
Re: Subversion upgrade problem

From: Stefan Sperling <stsp_at_elego.de>
Date: Mon, 22 Oct 2012 15:47:56 +0200

On Mon, Oct 22, 2012 at 08:58:49AM -0400, Parrish Knight wrote:
> The reported problem is with earlier versions of Subversion, but our
> security officer reports that the problem persists even after an
> upgrade.
>
> "Multiple integer overflows in the libsvn_delta library in Subversion
> before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users
> and remote Subversion servers to execute arbitrary code via an svndiff
> stream with large windows that trigger a heap-based buffer overflow, a
> related issue to CVE-2009-2412."
>
> http://www.orvant.com/vuln/detail/181334/CVE-2009-2411

If he can reproduce this problem even with patches applied, please
ask him to report this as a new security issue with a reproduction
recipe included. Please see
http://subversion.apache.org/docs/community-guide/issues.html#security
for details on reporting security issues.

That said, at the time I personally (as did several other developers)
reviewed and tested the fix for this issue, and could *not* trigger
the problem with the patches applied.

Are you sure the Subversion upgrade was done properly? Maybe the server
is still using a vulnerable version of libsvn_delta by accident?

How are you testing for this vulnerability? As far as I know an exploit
was circulated privately among developers for testing purposes but was
never made public. Did you write a new exploit or do you happen to have
a repository data set that triggers the problem reliably?

Please do not post reproduction recipes for security issues to this
list -- it is publicly archived. Instead, feel free to continue this
conversation via channels documented at
http://subversion.apache.org/docs/community-guide/issues.html#security
if you have some sort of sensitive data to share with us. Thanks.
Received on 2012-10-22 15:48:35 CEST
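
One way to check the question raised in the message above, whether a stale libsvn_delta is still installed, as an added example that is not part of the original mail or of Subversion's own code: it loads each library file it finds, calls the library's `svn_delta_version()`, and compares the result with the affected ranges quoted in the advisory text. The search paths and the helper names (`is_affected`, `library_version`, `audit`) are assumptions.

```python
import ctypes
import glob
import os
import sys

# Assumed install locations; pass your own glob patterns as arguments.
DEFAULT_PATTERNS = ["/usr/lib*/libsvn_delta-1.so*",
                    "/usr/lib/*/libsvn_delta-1.so*",
                    "/usr/local/lib*/libsvn_delta-1.so*",
                    "/opt/*/lib*/libsvn_delta-1.so*"]

class SvnVersion(ctypes.Structure):
    # Mirrors svn_version_t from Subversion's svn_version.h.
    _fields_ = [("major", ctypes.c_int), ("minor", ctypes.c_int),
                ("patch", ctypes.c_int), ("tag", ctypes.c_char_p)]

def is_affected(major, minor, patch):
    """Ranges quoted on this page: before 1.5.7, and 1.6.x before 1.6.4."""
    version = (major, minor, patch)
    return version < (1, 5, 7) or (1, 6, 0) <= version < (1, 6, 4)

def library_version(path):
    """Load one libsvn_delta file and ask it for its own version."""
    lib = ctypes.CDLL(path)
    lib.svn_delta_version.restype = ctypes.POINTER(SvnVersion)
    v = lib.svn_delta_version().contents
    return (v.major, v.minor, v.patch)

def audit(patterns):
    """Return (real_path, version_or_None, status) per distinct library file."""
    seen, results = set(), []
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            real = os.path.realpath(path)  # collapse .so symlink chains
            if real in seen:
                continue
            seen.add(real)
            try:
                ver = library_version(real)
            except (OSError, AttributeError) as exc:
                results.append((real, None, f"unreadable: {exc}"))
                continue
            status = "AFFECTED" if is_affected(*ver) else "ok"
            results.append((real, ver, status))
    return results

if __name__ == "__main__":
    for path, ver, status in audit(sys.argv[1:] or DEFAULT_PATTERNS):
        shown = ".".join(map(str, ver)) if ver else "?"
        print(f"{status:10} {shown:8} {path}")
```

A distribution package can carry the fix as a backport under an older version number, so confirm a flagged file against the package changelog, and restart the server so no running process keeps an old copy of the library mapped.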

This is an archived mail posted to the Subversion Users mailing list.
