Bug 850667 - (CVE-2013-4505) VUL-0: CVE-2013-4505: subversion: mod_dontdothat does not restrict requests from serf based clients
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
Reported: 2013-11-15 12:35 UTC by Victor Pereira
Modified: 2014-01-27 09:50 UTC

Description Victor Pereira 2013-11-15 12:35:21 UTC
CVE-2013-4505 and CVE-2013-4558:

  mod_dontdothat allows you to block update REPORT requests against certain
  paths in the repository.  It expects the paths in the REPORT request
  to be absolute URLs.  Serf based clients send relative URLs instead
  of absolute URLs in many cases.  As a result these clients are not blocked
  as configured by mod_dontdothat.

Known vulnerable:
=================

  mod_dontdothat 1.4.0 through 1.7.13
  mod_dontdothat 1.8.0 through 1.8.4

  Note that mod_dontdothat was in contrib until 1.7.3 and contrib is not
  included in Subversion source tarballs since 1.7.0, so Subversion 1.7.0
  through 1.7.2 did not include mod_dontdothat (it was still available
  from the repository tags for those versions under contrib).

Known fixed:
============

  mod_dontdothat 1.7.14
  mod_dontdothat 1.8.5
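
The flaw described above, as an added example that is not part of the original report and not mod_dontdothat's own code: a simplified C model of a path filter that only checks values shaped like absolute URLs, next to one that also checks server-relative paths and fails closed. The deny list, host name and function names are constructed for illustration, and matching is exact rather than the module's configured patterns.

```c
#include <stdio.h>
#include <string.h>

/* Constructed policy: REPORT requests on these paths are denied. */
static const char *const DENIED[] = { "/svn/repo", "/svn/repo/branches" };

static int path_is_denied(const char *path)
{
    size_t len = strlen(path);
    while (len > 1 && path[len - 1] == '/')
        len--;                               /* ignore trailing '/' */
    for (size_t i = 0; i < sizeof DENIED / sizeof DENIED[0]; i++)
        if (strlen(DENIED[i]) == len && strncmp(DENIED[i], path, len) == 0)
            return 1;
    return 0;
}

/* Flawed model: only "scheme://host/path" is checked. 1 = allow, 0 = block. */
static int allow_absolute_only(const char *value)
{
    const char *p = strstr(value, "://");
    if (p != NULL)
        p = strchr(p + 3, '/');
    if (p == NULL)
        return 1;                 /* not an absolute URL: never checked */
    return !path_is_denied(p);
}

/* Hardened model: a server-relative path is checked too; anything else is blocked. */
static int allow_any_form(const char *value)
{
    const char *p = strstr(value, "://");
    if (p != NULL)
        p = strchr(p + 3, '/');
    else if (value[0] == '/')
        p = value;
    if (p == NULL)
        return 0;                 /* unparseable: fail closed */
    return !path_is_denied(p);
}

int main(void)
{
    const char *s[] = { "http://svn.example.org/svn/repo", "/svn/repo" };
    for (size_t i = 0; i < 2; i++)   /* constructed sample values */
        printf("%s: absolute-only=%d any-form=%d\n", s[i],
               allow_absolute_only(s[i]), allow_any_form(s[i]));
    return 0;
}
```
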
Comment 3 Michal Vyskocil 2013-11-18 13:06:11 UTC
Hi, why are there two CVEs?

I've found all relevant upstream commits for 1.8.x:

https://github.com/apache/subversion/commit/5f1948467a0bb1e8d352aee7cc638c68ee2ca285

https://github.com/apache/subversion/commit/83e7f2efe56b6d00ceaa9cd9549b84cf6c23d4f7

hope that 1.7 won't be that much different.
Comment 7 Victor Pereira 2013-11-19 10:26:13 UTC
CVE-2013-4558 is related to mod_dav_svn:


When SVNAutoversioning is enabled via

    SVNAutoversioning on

  commits can be made by single HTTP requests such as MKCOL and
  PUT.  If Subversion is built with assertions enabled any such
  requests that have non-canonical URLs, such as URLs with a
  trailing /, may trigger an assert.  An assert will cause the
  Apache process to abort.


Known vulnerable:
=================

  mod_dav_svn 1.7.0 through 1.7.13
  mod_dav_svn 1.8.0 through 1.8.4

Known fixed:
============

  mod_dav_svn 1.7.14
  mod_dav_svn 1.8.5

Recommendations:
================

  We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14 or
  newer.

  Disabling SVNAutoversioning will avoid the problem.

  Building Subversion with assertions disabled will avoid the problem.
  This can be done using the -disable-debug option to configure on *nix and
  by using a Release build profile on Windows.
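
The failure mode described above, as an added example that is not part of the original comment and not mod_dav_svn's code: a C model of a routine that asserts its path argument is canonical, and an entry point that canonicalizes the request path first so a trailing / can no longer reach the assert. The function names and the simplified definition of "canonical" are assumptions made for this example.

```c
#include <assert.h>
#include <string.h>

/* Simplified "canonical" for this example: leading '/', no "//",
   and no trailing '/' unless the whole path is "/". */
static int is_canonical(const char *path)
{
    size_t len = strlen(path);
    if (len == 0 || path[0] != '/' || (len > 1 && path[len - 1] == '/'))
        return 0;
    return strstr(path, "//") == NULL;
}

/* Write the canonical form of in to out; -1 if not a path or too long. */
static int canonicalize(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (in[0] != '/' || cap < 2)
        return -1;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '/' && n > 0 && out[n - 1] == '/')
            continue;                      /* collapse "//" */
        if (n + 1 >= cap)
            return -1;
        out[n++] = *p;
    }
    if (n > 1 && out[n - 1] == '/')
        n--;                               /* drop trailing '/' */
    out[n] = '\0';
    return 0;
}

/* Model of an internal routine: aborts on non-canonical input if asserts are on. */
static int commit_path(const char *canonical)
{
    assert(is_canonical(canonical));
    return (int)strlen(canonical);
}

/* Hardened entry point: canonicalize the request path before the assert. */
static int handle_request_path(const char *raw)
{
    char buf[256];
    if (canonicalize(raw, buf, sizeof buf) != 0)
        return -1;                         /* reject, do not abort */
    return commit_path(buf);
}

int main(void) { return handle_request_path("/repo/newdir/") == 12 ? 0 : 1; }
```
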
Comment 8 Michal Vyskocil 2013-11-22 14:27:04 UTC
Hi,

I've been looking into the issue, but mod_dav_svn has changed between 1.6.17 in SP2 and 1.7.14. There are two changes between 1.7.13 and 1.7.14

 * mod_dav_svn: Prevent crashes with some 3rd party modules (r1537360 et al)
 * mod_dav_svn: canonicalize paths properly (r1542071)

Code from r1537360 [1] fixes dav_svn__translate_name, introduced by [2], which is not in the sle11 version of sle. And followup commits 1542042 [3] and 1541790 [4] do mostly the same.

[1] https://github.com/apache/subversion/commit/354439f004af51c3b09966283ea484f107a81134
[2] https://github.com/apache/subversion/commit/2773387d3e67ea5504b7944474973c9bf2393650
[3] https://github.com/apache/subversion/commit/2651095ad9cbc6589e896eed3f631571f12622e5
[4] https://github.com/apache/subversion/commit/bed9114938b0517a672b355ba2b3651127a1c35a

I would recommend to use only [5] as this is what should prevent the assertion.

[5] https://github.com/apache/subversion/commit/583d13e9c5bd9131b623f5c25751757cc9b128e9

Can you make an eyeshot on that?
Comment 9 Michal Vyskocil 2013-11-26 14:49:05 UTC
submitted with canonical path patch for mod_dav_svn
Comment 12 Swamp Workflow Management 2013-12-07 18:05:28 UTC
openSUSE-SU-2013:1836-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 850667,850747
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 13.1 (src):    subversion-1.8.5-2.11.1
Comment 13 Swamp Workflow Management 2013-12-12 17:04:46 UTC
openSUSE-SU-2013:1860-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 850667,850747
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
openSUSE 12.3 (src):    subversion-1.7.14-2.22.1
openSUSE 12.2 (src):    subversion-1.7.14-4.30.1
Comment 14 Swamp Workflow Management 2013-12-17 11:37:50 UTC
The SWAMPID for this issue is 55549.
This issue was rated as moderate.
Please submit fixed packages until 2013-12-31.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 15 Sebastian Krahmer 2013-12-17 11:40:47 UTC
Is SLE11-SP3 not needed?
Comment 16 Michal Vyskocil 2013-12-17 11:43:13 UTC
There is no SUSE:SLE-11-SP3:GA/subversion, so SP2 submission will be used on SP3.
Comment 21 Marcus Meissner 2014-01-24 11:08:59 UTC
released
Comment 22 Swamp Workflow Management 2014-01-25 01:16:18 UTC
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
Comment 23 Swamp Workflow Management 2014-01-25 01:46:57 UTC
Update released for: subversion, subversion-debuginfo, subversion-debugsource, subversion-devel, subversion-perl, subversion-python, subversion-server, subversion-tools
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 24 Swamp Workflow Management 2014-01-25 05:04:23 UTC
SUSE-SU-2014:0129-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 850667
CVE References: CVE-2013-4505,CVE-2013-4558
Sources used:
SUSE Studio Onsite 1.3 (src):    subversion-1.6.17-1.25.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    subversion-1.6.17-1.25.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src):    subversion-1.6.17-1.25.1