Bug 662030 - VUL-0: subversion unspecified overflow/crash
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2011-01-03 10:10 UTC by Sebastian Krahmer
Modified: 2013-12-13 13:05 UTC (History)
Description Sebastian Krahmer 2011-01-03 10:10:20 UTC
From: Kurt Seifried
To: oss-security


Unspecified vulnerability in the server component in Apache Subversion
1.6.x before 1.6.15 allows remote attackers to cause a denial of
service via unknown vectors, related to a "several bug fixes,
including two which can cause client-initiated crashes on the server."

http://svn.haxx.se/dev/archive-2010-11/0475.shtml
Comment 1 Dirk Mueller 2011-01-03 10:32:49 UTC
CVE? this sounds like a duplicate of bnc#649861
Comment 2 Sebastian Krahmer 2011-01-03 10:58:55 UTC
There was no CVE yet. I think it could be different:

CVE-2010-3315 was about SVNPathAuthz short_circuit,
while the current changelog mentions SVNParentPath
(although both are in mod_dav_svn).
Comment 3 Sebastian Krahmer 2011-01-04 07:44:17 UTC
CVE-2010-4539
Comment 4 Sebastian Krahmer 2011-01-04 09:25:59 UTC
SWAMP seems to miss making an entry about it!

MaintenanceTracker-38005
Comment 5 Sebastian Krahmer 2011-01-04 15:17:20 UTC
Via OSS-sec:

>----- Original Message -----
>>Unspecified vulnerability in the server component in Apache Subversion
>>1.6.x before 1.6.15 allows remote attackers to cause a denial of
>>service via unknown vectors, related to a "several bug fixes,
>>including two which can cause client-initiated crashes on the server."
>>
>> [1] http://svn.haxx.se/dev/archive-2010-11/0475.shtml

  Cc-ed Hyrum to shed more light into this one. [1] mentions two issues:
<begin quote>
...
several bug fixes, including two which can cause client-initiated
crashes on the server.
</end quote>

Further look at:
[2] http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES

suggests:

A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)"
being the first one.
   Upstream changeset:
   http://svn.apache.org/viewvc?view=revision&revision=1033166

and after discussion with Joe Orton, Joe suggested:

B, * fix server-side memory leaks triggered by 'blame -g' (r1032808)
   References:
   http://svn.haxx.se/dev/archive-2010-11/0102.shtml
   Upstream changeset:
   http://svn.apache.org/viewvc?view=revision&revision=1032808

   being the second one as denial of service attack (by memory consumption)
   against svnserve.

Questions:
----------
Hyrum, could you confirm A, and B, issues are those two, mentioned in [2]
to be able to cause client-initiated crashes on the server?

>I admit, this isn't obvious, so let's use CVE-2010-4539 for now.
>We can split it if needed once more information is known.

Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can
we consider CVE-2010-4539 to be a CVE identifier for A, issue
and request yet another / second one for B, issue?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 6 Sebastian Krahmer 2011-01-05 07:48:55 UTC
> Questions:
> ----------
> Hyrum, could you confirm A, and B, issues are those two, mentioned in [2]
> to be able to cause client-initiated crashes on the server?

I can confirm that A and B are the two issues mentioned in [2].

>> I admit, this isn't obvious, so let's use CVE-2010-4539 for now.
>> We can split it if needed once more information is known.
>
> Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can
> we consider CVE-2010-4539 to be a CVE identifier for A, issue
> and request yet another / second one for B, issue?

We didn't initially reserve CVEs for these vulnerabilities, but will
be happy to update our documentation to reflect them. (See
http://subversion.apache.org/security/ ) The two issues really are
orthogonal, so B should probably not be included in a CVE for A.

I've CC'd dev@subversion.apache.org to help coordinate advisory authoring.

-Hyrum
Comment 7 Dirk Mueller 2011-01-19 14:41:36 UTC
CVE-2010-4644 fixed for sle11-sp1, 11.2, 11.3 and STABLE
CVE-2010-4539 fixed for sle10-sp3, sle11-sp1, 11.2, 11.3 and STABLE
Comment 8 Thomas Biege 2011-01-20 12:55:00 UTC
CVE-2010-4644: CVSS v2 Base Score: 5.0 (moderate) (AV:N/AC:L/Au:N/C:N/I:N/A:P): Resource Management Errors (CWE-399)

CVE-2010-4539: CVSS v2 Base Score: 4.3 (low) (AV:N/AC:M/Au:N/C:N/I:N/A:P): Resource Management Errors (CWE-399)
Comment 9 Swamp Workflow Management 2011-02-25 08:18:09 UTC
Update released for: libsvn_auth_gnome_keyring-1-0, libsvn_auth_gnome_keyring-1-0-debuginfo, libsvn_auth_kwallet-1-0, libsvn_auth_kwallet-1-0-debuginfo, subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-perl-debuginfo, subversion-python, subversion-python-debuginfo, subversion-ruby, subversion-ruby-debuginfo, subversion-server, subversion-server-debuginfo, subversion-tools, subversion-tools-debuginfo
Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
Comment 10 Thomas Biege 2011-02-25 08:18:58 UTC
released
Comment 11 Swamp Workflow Management 2011-02-25 11:01:30 UTC
Update released for: cvs2svn, subversion, subversion-debuginfo, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools, viewcvs
Products:
SLE-DESKTOP 10-SP3 (i386, x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Comment 12 Swamp Workflow Management 2011-02-25 11:11:34 UTC
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
Comment 13 Swamp Workflow Management 2013-12-13 13:05:08 UTC
openSUSE-SU-2013:1869-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 528714,649861,662030,713919,788015,794676,830031,836245,850747
CVE References: CVE-2010-3315,CVE-2010-4539,CVE-2010-4644,CVE-2013-1884,CVE-2013-4131,CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 11.4 (src):    subversion-1.7.14-59.1