Opened 7 years ago

Closed 7 years ago

#9599 closed enhancement (fixed)

subversion-1.9.7

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 8.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by ken@…)

Following on from git-2.14.1, subversion-1.9.7 has been released. This fixes CVE-2017-9800, from https://subversion.apache.org/security/CVE-2017-9800-advisory.txt :

Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url

Summary:
========

A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

An exploit has been tested.

Known vulnerable:
=================

Subversion clients 1.0.0 through 1.8.18 (inclusive)
Subversion clients 1.9.0 through 1.9.6 (inclusive)
Subversion client 1.10.0-alpha3

Subversion 1.10.0-alpha1 and 1.10.0-alpha2 are vulnerable; however, they were never publicly released.

Known fixed:
============

Subversion 1.8.19
Subversion 1.9.7

Patches are available for 1.9, 1.8, 1.6. The patch for 1.9 applies to 1.10.0-alpha3 with an offset. The patch for 1.8 applies to 1.7 with an offset.

Clients that do not have access to an ssh client, and have no custom tunnels configured in their runtime configuration area [1], are not vulnerable.

Clients using Subversion's own runtime module loading for Repository Access (RA) modules are not vulnerable if the 'libsvn_ra_svn' module, which provides support for the svn+ssh:// and svn:// protocols, is removed.

[1] http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html#svn.advanced.confarea.layout

This link describes Subversion 1.7, but the description is correct for all other versions as well.

Details:
========

(see "Summary:" above)

Severity:
=========

CVSSv3 Base Score: 9.9 (Critical)
CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

When I built 1.9.6 the other week I got a test failure in [023/109] locks-test:

FAIL:  lt-locks-test 14: lock/unlock when 'write-lock' couldn't be obtained

I suspect that one might be an issue with either gcc-7.1 or else newer headers, in which case it might repeat in this version.
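The exposure conditions from the advisory quoted in the description (a version in the "Known vulnerable" ranges, plus either access to an ssh client or a custom tunnel in the runtime configuration area) can be combined into one check. This is an added example, not part of the ticket or the Subversion project; the function names are hypothetical, the `[tunnels]` section name comes from Subversion's runtime config format rather than from this page, and the sample config is constructed.

```python
import configparser
import re
import shutil

# Ranges copied from the "Known vulnerable" list in the advisory quoted above.
VULNERABLE_RANGES = [((1, 0, 0), (1, 8, 18)), ((1, 9, 0), (1, 9, 6))]
VULNERABLE_PRERELEASES = {"1.10.0-alpha1", "1.10.0-alpha2", "1.10.0-alpha3"}

def version_is_vulnerable(version):
    """True if an unpatched client of this version is in the advisory's ranges.
    A distribution build carrying a backported patch is not detected here."""
    version = version.strip()
    if version in VULNERABLE_PRERELEASES:
        return True
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    parsed = tuple(int(part) for part in match.groups())
    return any(low <= parsed <= high for low, high in VULNERABLE_RANGES)

def custom_tunnels(config_text):
    """Return the schemes defined in the [tunnels] section of the runtime config."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    return dict(parser.items("tunnels")) if parser.has_section("tunnels") else {}

def client_is_exposed(version, config_text, ssh_available):
    """Vulnerable version AND (an ssh client is reachable OR a custom tunnel exists).
    The third mitigation (removing libsvn_ra_svn) is not checked."""
    if not version_is_vulnerable(version):
        return False
    return ssh_available or bool(custom_tunnels(config_text))

# Constructed sample input, not taken from a real system.
SAMPLE_CONFIG = """\
### constructed runtime configuration file
[auth]
store-passwords = no
[tunnels]
# ssh = $SVN_SSH ssh -q
mytunnel = /usr/local/bin/tunnel-wrapper
"""

if __name__ == "__main__":
    # Assumption: an ssh binary on PATH stands in for "access to an ssh client".
    have_ssh = shutil.which("ssh") is not None
    for version in ("1.8.18", "1.9.6", "1.9.7", "1.10.0-alpha3"):
        print(version, client_is_exposed(version, SAMPLE_CONFIG, have_ssh))
```

On a real host, feed it the output of `svn --version --quiet` and the contents of the user's runtime config file.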

Change History (4)

comment:1 by ken@…, 7 years ago

Owner: changed from blfs-book@… to ken@…
Status: new → assigned

comment:2 by ken@…, 7 years ago

Description: modified (diff)

Actually, that lock test also fails on BLFS-8.0 on my server.

in reply to:  2 comment:3 by ken@…, 7 years ago

Replying to ken@…:

Actually, that lock test also fails on BLFS-8.0 on my server.

But on my latest build all the tests now pass.

comment:4 by ken@…, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed in r19007.
