On 2020-01-23 18:40:56 +0000, Daniel Shahaf wrote:
> Vincent Lefevre wrote on Thu, 23 Jan 2020 15:50 +0100:
> > On 2020-01-23 12:44:02 +0100, Joerg Wunsch wrote:
> > > If the automounter already yields ENOENT for the ../.svn directory
> > > probe, everything is not going to be a problem. I think the point here
> > > is the automounter (eventually, after "thinking" about it for about 1
> > > s) offers a successful stat() result for ../.svn (probably because
> > > that directory *might be* a possible mount point for the automounter)
> > > but then yields EIO when trying to access anything within that
> > > ficticous directory (because nothing is actually mounted there).
> > Do you mean that Subversion tries to go higher in the hierarchy
> > without checking the owner of the directory? If it does, this is
> > a security issue.
> How so? What's the attacker model? What can someone leverage this
> feature of Subversion to do that they couldn't do without it?
I don't know all the various possibilities, but there's at least a
denial of service:
zira:/tmp> mkdir vinc17
zira:/tmp> cd vinc17
zira:/tmp/vinc17> svn co file:///home/vinc17/repos wc
svn: E200030: sqlite[S1]: no such table: wcroot
That's with an attacker who creates a .svn directory in /tmp and
an empty wc.db file in it.
On systems without symlink restriction in world-writable directories,
I was wondering whether there could be a way to create files in the
user's home directory. My attempt yielded a sqlite error because
O_NOFOLLOW was used, which is a good thing.
But I'm also wondering whether there could be some leak in wc.db
in case the user does a "svn up" from a wrong directory (such as
/tmp/vinc17 above, with an attacker creating a .svn directory in
/tmp with a URL of a private repository belonging to the user).
A small error like this should never become a security issue.
Vincent Lefèvre <email@example.com> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Received on 2020-04-07 22:00:39 CEST