Bugzilla – Bug 958300
VUL-0: CVE-2015-5343: subversion: Heap overflow and out-of-bounds read in mod_dav_svn
Last modified: 2017-08-17 14:43:44 UTC
embargoed, via security CRD: 2015-12-15

Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies.

Summary:
========

Subversion's httpd servers are vulnerable to a remotely triggerable heap-based buffer overflow and out-of-bounds read caused by an integer overflow when parsing skel-encoded request bodies. This allows remote attackers with write access to a repository to cause a denial of service or possibly execute arbitrary code under the context of the httpd process.

32-bit server versions are vulnerable to both the denial-of-service attack and possible arbitrary code execution. 64-bit server versions are only vulnerable to the denial-of-service attack.

Known vulnerable:
=================

Subversion httpd servers 1.7.0 to 1.8.14 (inclusive)
Subversion httpd servers 1.9.0 through 1.9.2 (inclusive)
Subversion svnserve servers (any version) are not vulnerable

Known fixed:
============

Subversion 1.8.15
Subversion 1.9.3

Details:
========

The Subversion http://-based protocol used for communicating with a Subversion mod_dav_svn server has two versions, v1 and v2. The v2 protocol was added in Subversion 1.7.0. As a part of the commit happening over v2 protocol, the client sends a POST request with the request body containing data encoded in a special `skeleton' (or `skel') format.

The parser of skel-encoded request bodies in mod_dav_svn contains a flaw that allows the attacker to write memory past the end of a heap buffer with a specially crafted request that causes an arithmetic overflow in 32-bit server versions. 64-bit server versions are not vulnerable to the heap-based buffer overflow, but can be forced into allocating huge amounts of memory, thus, the successful attack on them would cause denial-of-service conditions.

Exploiting this vulnerability requires the attacker to be authenticated and to have write access to a repository on the targeted server.

Severity:
=========

CVSSv2 Base Score: 4.6
CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P

We consider this to be a medium risk vulnerability. In order to take advantage of this attack the attacker would require write access to the repository. Most configurations require authentication to commit changes and so anonymous users would not be able to use this attack in these cases.

With the write access, the denial of service attack is reasonably easy to carry out, while exploiting the heap overflow is more difficult, depending upon how skilled the attacker is and upon the specifics of the platform.

In case of the denial of service attack, a remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the request from the attacker. In either case there is an increased processing impact of restarting a process and the cost of per process caches being lost.

Recommendations:
================

We recommend all users to upgrade to Subversion 1.9.3.

Users of Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
http://subversion.apache.org/packages.html

No workaround is available.

References:
===========

CVE-2015-5343 (Subversion)

Reported by:
Ivan Zhakov, VisualSVN
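The advisory above describes the bug class (a decimal length in a skel explicit atom that wraps in 32-bit arithmetic, so a heap buffer is sized too small on 32-bit servers and a huge allocation is attempted on 64-bit ones) without showing code. The following is an added illustration written for this page; it is not Subversion's mod_dav_svn or libsvn_subr code. The function names, the "length + 1" allocation sizing and the sample request fragments are assumptions made for the illustration. It contrasts an unchecked 32-bit length conversion with a checked one that also bounds the declared length against the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Subversion code. A skel explicit-length atom is
 * "<decimal length><space><bytes>", e.g. "5 hello". A parser must convert
 * the decimal length without wrapping and check it against the bytes present. */

/* Unchecked decimal conversion into a 32-bit size, as on a 32-bit server.
 * Arithmetic is mod 2^32, so "4294967301" silently becomes 5. */
uint32_t getsize32_unchecked(const char *s, size_t len, size_t *consumed)
{
    uint32_t value = 0;
    size_t i = 0;
    while (i < len && s[i] >= '0' && s[i] <= '9') {
        value = value * 10u + (uint32_t)(s[i] - '0');   /* wraps silently */
        i++;
    }
    *consumed = i;
    return value;
}

/* Assumed buggy allocation sizing of the kind the advisory describes: room
 * for the atom plus a terminator. With a 32-bit size, 0xFFFFFFFF + 1 wraps
 * to 0, so a tiny buffer is allocated and a later copy of `size` bytes
 * overruns it. With a 64-bit size nothing wraps, so the server instead
 * tries to honour a huge allocation (the denial-of-service case). */
uint32_t alloc_len32_unchecked(uint32_t size)
{
    return size + 1u;
}

/* Checked decimal conversion: returns 1 and sets *out on success, 0 when
 * there are no digits or the value would not fit in size_t. */
int getsize_checked(const char *s, size_t len, size_t *out, size_t *consumed)
{
    size_t value = 0;
    size_t i = 0;
    while (i < len && s[i] >= '0' && s[i] <= '9') {
        size_t d = (size_t)(s[i] - '0');
        if (value > (SIZE_MAX - d) / 10)   /* value * 10 + d would overflow */
            return 0;
        value = value * 10 + d;
        i++;
    }
    if (i == 0)
        return 0;
    *out = value;
    *consumed = i;
    return 1;
}

/* Parse one explicit atom from buf[0..len). Returns a pointer to the atom
 * bytes and sets *atom_len and *total (bytes consumed including the prefix),
 * or NULL on malformed input, including a length larger than what remains. */
const char *parse_explicit_atom(const char *buf, size_t len,
                                size_t *atom_len, size_t *total)
{
    size_t size, used;
    if (!getsize_checked(buf, len, &size, &used))
        return NULL;
    if (used >= len || buf[used] != ' ')
        return NULL;
    used++;
    if (size > len - used)   /* declared length exceeds the body */
        return NULL;
    *atom_len = size;
    *total = used + size;
    return buf + used;
}

/* Small wrappers so results can be checked without out-parameters. */
uint32_t wrapped_len32(const char *s) { size_t u; return getsize32_unchecked(s, strlen(s), &u); }
int checked_len_ok(const char *s) { size_t v, u; return getsize_checked(s, strlen(s), &v, &u); }
long atom_length(const char *s) { size_t n, t; return parse_explicit_atom(s, strlen(s), &n, &t) ? (long)n : -1; }

int main(void)
{
    /* Constructed request fragments, not captured traffic. */
    const char *good = "5 hello";
    const char *evil = "4294967301 hello";   /* 5 in 32-bit arithmetic */
    printf("32-bit unchecked length of \"%s\": %u\n", evil, (unsigned)wrapped_len32(evil));
    printf("alloc_len32_unchecked(0xFFFFFFFF) = %u\n", (unsigned)alloc_len32_unchecked(0xFFFFFFFFu));
    printf("checked parse of \"%s\": %ld\n", good, atom_length(good));
    printf("checked parse of \"%s\": %ld\n", evil, atom_length(evil));
    return 0;
}
```

On a 32-bit build `getsize_checked` rejects "4294967301" outright; on a 64-bit build the conversion succeeds but `parse_explicit_atom` still rejects it because the declared length exceeds the request body, which is the check that stops both the overflow and the huge allocation.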
bugbot adjusting priority
CCing Apache Subversion PMC member Stefan Sperling.

For openSUSE...

For 1.8.x: devel:tools:scm:svn:1.8/subversion
The pre-release tarball is running all tests in: home:AndreasStieger:branches:devel:tools:scm:svn:1.8/subversion

For 1.9.x: devel:tools:scm:svn/subversion
The pre-release tarball is running all tests in: home:AndreasStieger:branches:devel:tools:scm:svn/subversion
SLE12 submitted.
public at http://subversion.apache.org/security/CVE-2015-5343-advisory.txt
This is an autogenerated message for OBS integration: This bug (958300) was mentioned in https://build.opensuse.org/request/show/349086 13.2+13.1 / subversion
openSUSE-SU-2015:2362-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 958300 CVE References: CVE-2015-5343 Sources used: openSUSE 13.2 (src): subversion-1.8.15-2.23.1 openSUSE 13.1 (src): subversion-1.8.15-2.42.1
openSUSE-SU-2015:2363-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 939514,939517,958300 CVE References: CVE-2015-3184,CVE-2015-3187,CVE-2015-5343 Sources used: openSUSE Leap 42.1 (src): subversion-1.8.10-6.1
I did SLE12, Andreas did openSUSE. Is anything missing or can this be closed?
We are happy in terms of submissions just now, the update is in the QA queue
SUSE-SU-2016:0043-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 958300 CVE References: CVE-2015-5343 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): subversion-1.8.10-18.2 SUSE Linux Enterprise Software Development Kit 12 (src): subversion-1.8.10-18.2
all fixed
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938 CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP3 (src): subversion-1.8.19-25.3.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): subversion-1.8.19-25.3.1