Bug 60610 (CVE-2004-0749)

Summary: VUL-0: CVE-2004-0749: Subversion/mod_authz_svn
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Olaf Hering <ohering>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0749: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: common.patch
get_logs.patch
revprop.patch

Description Marcus Meissner 2004-09-20 15:53:23 UTC
From: Ben Reser <ben@reser.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] Confidential Subversion/mod_authz_svn vulnerability notification.

This email is a confidential pre-notification of a security alert
for Subversion.

Please *do not forward* any part of this mail to anyone.  The public
announcement is not until September 22nd 2004 21:00 UTC, and we'd like
to keep the information embargoed until then.

You are receiving this mail because (we think) you run Subversion
servers, and would want to have them patched before these security
holes are made public on September 22nd, or package Subversion.

What follows below is our advisory.  As well there are 3 patches against
1.0.x attached which are needed to fix this problem.  Any questions
please feel free to contact me.
                                                                                 
Summary:
=======

mod_authz_svn, the Apache httpd module which does path-based
authorization on Subversion repositories, is not correctly protecting
all metadata on unreadable paths.

This metadata leakage affects the mod_authz_svn module in all released
versions of Subversion (through 1.0.7), as well as the 1.1-rc1, -rc2
and -rc3 release candidates.  The leakage is fixed in the 1.0.8 and
1.1-rc4 release, as well as the upcoming 1.1 final release.


Details:
=======

If a Subversion commit affects paths that an administrator has marked
"unreadable" using mod_authz_svn, then

   - "svn log -v" will list the existence of the unreadable paths;
   - "svn log -v" will show the commit's log message, which might be
                  considered sensitive metadata in some situations;
   - "svn propget" is also able to fetch the log message of any commit;
   - "svn blame" and other commands that follow renames are able to
                  acknowledge the existence of earlier versions of
                  files that exist at unreadable locations.
                                                                                 
Severity:
========

Mild-to-medium severity, depending on your situation.

This security issue is not about revealing the contents of protected
files: it only reveals metadata about protected areas such as paths
and log messages.  This may or may not be important to your
organization, depending on how you're using path-based authorization,
and the sensitivity of the metadata.

(Exception: in the case of "svn blame", and only in svn 1.1-rc2 and
-rc3, it's possible that older unreadable versions of a file are being
transported from server to client; the contents aren't displayed, but
the data is still traveling over the network.)

These issues only affect users of mod_authz_svn, not people using
native httpd.conf directives (such as <Limit> or <LimitExcept>)
to limit general readability on whole repositories.


Workarounds:
===========

* Use mod_authz_svn to restrict writes only, not reads.

* Break unreadable areas into separate repositories, and use native
  apache httpd.conf directives to make them unreadable.


References:
==========

  CAN-2004-0749: mod_authz_svn fails to protect metadata

Recommendation:
==============

We recommend an upgrade to 1.0.8 or 1.1.0-rc4.
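The first workaround in the advisory, "restrict writes only, not reads", has a mechanical check: every rule in the mod_authz_svn access file must keep the `r` bit, because any path a rule makes unreadable is exactly a path whose names and log messages leak on the affected versions. The following audit script is an added example, not code from the advisory or from the Subversion project; the access file it reads is constructed for the demonstration, and the function names are the example's own. It reports the read-denying rules so an administrator knows which paths are exposed until the server is upgraded to 1.0.8 / 1.1-rc4.

```python
"""Audit a mod_authz_svn access file for rules that take read access away.

Added example, not code from the advisory or from the Subversion project.
Until the 1.0.8 / 1.1-rc4 fix, any path that a rule makes unreadable still
leaks metadata (path names, log messages) via "svn log -v", "svn propget"
and "svn blame".  The advisory's first workaround is "restrict writes only,
not reads", which in the access file means: no rule may lack the 'r' bit.
This script lists the rules that do, so you know which paths are exposed.
"""
import configparser

# Constructed sample access file (not taken from the advisory).  Only the
# [/trunk/secret] and [hr:/salaries] sections deny read access.
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r
@devs = rw

[/trunk/public]
* = r

[/trunk/secret]
* =
@devs = rw

[hr:/salaries]
carol = rw
* =
"""

# Sections of the access file that hold group/alias definitions, not paths.
NON_PATH_SECTIONS = {"groups", "aliases"}


def parse_authz(text):
    """Parse svn authz text into {section: {principal: rights}}.

    The file is INI-style, so configparser handles it.  Interpolation is
    off so a literal '%' cannot break parsing, and optionxform is the
    identity so principal names keep their case.  An empty value ("* =")
    means "no access" and is normalised to the empty string.
    """
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.optionxform = str
    parser.read_string(text)
    return {
        section: {key: (value or "").strip() for key, value in parser.items(section)}
        for section in parser.sections()
    }


def find_read_denials(text):
    """Return [(section, principal, rights)] for every rule without 'r'.

    Each hit is a path that is "unreadable" to that principal, i.e. exactly
    the situation in which pre-1.0.8 mod_authz_svn leaks metadata.
    """
    denials = []
    for section, rules in parse_authz(text).items():
        if section in NON_PATH_SECTIONS:
            continue
        for principal, rights in rules.items():
            if "r" not in rights:
                denials.append((section, principal, rights))
    return denials


def restricts_writes_only(text):
    """True when the access file follows the 'restrict writes only' workaround."""
    return not find_read_denials(text)


def report(text):
    """Build the human-readable findings; returned as lines, not just printed."""
    lines = []
    for section, principal, rights in find_read_denials(text):
        shown = rights if rights else "(no access)"
        lines.append(f"{section}: '{principal}' = {shown}  <- unreadable path, "
                     "metadata leaks on mod_authz_svn < 1.0.8 / 1.1-rc4")
    if not lines:
        lines.append("No read-denying rules; only writes are restricted.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUTHZ)))
```

Run it against the real access file (`parse_authz(open(path).read())`) on each affected server. Paths it flags are candidates for the advisory's second workaround, moving them into a separate repository protected by httpd's own `<Location>`/`<Limit>` directives, which the advisory says are not affected; the flagged rules themselves are only safe to keep once the server runs 1.0.8 or 1.1-rc4.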
Comment 1 Marcus Meissner 2004-09-20 15:53:23 UTC
n/a
Comment 2 Marcus Meissner 2004-09-20 15:55:15 UTC
Created attachment 23673 [details]
common.patch
Comment 3 Marcus Meissner 2004-09-20 15:55:29 UTC
Created attachment 23674 [details]
get_logs.patch
Comment 4 Marcus Meissner 2004-09-20 15:55:46 UTC
Created attachment 23675 [details]
revprop.patch
Comment 5 Marcus Meissner 2004-09-20 15:57:19 UTC
 
NOT PUBLIC YET.

most likely it will be disclosed on September 22nd.
Comment 6 Olaf Hering 2004-09-20 17:27:15 UTC
they gave the right hint:

We recommend an upgrade to 1.0.8.

Comment 7 Olaf Hering 2004-09-22 16:55:38 UTC
package and patchinfo was submitted yesterday to SLES9.
waiting for the 1.0.8 release for 9.2
Comment 8 Marcus Meissner 2004-09-27 19:55:49 UTC
Issue is public:

http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt

so we can push updates out.
Comment 9 Olaf Hering 2004-09-28 00:06:21 UTC
9.2 has 1.0.8 now.
Comment 10 Thomas Biege 2009-10-13 19:50:17 UTC
CVE-2004-0749: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)