
Re: Subversion 1.0.5 released. *SECURITY FIX*

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-06-11 11:50:11 CEST

The Win32 binary packages are available:

  http://subversion.tigris.org/files/documents/15/14088/svn-win32-1.0.5.zip
  http://subversion.tigris.org/files/documents/15/14086/svn-win32-1.0.5_dev.zip
  http://subversion.tigris.org/files/documents/15/14085/svn-win32-1.0.5_pdb.zip
  http://subversion.tigris.org/files/documents/15/14087/svn-win32-1.0.5_py.zip

The MD5 checksums are:

  62cdbba85f6c15ce9e58cffcec5b3a65 *svn-win32-1.0.5.zip
  2bd1fb7c3e11a2a421dc577392c69e9f *svn-win32-1.0.5_dev.zip
  99eef5e2baf1646356adde0163ea9268 *svn-win32-1.0.5_pdb.zip
  85c5c8aa98cace24d6740befa29c2004 *svn-win32-1.0.5_py.zip

The developers' documentation now includes header dependency graphs.

    Brane

P.S.: The unofficial build with the ASP.NET fix is in http://www.xbc.nu/svn/.

Ben Reser wrote:

>Subversion 1.0.5 is ready. Grab it from:
>
> http://subversion.tigris.org/tarballs/subversion-1.0.5.tar.gz
> http://subversion.tigris.org/tarballs/subversion-1.0.5.tar.bz2
>
>The MD5 checksums are:
>
> 96856d7e1a6b056a17833d10d3cd7623 subversion-1.0.5.tar.gz
> 8e8288fee061f5278ec201fc5e5e141c subversion-1.0.5.tar.bz2
>
>
>Subversion versions up to and including 1.0.4 have a potential
>Denial of Service and Heap Overflow issue related to the parsing of
>strings in the 'svn://' family of access protocols.
>
>This affects only sites running svnserve. It does not affect
>'http://' access -- repositories served only by Apache/mod_dav_svn
>do not have this vulnerability.
>
>Details:
>========
>
>The svn protocol sends strings as a length followed by the string. The
>parser would trust that the sender was providing an accurate length of
>the string and would allocate sufficient memory to store the entire
>string. This would allow the sender of a string to Denial of Service
>the other side by suggesting that the string is very large.
>Additionally, if the size given is large enough it may cause the integer
>holding the size to wrap, thus allocating less memory than the string
>length and resulting in a heap overflow.
>
>The parsing code with the flaw is shared by both the svnserve server and
>clients using the svn://, svn+ssh:// and other tunneled svn+*://
>methods.
>
>Severity:
>=========
>
>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>Code Execution", depending upon how skilled the attacker is and the
>ABI specifics of your platform.
>
>Since the error is in the parsing of the protocol, including the parsing
>of authentication, the server vulnerabilities can be triggered without
>read or write access to the repository. So any svnserve process that an
>attacker can connect to is vulnerable even if they do not have read or
>write access.
>
>The Denial of Service attack is reasonably easy to carry out, while
>exploiting the heap overflow is more difficult. There are no known
>exploits in the wild at the time of this advisory.
>
>Workarounds:
>============
>
>Disable svnserve and use DAV (http://) instead.
>
>Recommendations:
>================
>
>We recommend all users upgrade to 1.0.5.
>
>References:
>===========
>
>CAN-2004-0413: Subversion svn:// protocol string parsing error.
>
>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>
>Thanks,
>-The Subversion Team
>
>--------------------8-<-------cut-here---------8-<-----------------------
>
> User-visible-changes:
> * fixed: security bug in svn protocol string parsing. (CAN-2004-0413)
>
>

Received on Fri Jun 11 11:51:00 2004

This is an archived mail posted to the Subversion Dev mailing list.
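
Added example (not part of the original mail and not Subversion's code): a bounded parser for a length-prefixed string of the kind the advisory describes, covering both the oversized-length and the integer-wrap cases. It assumes a decimal length, a ':' separator and then the bytes; lp_parse, max_len and the LP_* codes are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { LP_OK = 0, LP_MALFORMED = -1, LP_TOO_LONG = -2, LP_TRUNCATED = -3, LP_NOMEM = -4 };

/* Parse "<decimal-length>:<bytes>" from buf[0..buflen). On success *out is a
   NUL-terminated heap copy; max_len is a caller-chosen cap (hypothetical). */
int lp_parse(const char *buf, size_t buflen, size_t max_len,
             char **out, size_t *out_len)
{
    size_t i = 0, len = 0;

    for (; i < buflen && buf[i] >= '0' && buf[i] <= '9'; i++) {
        size_t d = (size_t)(buf[i] - '0');
        if (len > (SIZE_MAX - d) / 10)    /* accumulator would wrap */
            return LP_TOO_LONG;
        len = len * 10 + d;
    }
    if (i == 0 || i == buflen || buf[i] != ':')
        return LP_MALFORMED;
    i++;
    if (len > max_len || len == SIZE_MAX) /* cap before any allocation */
        return LP_TOO_LONG;
    if (len > buflen - i)                 /* payload must really be present */
        return LP_TRUNCATED;
    char *s = malloc(len + 1);            /* len < SIZE_MAX, so no wrap */
    if (s == NULL)
        return LP_NOMEM;
    memcpy(s, buf + i, len);
    s[len] = '\0';
    *out = s;
    *out_len = len;
    return LP_OK;
}

int main(void)
{
    /* Constructed inputs, not captured traffic. */
    const char *in[] = { "5:hello ", "10:short", "99999999999999999999999999:x" };
    for (size_t k = 0; k < sizeof in / sizeof in[0]; k++) {
        char *s = NULL; size_t n = 0;
        int rc = lp_parse(in[k], strlen(in[k]), 4096, &s, &n);
        printf("%-30s -> %d\n", in[k], rc);
        free(s);
    }
    return 0;
}
```

A reader that pulls the payload from a socket rather than a buffer would apply the same cap and then read in fixed-size chunks, so the declared length never sizes a single allocation.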
