Posted to dev@subversion.apache.org by Ben Reser <be...@reser.org> on 2004/06/10 20:08:30 UTC

Subversion 1.0.5 released. *SECURITY FIX*

Subversion 1.0.5 is ready. Grab it from:

  http://subversion.tigris.org/tarballs/subversion-1.0.5.tar.gz
  http://subversion.tigris.org/tarballs/subversion-1.0.5.tar.bz2 

The MD5 checksums are:

  96856d7e1a6b056a17833d10d3cd7623  subversion-1.0.5.tar.gz
  8e8288fee061f5278ec201fc5e5e141c  subversion-1.0.5.tar.bz2


Subversion versions up to and including 1.0.4 have a potential
Denial of Service and Heap Overflow issue related to the parsing of
strings in the 'svn://' family of access protocols.

This affects only sites running svnserve.  It does not affect
'http://' access -- repositories served only by Apache/mod_dav_svn
do not have this vulnerability.

Details:
========

The svn protocol sends strings as a length followed by the string.  The
parser would trust that the sender was providing an accurate length of
the string and would allocate sufficient memory to store the entire
string.  This would allow the sender of a string to Denial of Service
the other side by suggesting that the string is very large.
Additionally, if the size given is large enough it may cause the integer
holding the size to wrap, thus allocating less memory than the string
length and resulting in a heap overflow.

The parsing code with the flaw is shared by both the svnserve server and
clients using the svn://, svn+ssh:// and other tunneled svn+*://
methods.

Severity:
=========

Severity ranges from "Denial of Service" to, potentially, "Arbitrary
Code Execution", depending upon how skilled the attacker is and the
ABI specifics of your platform.

Since the error is in the parsing of the protocol, including the parsing
of authentication, the server vulnerabilities can be triggered without
read or write access to the repository.  So any svnserve process that an
attacker can connect to is vulnerable even if they do not have read or
write access.

The Denial of Service attack is reasonably easy to carry out, while
exploiting the heap overflow is more difficult.  There are no known
exploits in the wild at the time of this advisory.

Workarounds:
============

Disable svnserve and use DAV (http://) instead.

Recommendations:
================

We recommend all users upgrade to 1.0.5.

References:
===========

CAN-2004-0413: Subversion svn:// protocol string parsing error.

Questions, comments, and bug reports to users_at_subversion.tigris.org.

Thanks,
-The Subversion Team 

--------------------8-<-------cut-here---------8-<-----------------------

 User-visible-changes:
 * fixed: security bug in svn protocol string parsing. (CAN-2004-0413)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
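
Added example, not part of the original advisory and not Subversion's own code: a minimal C parser for a length-prefixed string that refuses to trust the declared length, next to the size computation that wraps. The "<length>:<bytes>" framing, the 1 MiB cap and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap for one protocol string (not a Subversion constant). */
#define MAX_STRING_LEN ((size_t)1 << 20)

/* What a trusting parser computes for "declared length + NUL terminator".
   size_t arithmetic wraps, so a declared SIZE_MAX yields a 0-byte request. */
size_t naive_alloc_size(size_t declared) { return declared + 1; }

/* Parse "<decimal length>:<bytes>" from buf[0..avail).
   On success returns 0 and stores a malloc'ed, NUL-terminated copy in *out.
   Returns -1 for malformed, oversized or truncated input. */
int parse_string(const char *buf, size_t avail, char **out, size_t *out_len)
{
    size_t len = 0, i = 0;
    *out = NULL;
    if (avail == 0 || buf[0] < '0' || buf[0] > '9') return -1;
    for (; i < avail && buf[i] >= '0' && buf[i] <= '9'; i++) {
        size_t digit = (size_t)(buf[i] - '0');
        /* Reject before multiplying: len can never exceed the cap or wrap. */
        if (len > (MAX_STRING_LEN - digit) / 10) return -1;
        len = len * 10 + digit;
    }
    if (i == avail || buf[i] != ':') return -1;
    i++;
    /* Allocate only for bytes that actually arrived, never on the sender's word. */
    if (avail - i < len) return -1;
    *out = malloc(len + 1);          /* len <= MAX_STRING_LEN, so no wrap */
    if (*out == NULL) return -1;
    memcpy(*out, buf + i, len);
    (*out)[len] = '\0';
    *out_len = len;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one honest string, one with an inflated length. */
    const char *ok = "5:hello ", *bad = "4294967295:AAAA";
    char *s; size_t n;
    printf("naive size for SIZE_MAX: %zu\n", naive_alloc_size(SIZE_MAX));
    if (parse_string(ok, strlen(ok), &s, &n) == 0) { printf("ok: %s\n", s); free(s); }
    printf("inflated length -> %d\n", parse_string(bad, strlen(bad), &s, &n));
    return 0;
}
```

A parser that reads from a socket rather than a complete buffer would apply the same cap and then grow its buffer in bounded chunks as data arrives.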

Re: Subversion 1.0.5 released. *SECURITY FIX*

Posted by Patrick Mayweg <ma...@qint.de>.
The Win32 javahl binding binary package is available:

  http://subversion.tigris.org/files/documents/15/14079/svn-win32-1.0.5_javahl.zip

The MD5 checksum is:

   1ff36d390e62fe5cf51e5dc41ad55fad *svn-win32-1.0.5_javahl.zip

Patrick

Branko Čibej wrote:

>The Win32 binary packages are available:
>
>  http://subversion.tigris.org/files/documents/15/14088/svn-win32-1.0.5.zip
>  http://subversion.tigris.org/files/documents/15/14086/svn-win32-1.0.5_dev.zip
>  http://subversion.tigris.org/files/documents/15/14085/svn-win32-1.0.5_pdb.zip
>  http://subversion.tigris.org/files/documents/15/14087/svn-win32-1.0.5_py.zip
>
>The MD5 checksums are:
>
>  62cdbba85f6c15ce9e58cffcec5b3a65 *svn-win32-1.0.5.zip
>  2bd1fb7c3e11a2a421dc577392c69e9f *svn-win32-1.0.5_dev.zip
>  99eef5e2baf1646356adde0163ea9268 *svn-win32-1.0.5_pdb.zip
>  85c5c8aa98cace24d6740befa29c2004 *svn-win32-1.0.5_py.zip
>
>The developers' documentation now includes header dependency graphs.
>
>    Brane
>
>
>P.S.: The unofficial build with the ASP.NET fix is in http://www.xbc.nu/svn/.

Re: Subversion 1.0.5 released. *SECURITY FIX*

Posted by Branko Čibej <br...@xbc.nu>.
The Win32 binary packages are available:

  http://subversion.tigris.org/files/documents/15/14088/svn-win32-1.0.5.zip
  http://subversion.tigris.org/files/documents/15/14086/svn-win32-1.0.5_dev.zip
  http://subversion.tigris.org/files/documents/15/14085/svn-win32-1.0.5_pdb.zip
  http://subversion.tigris.org/files/documents/15/14087/svn-win32-1.0.5_py.zip

The MD5 checksums are:

  62cdbba85f6c15ce9e58cffcec5b3a65 *svn-win32-1.0.5.zip
  2bd1fb7c3e11a2a421dc577392c69e9f *svn-win32-1.0.5_dev.zip
  99eef5e2baf1646356adde0163ea9268 *svn-win32-1.0.5_pdb.zip
  85c5c8aa98cace24d6740befa29c2004 *svn-win32-1.0.5_py.zip

The developers' documentation now includes header dependency graphs.

    Brane


P.S.: The unofficial build with the ASP.NET fix is in http://www.xbc.nu/svn/.



Re: Subversion 1.0.5 released. *SECURITY FIX*

Posted by "Jostein Chr. Andersen" <jo...@josander.net>.
The Windows Installer made from */svn-win32-1.0.5.zip is here:

  http://subversion.tigris.org/files/documents/15/14089/svn-1.0.5-setup.exe

Jostein
