Bug 923793 (CVE-2015-0202)

Summary: VUL-0: CVE-2015-0202: subversion: mod_dav_svn with FSFS repositories remotely triggerable excessive memory use with certain REPORT requests
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: mrueckert, stsp
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:running:61279:moderate
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Swamp Workflow Management 2015-03-23 23:00:33 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2015-03-24 08:42:59 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61279
Comment 4 Andreas Stieger 2015-03-31 12:28:48 UTC
Public via http://subversion.apache.org/security/CVE-2015-0202-advisory.txt
 Subversion HTTP servers with FSFS repositories are vulnerable to a
  remotely triggerable excessive memory use with certain REPORT requests.

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module may use excessive
  amounts of memory when processing REPORT requests that require traversing
  through a large number of FSFS repository nodes (files and directories).

  This can lead to a DoS.  There are no known instances of this problem
  being observed in the wild, but an exploit has been tested.

Known vulnerable:
=================

  Subversion HTTPD servers 1.8.0 through 1.8.11 (inclusive)

Known fixed:
============

  Subversion 1.8.13
  svnserve (any version) is not vulnerable

  Subversion 1.8.12 was not publicly released.

Details:
========

  Subversion FSFS repositories cache different types of data for performance
  reasons.  An FSFS repository filesystem is structured as a direct acyclic
  graph (DAG), and it has a special cache for the DAG nodes.  Subversion 1.8.0
  added an additional level of caching for the DAG nodes, and the excessive
  memory use is a consequence of the cached nodes not being deallocated in
  a timely manner.

  HTTPD Server and Subversion use memory pools for allocations.  Certain
  REPORT requests can trigger a state when the cache keeps allocating new
  elements from a pool, but the previously allocated elements are not being
  deallocated.  This memory will be reclaimed eventually (once the request
  finishes or when the cache leaves the inappropriate state), but multiple
  parallel requests might ultimately exhaust all the available memory on the
  server.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.  Repositories which
  allow for anonymous reads will be vulnerable without authentication.
  Unfortunately, no special configuration is required and all mod_dav_svn
  servers with FSFS repositories are vulnerable.  Apache HTTPD servers that
  block potentially expensive requests via mod_dontdothat module have a
  smaller attack surface, but are still vulnerable.

  Actual memory consumption (per request) depends on the layout and size
  of the particular repository, but is potentially unbounded.  The impact
  of using this memory varies wildly based on operating system and httpd
  configuration.  Some operating systems may kill off processes or crash
  if too much memory is used.  The Apache HTTPD configuration option of
  MaxRequestsPerChild may restart a process after a certain number of
  requests and limit the impact of accidental exercise of this issue.
  However, a determined attacker could repeat the requests and mitigate
  any countermeasures.

Recommendations:
================

  We recommend all users to upgrade to Subversion 1.8.13.  Users of
  Subversion 1.8.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  There is no effective configuration that can mitigate the issue entirely
  however the use of ulimit (or the equivalent) to set memory limits for
  processes may help prevent the impact affecting other services running on
  the same machine.

References:
===========

  CVE-2015-0202  (Subversion)

Reported by:
============

  Evgeny Kotkov, VisualSVN
Comment 5 Bernhard Wiedemann 2015-03-31 13:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (923793) was mentioned in
https://build.opensuse.org/request/show/293791 Factory / subversion
Comment 6 Bernhard Wiedemann 2015-03-31 14:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (923793) was mentioned in
https://build.opensuse.org/request/show/293792 13.2+13.1 / subversion
Comment 8 Tomáš Chvátal 2015-04-03 07:50:43 UTC
Ok, this one should be done. SLE<12 not affected from what I can see.
Comment 9 Swamp Workflow Management 2015-04-07 19:05:07 UTC
openSUSE-SU-2015:0672-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 916286,923793,923794,923795
CVE References: CVE-2015-0202,CVE-2015-0248,CVE-2015-0251
Sources used:
openSUSE 13.2 (src):    subversion-1.8.13-2.14.1
openSUSE 13.1 (src):    subversion-1.8.13-2.36.1
Comment 10 Andreas Stieger 2015-04-27 10:04:35 UTC
Releasing SLE 12 update
Comment 11 Swamp Workflow Management 2015-04-27 11:06:51 UTC
SUSE-SU-2015:0776-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 923793,923794,923795
CVE References: CVE-2015-0202,CVE-2015-0248,CVE-2015-0251
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    subversion-1.8.10-12.1
Comment 12 Swamp Workflow Management 2017-08-17 10:11:48 UTC
SUSE-SU-2017:2200-1: An update that solves 12 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1011552,1026936,1051362,897033,909935,911620,916286,923793,923794,923795,939514,939517,942819,958300,969159,976849,976850,977424,983938
CVE References: CVE-2014-3580,CVE-2014-8108,CVE-2015-0202,CVE-2015-0248,CVE-2015-0251,CVE-2015-3184,CVE-2015-3187,CVE-2015-5343,CVE-2016-2167,CVE-2016-2168,CVE-2016-8734,CVE-2017-9800
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    subversion-1.8.19-25.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    subversion-1.8.19-25.3.1