Simultaneously with Subversion 1.4.5, TortoiseSVN 1.4.5 has been released.
TortoiseSVN 1.4.5 is linked against the Subversion library 1.4.5 which
contains an important security fix. Please update as soon as possible.
Here's the full advisory:
===========================================================================
On some platforms (e.g., Win32), svn client can create files in bad places
Summary:
========
This vulnerability requires prior write access to the repository.
In Subversion 1.4.4 and earlier versions, on platforms where the
directory separator is "\" (or anything other than "/"), the client
libraries can allow files outside the working copy to be created
during a checkout or update. This could, in theory, be used to
place arbitrary code at arbitrary locations on the client machine,
for example, in system startup scripts.
Known vulnerable:
=================
Subversion clients <= 1.4.4 (including clients like TortoiseSVN)
Known fixed:
============
Subversion 1.4.5
TortoiseSVN 1.4.5
Details:
========
The Subversion client libraries fail to validate that filenames
obtained from the Subversion server during checkout do not contain
"..\". This allows the creation of files outside the checkout
directory. Users on operating systems where "\" is not used to
separate directory paths can commit files with "..\" in the path.
When these files are checked out onto systems where "\" is a
directory separator, hilarity may ensue. To reproduce:
On a UNIX system, create a file "..\DIRNAME/exploit.exe" and check
it into a repository on the top level. Then check out that
repository to a Win32 system. The file will appear outside of the
checkout directory and instead under "DIRNAME".
Severity:
=========
Med (arbitrary file creation on client, possibly over system startup
files)
An adversary with write access to the repository could create a file
at an arbitrary path on the victim's machines. This could be used
to install code on the system, for example by placing executable
code into the startup sequence.
The attacker first requires write access to the repository from
which the file will be checked out, and requires that others not
notice the commit of the dangerous file. Thus, at first glance it
might seem that some social engineering is necessary for a full
exploit. However, if the repository administrator is the attacker,
little or no social engineering is required.
References:
===========
CVE-2007-3846 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846)
http://crisp.cs.du.edu/?q=node/36
Reported by:
============
Nils Durner and Christian Grothoff, Colorado Research Institute for
Security and Privacy, http://crisp.cs.du.edu/.
Recommendation:
===============
Upgrade to TortoiseSVN 1.4.5.
http://tortoisesvn.net/downloads
Workarounds:
============
These workarounds apply only to the repository (server) side. They
cannot protect a client from a malicious repository administrator.
* Scan existing repositories for paths containing "\", rename them.
* Install a pre-commit hook that checks for "\" in filenames.
Below is such a hook script, indented by four spaces:
    #!/bin/sh
    ### backslash-check.py: A Subversion pre-commit hook script to prevent
    ### files containing "\" from being added to the repository.
    ###
    ### See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846
    ### *** NOTE: ***
    ### Because Subversion hook scripts execute in a scrubbed environment,
    ### we use an absolute path to the svnlook binary. You might need to
    ### adjust it for your system.
    SVNLOOK="/usr/bin/svnlook"
    ### You shouldn't need to change anything below this line.
    REPOS=${1}
    TXN=${2}
    if ${SVNLOOK} changed -t ${TXN} ${REPOS} | grep -E "^A +.*\\\\"; then
        echo "" >&2
        echo "Cannot commit paths containing '\\':" >&2
        echo "" >&2
        # Show the actual paths:
        ${SVNLOOK} changed -t ${TXN} ${REPOS} \
            | grep -E "^A +.*\\\\" | cut -c5- >&2
        echo "" >&2
        exit 1
    else
        exit 0
    fi
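To make the Details and Workarounds sections concrete, here is an added example (not code from the advisory, Subversion or TortoiseSVN) that models how a client treating "\" as a separator resolves a path such as "..\DIRNAME/exploit.exe", and that flags backslash paths in "svnlook changed" output the way the hook above does. The checkout roots and the svnlook sample are constructed, and the resolution model is a simplification of the client's real behaviour.

```python
import re

# Constructed sample of "svnlook changed -t TXN REPOS" output: status flags
# in the first columns, the repository path from column 5 onward.
SAMPLE_SVNLOOK_CHANGED = """\
A   trunk/ok.txt
A   ..\\DIRNAME/exploit.exe
U   trunk/README
_U  trunk/props-only
U   docs\\notes.txt
"""

def resolve_on_client(repo_path, checkout_root, win32):
    """Where a client would write repo_path below checkout_root (simplified
    model of the advisory): on Win32 both "/" and "\\" split components, so a
    "..\\" the server stored as part of a filename becomes a step into the
    parent directory.  Roots and results use "/" so both platforms compare."""
    separators = r"[/\\]" if win32 else "/"
    components = [c for c in re.split(separators, repo_path) if c not in ("", ".")]
    stack = checkout_root.rstrip("/").split("/")
    for component in components:
        if component == "..":
            if len(stack) > 1:      # never climb above the drive or filesystem root
                stack.pop()
        else:
            stack.append(component)
    return "/".join(stack)

def escapes_checkout(repo_path, checkout_root, win32):
    """True when the resolved location is not inside checkout_root."""
    root = checkout_root.rstrip("/").split("/")
    resolved = resolve_on_client(repo_path, checkout_root, win32).split("/")
    return resolved[:len(root)] != root

def find_backslash_paths(svnlook_changed_output):
    """Flag every changed path containing "\\", whatever its status.  The hook
    in the advisory only looks at added paths; a modified path that already
    carries a backslash means the first workaround (scan and rename) is due."""
    flagged = []
    for line in svnlook_changed_output.splitlines():
        match = re.match(r"^(\S+)\s+(.+)$", line)
        if match and "\\" in match.group(2):
            flagged.append((match.group(1), match.group(2)))
    return flagged

if __name__ == "__main__":
    print(resolve_on_client("..\\DIRNAME/exploit.exe", "C:/wc", win32=True))
    print(find_backslash_paths(SAMPLE_SVNLOOK_CHANGED))
```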
And here's the changelog of TortoiseSVN 1.4.5:
Version 1.4.5
- BUG: The setting "unversioned files mark parent folder as modified"
for the overlays marked folders as modified even if the
unversioned files were ignored. (Stefan)
- BUG: The commit dialog wrongly showed added files in external folders.
(Tobias Schäfer)
- BUG: Selecting the 'to:' date in the log dialog didn't include the
selected date. (Stefan)
- BUG: Saving a file which did not exist failed or wasn't possible,
only "Save as" worked. (Stefan)
- BUG: Crash in the statistics dialog if for some reason the date of a
revision is not available. (Stefan)
- BUG: Thread leak in the status cache/handle leak in the
  shell extension. (Stefan)
- BUG: Missing items got crawled over and over again in the status
cache. (Stefan)
Stefan
--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Tue Aug 28 06:27:30 2007