Bug 54774 (CVE-2004-0397)

Summary: VUL-0: CVE-2004-0397: Overflow in subversion and neon
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Olaf Hering <ohering>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P1 - Urgent CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0397: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: the neon fix
the subversion fix
ne wpatch from author. we should probably use this.
neon patchfile for box
subversion patchfile for box

Description Sebastian Krahmer 2004-05-03 17:33:14 UTC 
Date: Sun, 2 May 2004 17:37:04 +0200
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de, joe@manyfish.co.uk, gstein@apache.org,
    brian@collab.net
Cc: s.esser@e-matters.de
Subject: [vendor-sec] CVS Pserver / Subversion / Neon remote vulnerabilities
Parts/Attachments:
   1 Shown    77 lines  Text
   2   OK     21 lines  Text
   3   OK     12 lines  Text
   4   OK     12 lines  Text
----------------------------------------

Hi to everyone addressed,

today I have to inform you about 3 vulnerabilities which are
from my point of view a serious threat.

The 3 vulnerabilities in question are:

1) CVS 1.12.7 (and older) pserver remote heap overflow

      Malformed "Entry" Lines in combination with Is-modified and Unchanged
      can be used to overflow malloc()ed memory. This was proofen to be
      exploitable.

2) Subversion 1.0.1 (and older) remote stack overflow

      A malicious revision date in a DAV/2 REPORT query, or a malicious
      revision date in a subversion get-dated-rev request can overflow
      the stack because of unsafe usage of sscanf(). 


      THIS is even exploitable with several stack overflow protectors,
      because overflowing one of the function parameters can be used
      to store an arbitrary value of 32-64 bits to any memory position
      within one of the called subfunctions. So it is f.e. possible
      to overwrite ONLY stored eip of the inner subfunction, before
      the stackoverflow is detected... 
      
      This was also proofen to be exploitable through DAV/2 REPORT
      but due to the nature of utf-8 strings it is somewhat harder to
      exploit.
      
3) Neon 0.24.5 (and older) remote stack overflow

      This vulnerability was NOT researched yet (because of lack of time)
      but it was found the same day as subversion and here also sscanf()
      is used in an unsafe manner. This will result in an overflow of
      a static heap varibale. I havent checked the layout yet. But I guess
      somehow it is exploitable.

Attached are fixes for these vulnerabilities. I hope the CVS, SVN and NEON
vendors can check their validity fast. Especially the CVS patch should be
checked. I believe it is okay but maybe Derek Price can verify that it does
not kill functionallity.

Due to the fact that CVS and NEON/SVN are meanwhile widely used I want to
contact some big CVS/SVN repositories before going public with this. f.e.
Samba just switched from CVS to SVN but still runs both afaik. This means
they are doubly vulnerable. I would like to know from you, who should get
prior notified.

Additionally I suggest these fixes do not go into publicy reachable CVS/SVN
trees before we have not notified some big repositories. Especially the 
CVS pserver bug could be known in the blackhat community for 1-2 years. At
least I heard from a trusted source that there is a pserver exploit. I have
no idea if this the bug I just found but I strongly believe the source is
not lieing. 

Oh well and it would also be good if all three things can be released at 
the same time. Especially neon+svn would be handy because they are connected
anyway...

Yours,
Stefan Esser
Comment 1 Sebastian Krahmer 2004-05-03 17:33:14 UTC 
<!-- SBZ_reproduce  -->
Will attach fix. Since you are maintainer for subversion and neon,
I will not make sepparate entries.
Comment 2 Sebastian Krahmer 2004-05-03 17:34:21 UTC 
Created attachment 18914 [details]
the neon fix

...
Comment 3 Sebastian Krahmer 2004-05-03 17:34:50 UTC 
Created attachment 18915 [details]
the subversion fix

...
Comment 4 Sebastian Krahmer 2004-05-04 19:45:15 UTC 
CAN-2004-0398
Comment 5 Sebastian Krahmer 2004-05-04 20:03:49 UTC 
Created attachment 18994 [details]
ne wpatch from author. we should probably use this.

...
Comment 6 Olaf Hering 2004-05-04 23:06:53 UTC 
Is there a release date?
Comment 7 Sebastian Krahmer 2004-05-05 16:44:37 UTC 
No, not yet. But would be good to have packages ready and tested
when they announce it :-)
Comment 8 Sebastian Krahmer 2004-05-07 16:28:43 UTC 
Any news here yet?
Comment 9 Olaf Hering 2004-05-07 21:57:17 UTC 
I will update it this weekend.
Comment 10 Olaf Hering 2004-05-10 00:14:43 UTC 
packages submitted to:
8.1/neon
8.1/subversion
8.2/neon
8.2/subversion
9.0/neon
9.0/subversion
9.1/neon
9.1/subversion
Comment 11 Sebastian Krahmer 2004-05-10 17:49:41 UTC 
So there is no maintenance issue?
Going to submit patchinfos...
Comment 12 Sebastian Krahmer 2004-05-10 18:03:40 UTC 
Created attachment 19282 [details]
neon patchfile for box

...
Comment 13 Sebastian Krahmer 2004-05-10 18:04:14 UTC 
Created attachment 19283 [details]
subversion patchfile for box

...
Comment 14 Olaf Hering 2004-05-10 20:10:47 UTC 
neon and subversion is not part of sles8
Comment 15 Sebastian Krahmer 2004-05-19 17:14:55 UTC 
CAN-2004-0397: subversion sscanf stack overflow via revision date in REPORT
query
...
CAN-2004-0398: libneon sscanf overflow via ne_rfc1036_parse
Comment 16 Sebastian Krahmer 2004-05-19 20:04:53 UTC 
packgaes approved, and annoucned in SA-2004:013
Comment 17 Peter Poeml 2004-05-19 20:16:40 UTC 
packages pub/projects/apache got the fix today
as well (resp. pub/people/poeml, which is linked from
http://subversion.tigris.org/project_packages.html)
Comment 18 Thomas Biege 2009-10-13 20:21:47 UTC 
CVE-2004-0397: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)