Bugzilla – Bug 60610
VUL-0: CVE-2004-0749: Subversion/mod_authz_svn
Last modified: 2021-09-27 14:42:30 UTC
From: Ben Reser <ben@reser.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] Confidential Subversion/mod_authz_svn vulnerability notification

This email is a confidential pre-notification of a security alert for Subversion. Please *do not forward* any part of this mail to anyone. The public announcement is not until September 22nd 2004 21:00 UTC, and we'd like to keep the information embargoed until then.

You are receiving this mail because (we think) you run Subversion servers, and would want to have them patched before these security holes are made public on September 22nd, or package Subversion.

What follows below is our advisory. As well there are 3 patches against 1.0.x attached which are needed to fix this problem.

Any questions please feel free to contact me.

Summary:
=======

mod_authz_svn, the Apache httpd module which does path-based authorization on Subversion repositories, is not correctly protecting all metadata on unreadable paths.

This metadata leakage affects the mod_authz_svn module in all released versions of Subversion (through 1.0.7), as well as the 1.1-rc1, -rc2 and -rc3 release candidates.

The leakage is fixed in the 1.0.8 and 1.1-rc4 releases, as well as the upcoming 1.1 final release.

Details:
=======

If a Subversion commit affects paths that an administrator has marked "unreadable" using mod_authz_svn, then

- "svn log -v" will list the existence of the unreadable paths;
- "svn log -v" will show the commit's log message, which might be considered sensitive metadata in some situations;
- "svn propget" is also able to fetch the log message of any commit;
- "svn blame" and other commands that follow renames are able to acknowledge the existence of earlier versions of files that exist at unreadable locations.

Severity:
========

Mild-to-medium severity, depending on your situation.

This security issue is not about revealing the contents of protected files: it only reveals metadata about protected areas such as paths and log messages. This may or may not be important to your organization, depending on how you're using path-based authorization, and the sensitivity of the metadata. (Exception: in the case of "svn blame", and only in svn 1.1-rc2 and -rc3, it's possible that older unreadable versions of a file are being transported from server to client; the contents aren't displayed, but the data is still traveling over the network.)

These issues only affect users of mod_authz_svn, not people using native httpd.conf directives (such as <Limit> or <LimitExcept>) to limit general readability on whole repositories.

Workarounds:
===========

* Use mod_authz_svn to restrict writes only, not reads.
* Break unreadable areas into separate repositories, and use native Apache httpd.conf directives to make them unreadable.

References:
==========

CAN-2004-0749: mod_authz_svn fails to protect metadata

Recommendation:
==============

We recommend an upgrade to 1.0.8 or 1.1.0-rc4.
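Added example, not part of the original report or of the Subversion project's code: a small audit that parses an AuthzSVNAccessFile and lists every path section where some user or group is denied read access, which are the "unreadable" paths whose metadata the advisory says can leak on unpatched servers. The sample file contents, user names and the function name are constructed for illustration.

```python
import configparser

# Constructed sample AuthzSVNAccessFile contents (not from the report).
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r
@devs = rw

[/trunk/secret]
* =
alice = rw

[docs:/internal]
@devs = r
bob =
"""


def read_restricted_paths(authz_text):
    """Return (section, principal) pairs where read access is denied.

    An empty or write-only permission string means the principal cannot
    read that path, so the deployment relies on mod_authz_svn for read
    protection there.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(authz_text)

    findings = []
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue  # definition sections, not path rules
        for principal, perms in cp.items(section):
            if "r" not in perms.strip():
                findings.append((section, principal))
    return findings


if __name__ == "__main__":
    for path, who in read_restricted_paths(SAMPLE_AUTHZ):
        print(f"read denied on [{path}] for {who}")
```

An empty result means the file restricts writes only, which matches the first workaround in the advisory.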
Created attachment 23673 common.patch
Created attachment 23674 get_logs.patch
Created attachment 23675 revprop.patch
NOT PUBLIC YET. Most likely it will be disclosed on September 22nd.
They gave the right hint: We recommend an upgrade to 1.0.8.
Package and patchinfo were submitted yesterday to SLES9. Waiting for the 1.0.8 release for 9.2.
Issue is public: http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt so we can push updates out.
9.2 has 1.0.8 now.
CVE-2004-0749: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)