[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

TortoiseSVN 1.4.5 released

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2007-08-28 06:30:06 CEST

Simultaneously with Subversion 1.4.5, TortoiseSVN 1.4.5 has been released.

TortoiseSVN 1.4.5 is linked against the Subversion library 1.4.5 which
contains an important security fix. Please update as soon as possible.

Here's the full advisory:

===========================================================================

   On some platforms (e.g., Win32), svn client can create files in bad
places

Summary:
========

   This vulnerability requires prior write access to the repository.

   In Subversion 1.4.4 and earlier versions, on platforms where the
   directory separator is "\" (or anything other than "/"), the client
   libraries can allow files outside the working copy to be created
   during a checkout or update. This could, in theory, be used to
   place arbitrary code at arbitrary locations on the client machine,
   for example, in system startup scripts.

Known vulnerable:
=================

   Subversion clients <= 1.4.4 (including clients like TortoiseSVN)

Known fixed:
============

   Subversion 1.4.5
   TortoiseSVN 1.4.5

Details:
========

   The Subversion client libraries fail to validate that filenames
   obtained from the Subversion server during checkout do not contain
   "..\". This allows the creation of files outside the checkout
   directory. Users on operating systems where "\" is not used to
   separate directory paths can commit files with "..\" in the path.
   When these files are checked out onto systems where "\" is a
   directory separator, hilarity may ensue. To reproduce:

   On a UNIX system, create a file "..\DIRNAME/exploit.exe" and check
   it into a repository on the top level. Then check out that
   repository to a Win32 system. The file will appear outside of the
   checkout directory and instead under "DIRNAME".

Severity:
=========

   Med (arbitrary file creation on client, possibly over system startup
files)

   An adversary with write access to the repository could create a file
   at an arbitrary path on the victim's machines. This could be used
   to install code on the system, for example by placing executable
   code into the startup sequence.

   The attacker first requires write access to the repository from
   which the file will be checked out, and requires that others not
   notice the commit of the dangerous file. Thus, at first glance it
   might seem that some social engineering is necessary for a full
   exploit. However, if the repository administrator is the attacker,
   little or no social engineering is required.

References:
===========

   CVE-2007-3846 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846)

   http://crisp.cs.du.edu/?q=node/36

Reported by:
============

   Nils Durner and Christian Grothoff, Colorado Research Institute for
   Security and Privacy, http://crisp.cs.du.edu/.

Recommendation:
===============

   Upgrade to TortoiseSVN 1.4.5.
   http://tortoisesvn.net/downloads

Workarounds:
============

   These workarounds apply only to the repository (server) side. They
   cannot protect a client from a malicious repository administrator.

   * Scan existing repositories for paths containing "\", rename them.

   * Install a pre-commit hook that checks for "\" in filenames.
     Below is such a hook script, indented by four spaces:

     #!/bin/sh

     ### backslash-check.py: A Subversion pre-commit hook script to prevent
     ### files containing "\" from being added to the repository.
     ###
     ### See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846

     ### *** NOTE: ***
     ### Because Subversion hook scripts execute in a scrubbed environment,
     ### we use an absolute path to the svnlook binary. You might need to
     ### adjust it for your system.
     SVNLOOK="/usr/bin/svnlook"

     ### You shouldn't need to change anything below this line.
     REPOS=${1}
     TXN=${2}

     if ${SVNLOOK} changed -t ${TXN} ${REPOS} | grep -E "^A +.*\\\\"; then
       echo "" >&2
       echo "Cannot commit paths containing '\\':" >&2
       echo "" >&2
       # Show the actual paths:
       ${SVNLOOK} changed -t ${TXN} ${REPOS} \
          | grep -E "^A +.*\\\\" | cut -c5- >&2
       echo "" >&2
       exit 1
     else
       exit 0
     fi

And here's the changelog of TortoiseSVN 1.4.5:
Version 1.4.5
- BUG: The setting "unversioned files mark parent folder as modified"
        for the overlays marked folders as modified even if the
        unversioned files were ignored. (Stefan)
- BUG: The commit dialog wrongly showed added files in external folders.
        (Tobias Schäfer)
- BUG: Selecting the 'to:' date in the log dialog didn't include the
        selected date. (Stefan)
- BUG: Saving a file which did not exist failed or wasn't possible,
        only "Save as" worked. (Stefan)
- BUG: Crash in the statistics dialog if for some reason the date of a
        revision is not available. (Stefan)
- BUG: Thread leak in the status cache/handle lead in the
        shell extension. (Stefan)
- BUG: Missing items got crawled over and over again in the status
        cache. (Stefan)

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: users-help@tortoisesvn.tigris.org
Received on Tue Aug 28 06:27:34 2007

This is an archived mail posted to the TortoiseSVN Users mailing list.