[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: TortoiseSVN 1.4.5 released

From: Ulf Zibis <Ulf.Zibis_at_CoSoCo.de>
Date: 2007-08-28 13:53:20 CEST

Hi TSVN-team,

what's about the nightly dev-builds. I just have installed :
TortoiseSVN 1.4.99, Build 10336 - 32 Bit -dev, 2007/08/10 12:01:23
Subversion 1.5.0, -dev
apr 1.2.9
apr-utils 1.2.8
berkeley db 4.4.20
neon 0.26.3
OpenSSL 0.9.8d 28 Sep 2006
zlib 1.2.3

Is this build just aware of the security fix?

I like the new features in the dev-builds, so am I secure on only
installing Subversion 1.4.5?
Which dev-build would you suggest as relatively stable?

Regards,
Ulf

Am 28.08.2007 06:30, Stefan Küng schrieb:
> Simultaneously with Subversion 1.4.5, TortoiseSVN 1.4.5 has been
> released.
>
> TortoiseSVN 1.4.5 is linked against the Subversion library 1.4.5 which
> contains an important security fix. Please update as soon as possible.
>
>
> Here's the full advisory:
>
> ===========================================================================
>
>
> On some platforms (e.g., Win32), svn client can create files in bad
> places
>
> Summary:
> ========
>
> This vulnerability requires prior write access to the repository.
>
> In Subversion 1.4.4 and earlier versions, on platforms where the
> directory separator is "\" (or anything other than "/"), the client
> libraries can allow files outside the working copy to be created
> during a checkout or update. This could, in theory, be used to
> place arbitrary code at arbitrary locations on the client machine,
> for example, in system startup scripts.
>
> Known vulnerable:
> =================
>
> Subversion clients <= 1.4.4 (including clients like TortoiseSVN)
>
> Known fixed:
> ============
>
> Subversion 1.4.5
> TortoiseSVN 1.4.5
>
> Details:
> ========
>
> The Subversion client libraries fail to validate that filenames
> obtained from the Subversion server during checkout do not contain
> "..\". This allows the creation of files outside the checkout
> directory. Users on operating systems where "\" is not used to
> separate directory paths can commit files with "..\" in the path.
> When these files are checked out onto systems where "\" is a
> directory separator, hilarity may ensue. To reproduce:
>
> On a UNIX system, create a file "..\DIRNAME/exploit.exe" and check
> it into a repository on the top level. Then check out that
> repository to a Win32 system. The file will appear outside of the
> checkout directory and instead under "DIRNAME".
>
> Severity:
> =========
>
> Med (arbitrary file creation on client, possibly over system startup
> files)
>
> An adversary with write access to the repository could create a file
> at an arbitrary path on the victim's machines. This could be used
> to install code on the system, for example by placing executable
> code into the startup sequence.
>
> The attacker first requires write access to the repository from
> which the file will be checked out, and requires that others not
> notice the commit of the dangerous file. Thus, at first glance it
> might seem that some social engineering is necessary for a full
> exploit. However, if the repository administrator is the attacker,
> little or no social engineering is required.
>
> References:
> ===========
>
> CVE-2007-3846 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846)
>
> http://crisp.cs.du.edu/?q=node/36
>
> Reported by:
> ============
>
> Nils Durner and Christian Grothoff, Colorado Research Institute for
> Security and Privacy, http://crisp.cs.du.edu/.
>
> Recommendation:
> ===============
>
> Upgrade to TortoiseSVN 1.4.5.
> http://tortoisesvn.net/downloads
>
> Workarounds:
> ============
>
> These workarounds apply only to the repository (server) side. They
> cannot protect a client from a malicious repository administrator.
>
> * Scan existing repositories for paths containing "\", rename them.
>
> * Install a pre-commit hook that checks for "\" in filenames.
> Below is such a hook script, indented by four spaces:
>
> #!/bin/sh
>
> ### backslash-check.py: A Subversion pre-commit hook script to
> prevent
> ### files containing "\" from being added to the repository.
> ###
> ### See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846
>
> ### *** NOTE: ***
> ### Because Subversion hook scripts execute in a scrubbed
> environment,
> ### we use an absolute path to the svnlook binary. You might need to
> ### adjust it for your system.
> SVNLOOK="/usr/bin/svnlook"
>
> ### You shouldn't need to change anything below this line.
> REPOS=${1}
> TXN=${2}
>
> if ${SVNLOOK} changed -t ${TXN} ${REPOS} | grep -E "^A +.*\\\\"; then
> echo "" >&2
> echo "Cannot commit paths containing '\\':" >&2
> echo "" >&2
> # Show the actual paths:
> ${SVNLOOK} changed -t ${TXN} ${REPOS} \
> | grep -E "^A +.*\\\\" | cut -c5- >&2
> echo "" >&2
> exit 1
> else
> exit 0
> fi
>
>
>
>
> And here's the changelog of TortoiseSVN 1.4.5:
> Version 1.4.5
> - BUG: The setting "unversioned files mark parent folder as modified"
> for the overlays marked folders as modified even if the
> unversioned files were ignored. (Stefan)
> - BUG: The commit dialog wrongly showed added files in external folders.
> (Tobias Schäfer)
> - BUG: Selecting the 'to:' date in the log dialog didn't include the
> selected date. (Stefan)
> - BUG: Saving a file which did not exist failed or wasn't possible,
> only "Save as" worked. (Stefan)
> - BUG: Crash in the statistics dialog if for some reason the date of a
> revision is not available. (Stefan)
> - BUG: Thread leak in the status cache/handle lead in the
> shell extension. (Stefan)
> - BUG: Missing items got crawled over and over again in the status
> cache. (Stefan)
>
> Stefan
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Tue Aug 28 13:50:40 2007

This is an archived mail posted to the TortoiseSVN Dev mailing list.