /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { ]]] Patch against 1.8.10: [[[ Index: subversion/mod_dav_svn/reports/deleted-rev.c =================================================================== --- subversion/mod_dav_svn/reports/deleted-rev.c (revision 1624477) +++ subversion/mod_dav_svn/reports/deleted-rev.c (working copy) @@ -56,6 +56,9 @@ dav_svn__get_deleted_rev_report(const dav_resource dav_error *derr = NULL; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0, Index: subversion/mod_dav_svn/reports/file-revs.c =================================================================== --- subversion/mod_dav_svn/reports/file-revs.c (revision 1624477) +++ subversion/mod_dav_svn/reports/file-revs.c (working copy) 
@@ -254,6 +254,9 @@ dav_svn__file_revs_report(const dav_resource *reso arb.repos = resource->info->repos; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); /* ### This is done on other places, but the document element is in this namespace, so is this necessary at all? */ Index: subversion/mod_dav_svn/reports/get-location-segments.c =================================================================== --- subversion/mod_dav_svn/reports/get-location-segments.c (revision 1624477) +++ subversion/mod_dav_svn/reports/get-location-segments.c (working copy) @@ -123,6 +123,9 @@ dav_svn__get_location_segments_report(const dav_re struct location_segment_baton location_segment_baton; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/get-locations.c =================================================================== --- subversion/mod_dav_svn/reports/get-locations.c (revision 1624477) +++ subversion/mod_dav_svn/reports/get-locations.c (working copy) @@ -106,6 +106,9 @@ dav_svn__get_locations_report(const dav_resource * sizeof(svn_revnum_t)); /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/inherited-props.c =================================================================== --- subversion/mod_dav_svn/reports/inherited-props.c (revision 1624477) +++ subversion/mod_dav_svn/reports/inherited-props.c (working copy) 
@@ -63,6 +63,9 @@ dav_svn__get_inherited_props_report(const dav_reso apr_pool_t *iterpool; /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/log.c =================================================================== --- subversion/mod_dav_svn/reports/log.c (revision 1624477) +++ subversion/mod_dav_svn/reports/log.c (working copy) @@ -307,6 +307,9 @@ dav_svn__log_report(const dav_resource *resource, = apr_array_make(resource->pool, 1, sizeof(const char *)); /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { Index: subversion/mod_dav_svn/reports/mergeinfo.c =================================================================== --- subversion/mod_dav_svn/reports/mergeinfo.c (revision 1624477) +++ subversion/mod_dav_svn/reports/mergeinfo.c (working copy) 
@@ -67,6 +67,9 @@ dav_svn__get_mergeinfo_report(const dav_resource * = apr_array_make(resource->pool, 0, sizeof(const char *)); /* Sanity check. */ + if (!resource->info->repos_path) + return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0, + "The request does not specify a repository path"); ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE); if (ns == -1) { ]]] }}} {{{ mod_dav_svn is vulnerable to a remotely triggerable segfault DoS vulnerability for requests with no existant virtual transaction names. Summary: ======== Subversion's mod_dav_svn Apache HTTPD server module will crash when it receives a request for some invalid formatted special URIs. This can lead to a DoS. There are no known instances of this problem being exploited in the wild. Known vulnerable: ================= Subversion HTTPD servers 1.7.0 through 1.7.18 (inclusive) Subversion HTTPD servers 1.8.0 through 1.8.10 (inclusive) Known fixed: ============ Subversion 1.7.19 Subversion 1.8.11 Details: ======== Subversion 1.7.0 and newer added new protocol variant to the HTTP support. One of the changes in this new protocol was that the client no longer had to generate the UUID by which transactions would be referred to. However, there were circumstances where clients needed to provide their own names for transactions and so it has support for virtual transaction names. These transaction names are then mapped to the servers internal transaction id much as was done in the old protocol. New special URIs were provided to allow the client to access the transactions by these virtual transaction names. Making a request for a URI that refers to a non-existant virtual transaction name results in the lookup for the internal transaction id to be NULL. Subsequent uses of the transaction id do not properly validate that the id is valid and result in a SEGFAULT. Severity: ========= CVSSv2 Base Score: 5.0 CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P We consider this to be a medium risk vulnerability. 
Repositories which allow for anonymous reads will be vulnerable without authentication. Unfortunately, no special configuration is required and all mod_dav_svn servers that support the new protocol variant are vulnerable. A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the request from the attacker. In either case there is an increased processing impact of restarting a process and the cost of per process caches being lost. Recommendations: ================ We recommend all users to upgrade to Subversion 1.8.11. Users of Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html No known workarounds are available. References: =========== CVE-2014-8108 (Subversion) Reported by: ============ Evgeny Kotkov, VisualSVN Patches: ======== Patch against 1.7.18: [[[ Index: subversion/mod_dav_svn/repos.c =================================================================== --- subversion/mod_dav_svn/repos.c (revision 1624477) +++ subversion/mod_dav_svn/repos.c (working copy) @@ -506,6 +506,9 @@ parse_vtxnstub_uri(dav_resource_combined *comb, if (parse_txnstub_uri(comb, path, label, use_checked_in)) return TRUE; + if (!comb->priv.root.txn_name) + return TRUE; + comb->priv.root.vtxn_name = comb->priv.root.txn_name; comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.vtxn_name); 
@@ -574,6 +577,9 @@ parse_vtxnroot_uri(dav_resource_combined *comb, if (parse_txnroot_uri(comb, path, label, use_checked_in)) return TRUE; + if (!comb->priv.root.txn_name) + return TRUE; + comb->priv.root.vtxn_name = comb->priv.root.txn_name; comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.vtxn_name); @@ -919,6 +925,10 @@ prep_working(dav_resource_combined *comb) point. */ if (txn_name == NULL) { + if (!comb->priv.root.activity_id) + return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0, + "The request did not specify an activity ID"); + txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id); if (txn_name == NULL) @@ -1029,9 +1039,14 @@ prep_working(dav_resource_combined *comb) static dav_error * prep_activity(dav_resource_combined *comb) { - const char *txn_name = dav_svn__get_txn(comb->priv.repos, - comb->priv.root.activity_id); + const char *txn_name; + if (!comb->priv.root.activity_id) + return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0, + "The request did not specify an activity ID"); + + txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id); + comb->priv.root.txn_name = txn_name; comb->res.exists = txn_name != NULL; ]]] Patch against 1.8.10: [[[ Index: subversion/mod_dav_svn/repos.c =================================================================== --- subversion/mod_dav_svn/repos.c (revision 1624477) +++ subversion/mod_dav_svn/repos.c (working copy) @@ -508,6 +508,9 @@ parse_vtxnstub_uri(dav_resource_combined *comb, if (parse_txnstub_uri(comb, path, label, use_checked_in)) return TRUE; + if (!comb->priv.root.txn_name) + return TRUE; + comb->priv.root.vtxn_name = comb->priv.root.txn_name; comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.vtxn_name); 
@@ -576,6 +579,9 @@ parse_vtxnroot_uri(dav_resource_combined *comb, if (parse_txnroot_uri(comb, path, label, use_checked_in)) return TRUE; + if (!comb->priv.root.txn_name) + return TRUE; + comb->priv.root.vtxn_name = comb->priv.root.txn_name; comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.vtxn_name); @@ -921,6 +927,10 @@ prep_working(dav_resource_combined *comb) point. */ if (txn_name == NULL) { + if (!comb->priv.root.activity_id) + return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0, + "The request did not specify an activity ID"); + txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id); if (txn_name == NULL) 
@@ -1031,9 +1041,14 @@ prep_working(dav_resource_combined *comb) static dav_error * prep_activity(dav_resource_combined *comb) { - const char *txn_name = dav_svn__get_txn(comb->priv.repos, - comb->priv.root.activity_id); + const char *txn_name; + if (!comb->priv.root.activity_id) + return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0, + "The request did not specify an activity ID"); + + txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id); + comb->priv.root.txn_name = txn_name; comb->res.exists = txn_name != NULL; ]]] }}} -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJUi3BAAAoJEGLUj60WoN4Bi8sQAKO5GshgZhjYZj5ma9dfkSRz Yb2KhJUCg3pnlaWv4MLC00Y48Dw+24TDtPeGiqvuwYXqwgYufPEd/+toMA+Xs7F3 3P5O6f61fJ6RLVLniAvyzXsFRx1bNDOZN0sEKPmnKfuQXCfxGx4gMQiV82w8NVXB oPGRSEDi0jYH4+vmKCjZUHZsD/pUtmWrnvtMlWpSLVcpML6EhXJJDVljacbQxbFx zyRLlAU8P4JM7V+kppYRZAl2ii/MVToX4VIMTYjHWITNQaARP2wr0lSZWFh05PqP qWrCvxIGAen79ZdwV7t7vrk0E5f0OljX6blfFrM7gSHObYAV0e2AolwZNA83omSU vOzFkTYebW0EEU5iRsPRhuMhmCnXYcdU9ZXaaKLGl4LttKyS9/JgThGvfoFeNFg5 mmTi3aeqlF1qDuLseUrBwNchV1xya9gnbwcY9gukldND+SVgU1jclQ8axiKFXtfr s680Bu64PTfiqccP0n9IvPiIeb84fRc63hGZyZpJu+OgsEG6pwslYku5zNDJY30+ YNJUNvmBJQL3KJevF8wou9xCC9CKwFrMOMI7KBUdlzHdx3vEg3jiH98CAC3dzcQK NEpRMMKThoK1NcPf+BOuXjxxc8TeNXzET1imIvL4zvRdQe4n69xUXMj4o763Hlx1 FWNuWUGB68Ux6Yl/ReIV =6whj -----END PGP SIGNATURE-----
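Review bot: In the CVE-2014-3580 patches, the same three-line guard on `resource->info->repos_path` is pasted into every REPORT handler (deleted-rev.c, file-revs.c, get-location-segments.c, get-locations.c, log.c and mergeinfo.c, plus inherited-props.c in the 1.8.10 patch), so any report handler added later has to remember to repeat it; checking once at the point where mod_dav_svn dispatches REPORT requests to these handlers would cover all of them, present and future. It is also worth confirming that the six files in the 1.7.18 patch are the complete set of report handlers on that branch, given that the 1.8.10 patch covers one more. The existing `/* Sanity check. */` comment now sits above both the new guard and the old namespace check; a one-line comment saying why repos_path can be NULL here (the requested resource does not exist in the repository, per the Details section) would document the precondition for the next reader.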
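Review bot: In the parse_vtxnstub_uri and parse_vtxnroot_uri hunks of the CVE-2014-8108 patches, `if (!comb->priv.root.txn_name) return TRUE;` relies on the reader knowing that TRUE means the URI failed to parse, as in the preceding `if (parse_txnstub_uri(comb, path, label, use_checked_in)) return TRUE;`; a short comment stating that a missing transaction name is treated as a malformed URI, and that the early return keeps dav_svn__get_txn from being called with a NULL vtxn_name, would make the intent explicit. The two hunks are identical apart from the parser they follow, so a small shared helper would avoid carrying the same check in two places.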
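Review bot: The prep_working and prep_activity hunks add the same `activity_id` guard with the same message, but neither says where a NULL activity_id comes from; since prep_activity still sets `comb->res.exists = txn_name != NULL;` after the lookup, a comment distinguishing the two outcomes (no activity ID in the request gives HTTP_BAD_REQUEST, an unknown activity ID simply leaves exists false) would pin down the intended semantics. In prep_activity the declaration of txn_name is now split from its initialisation, which is fine, but the added blank `+` line before `comb->priv.root.txn_name = txn_name;` is a whitespace-only change that could be dropped to keep the diff minimal.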
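As an added illustration of the two Details sections above (the NULL repository path behind CVE-2014-3580 and the NULL transaction lookup behind CVE-2014-8108), and not code from Subversion or from this advisory: the program below models a resource whose repository path may be NULL and an activity lookup that may find nothing, and shows the precondition checked once in a central dispatcher and once in the activity preparation step, returning a 400 instead of dereferencing. The struct layouts, the report table, the activity table, and the functions deliver_report, get_txn and prep_activity are assumptions made for the example; only the error messages and the use of HTTP_BAD_REQUEST follow the patches.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mod_dav_svn code: the names echo the advisory's
 * (repos_path, activity_id, txn_name), but every struct, table and function
 * here is an assumption made for the illustration. */

#define HTTP_OK          200
#define HTTP_BAD_REQUEST 400
#define HTTP_NOT_FOUND   404

/* Stand-in for resource->info. repos_path is NULL when the requested
 * resource maps to no path in the repository (the CVE-2014-3580 condition). */
typedef struct { const char *repos_path; } resource_t;

typedef int (*report_fn)(const resource_t *res, char *out, size_t outlen);

/* Report handlers that, like the unpatched ones, assume repos_path is valid.
 * They are reachable only through deliver_report(), which checks it. */
static int log_report(const resource_t *res, char *out, size_t outlen)
{
    snprintf(out, outlen, "log entries for %s", res->repos_path);
    return HTTP_OK;
}

static int mergeinfo_report(const resource_t *res, char *out, size_t outlen)
{
    snprintf(out, outlen, "mergeinfo for %s", res->repos_path);
    return HTTP_OK;
}

static const struct { const char *name; report_fn fn; } reports[] = {
    { "log-report", log_report }, { "mergeinfo-report", mergeinfo_report },
};

/* Central REPORT dispatch: the precondition is enforced once, before any
 * handler runs, instead of being repeated inside each handler. */
int deliver_report(const char *name, const resource_t *res, char *out, size_t outlen)
{
    size_t i;
    if (res->repos_path == NULL) {
        snprintf(out, outlen, "The request does not specify a repository path");
        return HTTP_BAD_REQUEST;
    }
    for (i = 0; i < sizeof reports / sizeof reports[0]; i++)
        if (strcmp(reports[i].name, name) == 0)
            return reports[i].fn(res, out, outlen);
    snprintf(out, outlen, "unknown report: %s", name);
    return HTTP_BAD_REQUEST;
}

/* Constructed sample mapping from client-chosen activity names to internal
 * transaction ids (the CVE-2014-8108 side). */
static const struct { const char *activity_id; const char *txn_id; } txns[] = {
    { "client-activity-1", "12-3" }, { "client-activity-2", "15-b" },
};

/* Returns NULL for an unknown name, as the advisory describes for the real
 * lookup. Callers must not pass NULL; prep_activity() guarantees that. */
const char *get_txn(const char *activity_id)
{
    size_t i;
    for (i = 0; i < sizeof txns / sizeof txns[0]; i++)
        if (strcmp(txns[i].activity_id, activity_id) == 0)
            return txns[i].txn_id;
    return NULL;
}

/* Parsed root of a special URI; activity_id is NULL when the URI carried no
 * usable transaction name. */
typedef struct { const char *activity_id; const char *txn_name; int exists; } txn_root_t;

/* Shaped like the patched prep_activity(): reject a request with no activity
 * ID before the lookup, then record whether the transaction exists instead
 * of letting a NULL id reach later code. */
int prep_activity(txn_root_t *root, char *out, size_t outlen)
{
    if (root->activity_id == NULL) {
        snprintf(out, outlen, "The request did not specify an activity ID");
        return HTTP_BAD_REQUEST;
    }
    root->txn_name = get_txn(root->activity_id);
    root->exists = root->txn_name != NULL;
    if (!root->exists) {
        snprintf(out, outlen, "no transaction for activity %s", root->activity_id);
        return HTTP_NOT_FOUND;
    }
    snprintf(out, outlen, "activity %s -> txn %s", root->activity_id, root->txn_name);
    return HTTP_OK;
}

int main(void)
{
    char buf[128];
    int status;
    resource_t missing = { NULL };           /* constructed: no repository path */
    txn_root_t unnamed = { NULL, NULL, 0 };  /* constructed: no activity ID */
    status = deliver_report("log-report", &missing, buf, sizeof buf);
    printf("%d %s\n", status, buf);
    status = prep_activity(&unnamed, buf, sizeof buf);
    printf("%d %s\n", status, buf);
    return 0;
}
```

The point of the dispatcher shape is that a handler table can grow without each new entry having to repeat the guard; the per-handler placement in the advisory's patch is the smaller, backport-friendly change, but the central check is what removes the class of bug rather than the seven instances of it.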
bugbot adjusting priority
public
This is an autogenerated message for OBS integration: This bug (909935) was mentioned in https://build.opensuse.org/request/show/265818 Factory / subversion
Fixed for openSUSE: https://build.opensuse.org/request/show/265818 Maintenance request for openSUSE 12.3, 13.1, 13.2: https://build.opensuse.org/request/show/265853 Affects SLE.
openSUSE-SU-2014:1725-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 909935 CVE References: CVE-2014-3580,CVE-2014-8108 Sources used: openSUSE 13.2 (src): subversion-1.8.11-2.7.1 openSUSE 13.1 (src): subversion-1.8.11-2.33.1 openSUSE 12.3 (src): subversion-1.7.19-2.40.1
SLE-12 affected, SLE-11: seem affected too.
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-02-04. https://swamp.suse.de/webswamp/wf/60149
SUSE-SU-2015:0153-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 909935 CVE References: CVE-2014-3580,CVE-2014-8108 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): subversion-1.8.10-4.1
SUSE-SU-2015:0155-1: An update that fixes two vulnerabilities is now available. Category: security (low) Bug References: 909935,910376 CVE References: CVE-2014-3580,CVE-2014-8108 Sources used: SUSE Studio Onsite 1.3 (src): subversion-1.6.17-1.31.3
SUSE-SU-2015:0155-2: An update that fixes two vulnerabilities is now available. Category: security (low) Bug References: 909935,910376 CVE References: CVE-2014-3580,CVE-2014-8108 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): subversion-1.6.17-1.31.3
released
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938 CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1