Posted to users@httpd.apache.org by "Brennan, Edward C (HII-Ingalls)" <ed...@hii-ingalls.com> on 2013/08/02 04:04:09 UTC

[users@httpd] RE: EXT :Re: [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

Thanks, Ben.  So based on your response, I still don't know what caused the error.  I introduced apache 2.2.25 into my environment, and I get the error (which is why I posted to users@httpd, since I didn't introduce a new subversion).  But when I revert back to apache 2.2.22, I don't get the error.  I assumed the new software introduced the issue.  

Guess I can upgrade subversion, and put apache back to 2.2.25 and see if the error persists.

I appreciate your feedback.

-----Original Message-----
From: Ben Reser [mailto:ben@reser.org] 
Sent: Thursday, August 01, 2013 8:52 PM
To: users@httpd.apache.org
Subject: EXT :Re: [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

First of all this probably belongs on users@subversion.apache.org...

On Wed, Jul 31, 2013 at 1:43 PM, Brennan, Edward C (HII-Ingalls)
<ed...@hii-ingalls.com> wrote:
> Thank you.
>   I am trying to understand what the recommendation is here.  I am currently using SVN 1.6.6 and have apache 2.2.22 in production (reverted back from 2.2.25).  At this link:
> http://subversion.apache.org/security/CVE-2013-4131-advisory.txt

That issue is not applicable to 1.6.x.  Note the following bit from
the advisory you linked.

[[[
Known fixed:
============

  Subversion 1.8.1
  Subversion 1.7.11
  svnserve (any version) is not vulnerable.
  Subversion 1.6.x is not vulnerable.
]]]

> there is this blurb:
>
> Making a copy of the repository root is a valid Subversion operation.
>   However, a code change in Apache HTTPD 2.2.25/2.4.5 led to a codepath being
>   exercised for a revision root that was never before executed for a revision
>   root.  That code performs a hand-rolled path arithmetic instead of using the
>   internal path manipulation library, and thus passes an invalid path down to
>   a library function which runs an assert() validation on that path.
>
>   When assertions are enabled, the validation fails and kills the httpd
>   process.  When assertions are disabled, code would read beyond allocated
>   memory, which may lead to a segfault or undefined behavior.
>
>
> Is this what I'm running into when I perform a SVN Commit?

If you were running 1.7.0-1.7.10 or 1.8.0 (including rcs) then yes
that code would be run during a commit provided that you were doing a
copy or move from or to the repository root.  Somehow I suspect that's
not what you're doing based on what you've said so far.

> And the recommendations on that page:
>
> Recommendations:
> ================
>
>   We recommend all users to upgrade to Subversion 1.8.1 or 1.7.11.
>   Users who are unable to upgrade may apply the included patches.
>
>   New Subversion packages can be found at:
>   http://subversion.apache.org/packages.html
>
>   We remind users that we recommend upgrading Apache HTTPD to 2.2.25 (for
>   repositories served by HTTPD) due to an independent security issue fixed
>   in that HTTPD release: CVE-2013-1896.  See <http://s.apache.org/H1a> for
>   details about CVE-2013-1896, including a recommendation for those who serve
>   Subversion repositories with Apache HTTPD 2.4.x.
>
> So is this saying that while apache 2.2.25 introduced the issue, I should keep that version for the security vulnerability fix, and upgrade SVN to 1.8.1 or 1.7.11?

At a minimum you should upgrade to 1.6.23 as there are several
security issues that have been fixed in later 1.6.x releases that are
not addressed in the 1.6.6 version you're running now.  See this page
for the list of security issues:
http://subversion.apache.org/security/

However, I should point out that 1.6.x is no longer supported by the
Subversion project and you should upgrade to 1.7.11 or 1.8.1 at your
earliest convenience.  We will not be producing any further updates
for 1.6.x.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




Re: [users@httpd] RE: EXT :Re: [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

Posted by Ben Reser <be...@reser.org>.
On Thu, Aug 1, 2013 at 7:22 PM, Ben Reser <be...@reser.org> wrote:
> On Thu, Aug 1, 2013 at 7:04 PM, Brennan, Edward C (HII-Ingalls)
> <ed...@hii-ingalls.com> wrote:
>> Thanks, Ben.  So based on your response, I still don't know what caused the error.  I introduced apache 2.2.25 into my environment, and I get the error (which is why I posted to users@httpd, since I didn't introduce a new subversion).  But when I revert back to apache 2.2.22, I don't get the error.  I assumed the new software introduced the issue.
>
> I actually just tried to replicate the issue with svn 1.6.6 and httpd
> 2.2.25 here and I can't.

My attempt to replicate this must have been wrong because there
clearly is a problem here.  It's being caused by this change:

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

> Well as far as I know this is an unknown issue.  That doesn't mean
> upgrading svn won't fix it, just means I don't think we know about
> this.

Upgrading to new versions of SVN on the server side won't fix the
issue; however, if both the client and the server are updated then the
problem will disappear, because it only happens when we're using the
DeltaV based communication (referred to by SVN devs as HTTPv1) as opposed
to HTTPv2 (no longer DeltaV compliant and specific to SVN).

You can see the problem even with a newer client and server if the
server is configured with:
  SVNAdvertiseV2Protocol off

Still digging to see why that change broke things.



Re: [users@httpd] RE: EXT :Re: [users@httpd] RE: EXT :Re: [users@httpd] apache 2.2.25 and svn commit

Posted by Ben Reser <be...@reser.org>.
On Thu, Aug 1, 2013 at 7:04 PM, Brennan, Edward C (HII-Ingalls)
<ed...@hii-ingalls.com> wrote:
> Thanks, Ben.  So based on your response, I still don't know what caused the error.  I introduced apache 2.2.25 into my environment, and I get the error (which is why I posted to users@httpd, since I didn't introduce a new subversion).  But when I revert back to apache 2.2.22, I don't get the error.  I assumed the new software introduced the issue.

I actually just tried to replicate the issue with svn 1.6.6 and httpd
2.2.25 here and I can't.

Referring back to your original message:
> [Wed Jul 31 10:25:13 2013] [error] ... Unable to PUT new contents for /svn/!svn/wrk/.../svngctest/trunk/new%20folder/myDoc.txt.  [403, #0]
> [Wed Jul 31 10:25:13 2013] [error] ... Could not create file within the repository.  [404, #160013]
> [Wed Jul 31 10:25:13 2013] [error] ... File not found: transaction '37355-stw', path '/svngctest/trunk/new%20folder/myDoc.txt'  [404, #160013]

That's a really peculiar error.  Error 160013 is SVN_ERR_FS_NOT_FOUND.
That error only occurs when a parent of a path you're trying to
commit isn't in the repo, which the client shouldn't even let you
send to the server.

> Guess I can upgrade subversion, and put apache back to 2.2.25 and see if the error persists.

Well, as far as I know this is an unknown issue.  That doesn't mean
upgrading svn won't fix it, just means I don't think we know about
this.

If you decide to upgrade and you still have the problem please bring
the issue to the users@subversion.apache.org list.

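Added example (Python; not code from the thread, httpd or Subversion): a triage helper for error_log lines like the three Ben quotes above. It pulls the `[status, #code]` trailer and the repository path out of each line and flags SVN_ERR_FS_NOT_FOUND (160013) errors whose path still carries a percent-escape, on the assumption that a repository path should reach the filesystem layer already decoded; the thread itself does not establish why the mod_dav change left `%20` in the path, so treat that reading as a hypothesis to check, not a confirmed root cause. The sample lines are constructed copies of the quoted log excerpt.

```python
import re
from urllib.parse import quote, unquote

# Error code named in the thread: SVN_ERR_FS_NOT_FOUND.
SVN_ERR_FS_NOT_FOUND = 160013

# Constructed copies of the three error_log lines quoted in the thread
# (the "..." elisions are kept exactly as they appear there).
SAMPLE_LOG = """\
[Wed Jul 31 10:25:13 2013] [error] ... Unable to PUT new contents for /svn/!svn/wrk/.../svngctest/trunk/new%20folder/myDoc.txt.  [403, #0]
[Wed Jul 31 10:25:13 2013] [error] ... Could not create file within the repository.  [404, #160013]
[Wed Jul 31 10:25:13 2013] [error] ... File not found: transaction '37355-stw', path '/svngctest/trunk/new%20folder/myDoc.txt'  [404, #160013]
"""

# mod_dav_svn ends its error lines with "[<http status>, #<svn error code>]".
TRAILER = re.compile(r"\[(\d{3}), #(\d+)\]\s*$")
REPO_PATH = re.compile(r"path '([^']*)'")

def parse_line(line):
    """Return (http_status, svn_code, repo_path_or_None), or None when the
    line carries no mod_dav_svn status trailer."""
    m = TRAILER.search(line)
    if not m:
        return None
    p = REPO_PATH.search(line)
    return int(m.group(1)), int(m.group(2)), (p.group(1) if p else None)

def has_residual_escape(path):
    """True if the path still contains percent-escapes. A repository path
    (unlike a request URI) is expected to be decoded by this point."""
    return unquote(path) != path

def triage(log_text):
    """Collect FS_NOT_FOUND errors whose repository path still carries
    percent-escapes, returning (raw_path, decoded_path) pairs."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _status, code, path = parsed
        if code == SVN_ERR_FS_NOT_FOUND and path and has_residual_escape(path):
            findings.append((path, unquote(path)))
    return findings

def encode_twice(path):
    """Percent-encoding is not idempotent: encoding an already encoded
    path turns '%20' into '%2520'. Returns (once, twice) for comparison."""
    once = quote(path)
    return once, quote(once)
```

Run `triage(SAMPLE_LOG)` against a real error_log to see whether every 160013 failure shares the undecoded-path signature before upgrading or reverting components.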