[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: ssh+svn vs. bash security bug?

From: Stefan Sperling <stsp_at_elego.de>
Date: Wed, 24 Sep 2014 19:28:51 +0300

On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote:
> Does the recently announced bash bug:
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> affect the security of the way people generally configure svn+ssh access?
>
> --
> Les Mikesell
 
From what I understand after reading about the problem briefly:

In an svn+ssh setup svn clients run 'svnserve -t' by default.
But there is no reason this could not be changed to '/bin/bash' by
an attacker.

Note that forcing a command in the authorized_keys file will *not*
work around the problem: http://seclists.org/oss-sec/2014/q3/651

It should be possible to mitigate this attack vector by having
svnserve run in an environment that doesn't have bash available,
either with no bash binary at all on the system, or within a chroot.
Received on 2014-09-24 18:29:24 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.