Bug 958299 (CVE-2015-5259) - VUL-0: CVE-2015-5259: subversion: Heap overflow and out-of-bounds read in svn:// protocol parser
Summary: VUL-0: CVE-2015-5259: subversion: Heap overflow and out-of-bounds read in svn...
Status: RESOLVED FIXED
Alias: CVE-2015-5259
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Assignee: Tomáš Chvátal
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-08 09:40 UTC by Marcus Meissner
Modified: 2016-02-04 16:23 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-12-08 09:40:11 UTC
embargoed, via security

CRD: 2015-12-15

  Remotely triggerable heap overflow and out-of-bounds read caused by
  integer overflow in the svn:// protocol parser.

Summary:
========

  Subversion servers and clients are vulnerable to a remotely triggerable
  heap-based buffer overflow and out-of-bounds read caused by an integer
  overflow in the svn:// protocol parser.

  This allows remote attackers to cause a denial of service or possibly
  execute arbitrary code under the context of the targeted process.

Known vulnerable:
=================

  Subversion 1.9.0 through 1.9.2 (inclusive)

  Only servers and clients using svn:// protocol are vulnerable
  Subversion httpd servers and clients (any version) are not vulnerable

Known fixed:
============

  Subversion 1.9.3

Details:
========

  The svnserve svn:// protocol strings are sent as a length followed by
  the string data.  The protocol parsing logic contains a flaw that allows
  an attacker to write memory past the end of a heap buffer with a specially
  crafted request that causes an arithmetic overflow.

  Since the flaw is in the parsing of the protocol, exploiting this
  vulnerability against an svnserve server does not require authentication
  from the remote attacker.

  The parsing code with the flaw is shared by both the svnserve server and
  clients using the svn://, svn+ssh:// and other tunneled svn+*:// methods.

Severity:
=========

  CVSSv2 Base Score: 9
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C

  We consider this to be a high risk vulnerability.  An exploit exists and
  has been tested to work against this vulnerability.

  The denial of service attack is reasonably easy to carry out, while
  exploiting the heap overflow is more difficult, depending upon how skilled
  the attacker is and upon the specifics of the platform.  We do not believe
  the exploit is being actively used in the wild at this time.

Recommendations:
================

  We recommend all users of Subversion 1.9.x to upgrade to Subversion 1.9.3.
  Users of Subversion 1.9.x who are unable to upgrade may apply the included
  patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.

References:
===========

  CVE-2015-5259  (Subversion)

Reported by:
============

  Ivan Zhakov, VisualSVN
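The length-prefixed string item described in the Details section above, parsed with an explicit overflow check on the decimal length before any buffer is sized from it. This is an added illustration of the defensive pattern, not Subversion's own parser or the fix shipped in 1.9.3; the 64 MiB bound, the function names and the test inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser for one svn:// protocol string item, which is sent
 * as "<decimal length>:<bytes>".  The length is accumulated with a bound
 * check on every digit, so a digit run that would wrap the counter, or a
 * length larger than the bytes actually received, is rejected before any
 * allocation or copy happens. */
#define SVN_STRING_MAX (64u * 1024u * 1024u)   /* constructed upper bound */

/* Returns 0 and stores a NUL-terminated copy in *out / *out_len on success;
 * returns -1 for a malformed, overflowing or truncated item. */
int parse_svn_string(const char *buf, size_t buf_len, char **out, size_t *out_len)
{
    size_t pos = 0, len = 0;
    if (pos >= buf_len || buf[pos] < '0' || buf[pos] > '9')
        return -1;                       /* item must start with a digit */
    while (pos < buf_len && buf[pos] >= '0' && buf[pos] <= '9') {
        unsigned d = (unsigned)(buf[pos] - '0');
        /* Check before multiplying: len * 10 + d must stay <= SVN_STRING_MAX */
        if (len > (SVN_STRING_MAX - d) / 10)
            return -1;
        len = len * 10 + d;
        pos++;
    }
    if (pos >= buf_len || buf[pos] != ':')
        return -1;                       /* missing ':' separator */
    pos++;
    /* The declared length must fit in what was received; buf_len - pos
     * cannot underflow because pos <= buf_len here. */
    if (len > buf_len - pos)
        return -1;
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memcpy(s, buf + pos, len);
    s[len] = '\0';
    *out = s;
    *out_len = len;
    return 0;
}

/* Convenience wrapper: decoded length of a NUL-terminated item, or -1. */
long svn_string_decode_len(const char *item)
{
    char *s; size_t n;
    if (parse_svn_string(item, strlen(item), &s, &n) != 0)
        return -1;
    free(s);
    return (long)n;
}
```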
Comment 3 Swamp Workflow Management 2015-12-08 23:00:15 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2015-12-11 13:08:55 UTC
CCing Apache Subversion PMC member Stefan Sperling.

For openSUSE...

For 1.8.x: devel:tools:scm:svn:1.8/subversion
The pre-release tarball is running all tests in:
home:AndreasStieger:branches:devel:tools:scm:svn:1.8/subversion

For 1.9.x: devel:tools:scm:svn/subversion
The pre-release tarball is running all tests in:
home:AndreasStieger:branches:devel:tools:scm:svn/subversion
Comment 5 Andreas Stieger 2015-12-15 16:56:00 UTC
Public at http://subversion.apache.org/security/CVE-2015-5259-advisory.txt
Comment 6 Andreas Stieger 2016-02-04 16:23:19 UTC
fixed