Bug 939517 (CVE-2015-3187) - VUL-1: CVE-2015-3187: subversion: svn_repos_trace_node_locations() reveals paths hidden by authz
Summary: VUL-1: CVE-2015-3187: subversion: svn_repos_trace_node_locations() reveals pa...
Status: RESOLVED FIXED
Alias: CVE-2015-3187
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2015-3187:4.0:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-27 10:36 UTC by Johannes Segitz
Modified: 2017-08-17 14:39 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2015-07-27 10:36:34 UTC 
Summary
=======

  Subversion servers, both httpd and svnserve, will reveal some paths
  that should be hidden by path-based authz.  When a node is copied
  from an unreadable location to a readable location the unreadable
  path may be revealed.  This vulnerablity only reveals the path, it
  does not reveal the contents of the path.

Known vulnerable
================

  Subversion 1.8.0 to 1.8.13
  Subversion 1.7.0 to 1.7.20
  All older versions

Known fixed
===========

  Subversion 1.8.14
  Subversion 1.7.21

Details
=======

  The function svn_repos_trace_node_locations() follows the history of
  a node through earlier revisions and shows any copies.  It should
  stop following history when an unreadable path is encountered but an
  implementation error causes the first unreadable path to be returned
  in some circumstances.  This only reveals the unreadable path, it
  does not reveal the content of the file or directory at that path.
  Any attempts to obtain the content will fail with an authorization
  error.

  Examples:

  1. After copying "unreadable-path" to "readable-path" then following
     the history of "readable-path" may reveal "unreadable-path".

  2. After copying "unreadable/some-path" to "readable/other-path"
     then following the history of "readable/other-path" may reveal
     "unreadable/some-path".

Severity
========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Recommendations
===============

  All Subversion servers using path-based authz to deny read access
  to sensitive paths should be upgraded.

References
==========

  CVE-2015-3187 (Subversion)

Reported by
===========

  C. Michael Pilato, CollabNet
Comment 1 Johannes Segitz 2015-07-27 10:36:59 UTC 
Created attachment 642018 [details]
patch for 1.7.20
Comment 2 Johannes Segitz 2015-07-27 10:37:17 UTC 
Created attachment 642019 [details]
patch for 1.8.13
Comment 4 Swamp Workflow Management 2015-07-27 21:59:44 UTC 
bugbot adjusting priority
Comment 5 Andreas Stieger 2015-07-28 09:48:24 UTC 
Adding to CC a community member who is a member of the upstream project and aware of the advisory and embargoed information.
Comment 6 Bernhard Wiedemann 2015-08-06 12:00:15 UTC 
This is an autogenerated message for OBS integration:
This bug (939517) was mentioned in
https://build.opensuse.org/request/show/320903 Factory / subversion
https://build.opensuse.org/request/show/320904 13.2 / subversion
Comment 8 Bernhard Wiedemann 2015-08-06 13:00:16 UTC 
This is an autogenerated message for OBS integration:
This bug (939517) was mentioned in
https://build.opensuse.org/request/show/320911 13.1 / subversion
Comment 9 Bernhard Wiedemann 2015-08-06 14:00:14 UTC 
This is an autogenerated message for OBS integration:
This bug (939517) was mentioned in
https://build.opensuse.org/request/show/320945 Factory / subversion
Comment 10 Johannes Segitz 2015-08-12 08:16:53 UTC 
public
Comment 11 Swamp Workflow Management 2015-08-18 08:10:22 UTC 
openSUSE-SU-2015:1401-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 939514,939517
CVE References: CVE-2015-3184,CVE-2015-3187
Sources used:
openSUSE 13.2 (src):    subversion-1.8.14-2.17.1
openSUSE 13.1 (src):    subversion-1.8.14-2.39.1
Comment 12 Marcus Meissner 2015-09-01 15:53:31 UTC 
released
Comment 13 Swamp Workflow Management 2015-09-01 16:10:29 UTC 
SUSE-SU-2015:1473-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 939514,939517
CVE References: CVE-2015-3184,CVE-2015-3187
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    subversion-1.8.10-15.1
Comment 14 Swamp Workflow Management 2015-12-25 16:11:06 UTC 
openSUSE-SU-2015:2363-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 939514,939517,958300
CVE References: CVE-2015-3184,CVE-2015-3187,CVE-2015-5343
Sources used:
openSUSE Leap 42.1 (src):    subversion-1.8.10-6.1
Comment 16 Swamp Workflow Management 2016-06-07 15:08:23 UTC 
SUSE-SU-2016:1511-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 939517,976849,976850
CVE References: CVE-2015-3187,CVE-2016-2167,CVE-2016-2168
Sources used:
SUSE Studio Onsite 1.3 (src):    subversion-1.6.17-1.35.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    subversion-1.6.17-1.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    subversion-1.6.17-1.35.1
Comment 17 Swamp Workflow Management 2017-08-17 10:12:30 UTC 
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938
CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    subversion-1.8.19-25.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    subversion-1.8.19-25.3.1