
Re: Subversion 1.0.5 released. *SECURITY FIX*

From: Patrick Mayweg <mayweg_at_qint.de>
Date: 2004-06-11 12:02:29 CEST

The Win32 javahl binding binary package is available:

  http://subversion.tigris.org/files/documents/15/14079/svn-win32-1.0.5_javahl.zip

The MD5 checksum is:

   1ff36d390e62fe5cf51e5dc41ad55fad *svn-win32-1.0.5_javahl.zip

Patrick

Branko Čibej wrote:

>The Win32 binary packages are available:
>
> http://subversion.tigris.org/files/documents/15/14088/svn-win32-1.0.5.zip
> http://subversion.tigris.org/files/documents/15/14086/svn-win32-1.0.5_dev.zip
> http://subversion.tigris.org/files/documents/15/14085/svn-win32-1.0.5_pdb.zip
> http://subversion.tigris.org/files/documents/15/14087/svn-win32-1.0.5_py.zip
>
>The MD5 checksums are:
>
> 62cdbba85f6c15ce9e58cffcec5b3a65 *svn-win32-1.0.5.zip
> 2bd1fb7c3e11a2a421dc577392c69e9f *svn-win32-1.0.5_dev.zip
> 99eef5e2baf1646356adde0163ea9268 *svn-win32-1.0.5_pdb.zip
> 85c5c8aa98cace24d6740befa29c2004 *svn-win32-1.0.5_py.zip
>
>The developers' documentation now includes header dependency graphs.
>
> Brane
>
>
>P.S.: The unofficial build with the ASP.NET fix is in http://www.xbc.nu/svn/.
>
>
>Ben Reser wrote:
>
>>Subversion 1.0.5 is ready. Grab it from:
>>
>> http://subversion.tigris.org/tarballs/subversion-1.0.5.tar.gz
>> http://subversion.tigris.org/tarballs/subversion-1.0.5.tar.bz2
>>
>>The MD5 checksums are:
>>
>> 96856d7e1a6b056a17833d10d3cd7623 subversion-1.0.5.tar.gz
>> 8e8288fee061f5278ec201fc5e5e141c subversion-1.0.5.tar.bz2
>>
>>
>>Subversion versions up to and including 1.0.4 have a potential
>>Denial of Service and Heap Overflow issue related to the parsing of
>>strings in the 'svn://' family of access protocols.
>>
>>This affects only sites running svnserve. It does not affect
>>'http://' access -- repositories served only by Apache/mod_dav_svn
>>do not have this vulnerability.
>>
>>Details:
>>========
>>
>>The svn protocol sends strings as a length followed by the string. The
>>parser would trust that the sender was providing an accurate length of
>>the string and would allocate sufficient memory to store the entire
>>string. This would allow the sender of a string to Denial of Service
>>the other side by suggesting that the string is very large.
>>Additionally, if the size given is large enough it may cause the integer
>>holding the size to wrap, thus allocating less memory than the string
>>length and resulting in a heap overflow.
>>
>>The parsing code with the flaw is shared by both the svnserve server and
>>clients using the svn://, svn+ssh:// and other tunneled svn+*://
>>methods.
>>
>>Severity:
>>=========
>>
>>Severity ranges from "Denial of Service" to, potentially, "Arbitrary
>>Code Execution", depending upon how skilled the attacker is and the
>>ABI specifics of your platform.
>>
>>Since the error is in the parsing of the protocol, including the parsing
>>of authentication, the server vulnerabilities can be triggered without
>>read or write access to the repository. So any svnserve process that an
>>attacker can connect to is vulnerable even if they do not have read or
>>write access.
>>
>>The Denial of Service attack is reasonably easy to carry out, while
>>exploiting the heap overflow is more difficult. There are no known
>>exploits in the wild at the time of this advisory.
>>
>>Workarounds:
>>============
>>
>>Disable svnserve and use DAV (http://) instead.
>>
>>Recommendations:
>>================
>>
>>We recommend all users upgrade to 1.0.5.
>>
>>References:
>>===========
>>
>>CAN-2004-0413: Subversion svn:// protocol string parsing error.
>>
>>Questions, comments, and bug reports to users_at_subversion.tigris.org.
>>
>>Thanks,
>>-The Subversion Team
>>
>>--------------------8-<-------cut-here---------8-<-----------------------
>>
>>User-visible-changes:
>>* fixed: security bug in svn protocol string parsing. (CAN-2004-0413)
>>
>>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
>For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
>
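The advisory quoted above describes a reader that allocated whatever length the peer declared, so a huge value exhausted memory and a value large enough to wrap the size variable produced an undersized buffer. The following is an added example, not Subversion's own code, of a reader for one length-prefixed string with both checks in place; it assumes a simplified "<decimal length>:<bytes>" encoding and that the whole message is already in the receive buffer (a streaming reader would instead cap the declared length against a protocol maximum).

```c
/* Added example, not Subversion's own code: a hardened reader for one
 * length-prefixed wire string. The "<decimal length>:<bytes>" encoding is
 * an assumption made for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse the ASCII decimal length and its ':' terminator. Returns bytes
 * consumed, or 0 if malformed or if the value would wrap size_t. */
static size_t parse_length(const char *buf, size_t buflen, size_t *len_out)
{
    size_t i = 0, len = 0;
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        if (len > (SIZE_MAX - (size_t)(buf[i] - '0')) / 10) /* would wrap */
            return 0;
        len = len * 10 + (size_t)(buf[i++] - '0');
    }
    if (i == 0 || i >= buflen || buf[i] != ':')
        return 0;
    *len_out = len;
    return i + 1;
}

/* Copy one string out of the receive buffer. Returns bytes consumed and a
 * freshly allocated NUL-terminated copy in *out, or 0 (nothing allocated)
 * when the declared length is not backed by received bytes or len + 1
 * would wrap: the two gaps the advisory describes. */
size_t read_prefixed_string(const char *buf, size_t buflen, char **out)
{
    size_t len, hdr = parse_length(buf, buflen, &len);
    if (hdr == 0 || len > buflen - hdr)  /* trust the data, not the header */
        return 0;
    if (len == SIZE_MAX)                 /* len + 1 would wrap to 0 */
        return 0;
    char *s = malloc(len + 1);
    if (s == NULL)
        return 0;
    memcpy(s, buf + hdr, len);
    s[len] = '\0';
    *out = s;
    return hdr + len;
}

/* Convenience check: 1 if wire parses to exactly expect, else 0. */
int parses_to(const char *wire, const char *expect)
{
    char *s = NULL;
    int ok = read_prefixed_string(wire, strlen(wire), &s) && !strcmp(s, expect);
    free(s);
    return ok;
}
```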

Received on Fri Jun 11 12:03:19 2004

This is an archived mail posted to the Subversion Dev mailing list.
