Ben Reser deserves a huge thank you here.
It's not obvious from the announcement, but a lot of behind-the-scenes
work went into analyzing this vulnerability, coordinating with various
security lists, pre-notifying major sites running Subversion, etc.
The 1.0.3 release is just the tip of a very large iceberg.  Ben
cheerfully took on a ton of unexpected work in doing this.
If you see this guy in your town, please buy him a beer!
-Karl
Ben Reser <ben@reser.org> writes:
> Subversion 1.0.3 is ready. Grab it from:
> 
>   http://subversion.tigris.org/files/documents/15/13430/subversion-1.0.3.tar.gz
>   http://subversion.tigris.org/files/documents/15/13432/subversion-1.0.3.tar.bz2 
> 
> The MD5 checksums are:
> 
>   1d5722a515be8f1aa6cfb779d99c6a11  subversion-1.0.3.tar.gz
>   a8961f86a2bbd8deb59b2b62db303461  subversion-1.0.3.tar.bz2
> 
> 
> Subversion versions up to and including 1.0.2 have a buffer overflow in
> the date parsing code.
> 
> Both client and server are vulnerable.  The server is vulnerable over
> both httpd/DAV and svnserve (that is, over http://, https://, svn://,
> svn+ssh:// and other tunneled svn+*:// methods).
> 
> Additionally, clients with shared working copies, or permissions that
> allow files in the administrative area of the working copy to be
> written by other users, are potentially exploitable.
> 
> Severity:
> =========
> 
> Severity ranges from "Denial of Service" to, potentially, "Arbitrary
> Code Execution", depending upon how skilled the attacker is and the
> ABI specifics of your platform.
> 
> The server vulnerabilities can be triggered without write/commit access
> to the repository.  So repositories with anonymous/public read access
> are vulnerable.
> 
> Workarounds:
> ============
> 
> There are no workarounds except to disallow public access.  Even then
> you'd still be vulnerable to attack by someone who still has access
> (perhaps you trust those people, though).
> 
> Recommendations:
> ================
> 
> We recommend all users upgrade to 1.0.3.
> 
> References:
> ===========
> 
> CAN-2004-0397: subversion sscanf stack overflow via revision date
>                in REPORT query
> 
> Note:
> =====
> 
> There was a similar vulnerability in the Neon HTTP library up to and
> including version 0.24.5.  Because Subversion ships with Neon, we have
> included (in Subversion 1.0.3) Neon 0.24.6, which is being released
> simultaneously.  Subversion does not actually invoke the vulnerable code
> in Neon; we are updating our copy of Neon simply as a reassuring
> gesture, so people don't worry.  See CAN-2004-0398 for details.
> 
> Questions, comments, and bug reports to users_at_subversion.tigris.org.
> 
> Thanks,
> -The Subversion Team 
> 
> --------------------8-<-------cut-here---------8-<-----------------------
> 
>  User-visible-changes:
>  * fixed: security bug in date parsing. (CAN-2004-0397)
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed May 19 17:13:56 2004
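The advisory above names the bug class (an sscanf stack overflow while parsing a revision date) but does not show code. The following is an added illustration of that class and is not Subversion's own code: the date layout "Tue 3 Oct 2000 12:00:00 GMT", the struct and the function names are assumptions made for the example. It puts the unsafe sscanf pattern (an unbounded "%s" into a fixed stack buffer) beside a hardened parser that bounds every conversion, detects truncation with "%n", and range-checks the fields.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Subversion's code.  The date layout
 * "Tue 3 Oct 2000 12:00:00 GMT" and all names here are assumptions.
 */
struct parsed_date {
    char wday[4];   /* three-letter weekday plus NUL */
    int  mday;
    char month[4];  /* three-letter month plus NUL */
    int  year;
    int  hour, min, sec;
    char tz[4];     /* e.g. "GMT" */
};

/*
 * Vulnerable pattern: "%s" carries no width, so sscanf copies the whole
 * token into wday/month.  A token longer than three characters writes past
 * the 4-byte arrays: a stack buffer overflow controlled by whoever supplies
 * the date string.  Never call this with untrusted input.
 */
int parse_date_unsafe(const char *s, struct parsed_date *out)
{
    return sscanf(s, "%s %d %s %d %d:%d:%d",
                  out->wday, &out->mday, out->month, &out->year,
                  &out->hour, &out->min, &out->sec) == 7;
}

static const char *const wday_names[7] = {
    "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" };
static const char *const month_names[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Return the index of NAME in TABLE, or -1 if absent. */
static int lookup(const char *name, const char *const *table, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, table[i]) == 0)
            return i;
    return -1;
}

/*
 * Hardened version.  Every conversion has a width, so sscanf can never
 * write more than the destination holds.  Width-limited conversions
 * silently truncate long tokens instead of failing, so the "%n"
 * consumed-count check plus the requirement of exactly 8 conversions
 * rejects inputs whose fields were longer than allowed or that carry
 * trailing data.  Values are then range-checked.  Returns 1 on success.
 */
int parse_date_safe(const char *s, struct parsed_date *out)
{
    int consumed = 0;
    memset(out, 0, sizeof *out);

    if (sscanf(s, "%3s %2d %3s %4d %2d:%2d:%2d %3s%n",
               out->wday, &out->mday, out->month, &out->year,
               &out->hour, &out->min, &out->sec, out->tz, &consumed) != 8)
        return 0;
    if (s[consumed] != '\0')          /* truncated field or trailing data */
        return 0;
    if (lookup(out->wday, wday_names, 7) < 0)
        return 0;
    if (lookup(out->month, month_names, 12) < 0)
        return 0;
    if (out->mday < 1 || out->mday > 31 || out->year < 1970)
        return 0;
    if (out->hour < 0 || out->hour > 23 || out->min < 0 || out->min > 59 ||
        out->sec < 0 || out->sec > 60)
        return 0;
    if (strcmp(out->tz, "GMT") != 0)  /* only GMT is assumed here */
        return 0;
    return 1;
}

/* Convenience wrappers so results can be checked without a struct. */
int date_accepted(const char *s)
{
    struct parsed_date d;
    return parse_date_safe(s, &d);
}

int date_year(const char *s)
{
    struct parsed_date d;
    return parse_date_safe(s, &d) ? d.year : -1;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with an oversized weekday. */
    const char *good = "Tue 3 Oct 2000 12:00:00 GMT";
    const char *bad  = "Tuesday 3 Oct 2000 12:00:00 GMT";

    printf("%s -> %s\n", good, date_accepted(good) ? "accepted" : "rejected");
    printf("%s -> %s\n", bad,  date_accepted(bad)  ? "accepted" : "rejected");
    /* parse_date_unsafe(bad, ...) would overflow wday; deliberately not run. */
    return 0;
}
```

The point of the "%n" check is that a width specifier alone is not enough: "%3s" turns "Tuesday" into "Tue" and leaves "sday" in the input, so without confirming that the whole string was consumed a parser could accept a field it silently mangled. Checking the return count and the consumed offset together closes that gap.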