Posted to users@subversion.apache.org by Boris Lytochkin <ly...@yandex-team.ru> on 2013/05/15 12:08:57 UTC

svnserve DoS attack (1.7.8)

Hi.

It is possible to force the svnserve daemon to exit using a trivial (and valid) TCP session:
14:04:18.277961 IP6 fdef::1.34130 > fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690: Flags [S], seq 3296066821, win 17880, options [mss 1220,nop,nop,sackOK,nop,wscale 7], length 0
14:04:18.278001 IP6 fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690 > fdef::1.34130: Flags [S.], seq 2136980559, ack 3296066822, win 65535, options [mss 1220,nop,wscale 6,sackOK,eol], length 0
14:04:18.278081 IP6 fdef::1.34130 > fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690: Flags [.], ack 1, win 140, length 0
14:04:18.278112 IP6 fdef::1.34130 > fd87:e01f:53ee:1203:6672:6565:57fa:eb29.3690: Flags [R.], seq 1, ack 1, win 140, length 0

There is a possibility that apr_socket_accept() will return ECONNABORTED for such a connection attempt.
[16:03:57]:
/usr/ports/devel/subversion/work/subversion-1.7.8/subversion/svn>/usr/local/bin/svnserve --foreground -d -R -r /home/freebsd-svn
svnserve: E000053: Can't accept client connection: Software caused connection abort
[16:30:01]:

A patch against this situation is trivial enough:
--- subversion/svnserve/main.c~ 2012-10-16 08:03:13.000000000 +0400
+++ subversion/svnserve/main.c  2013-05-15 13:51:13.887976422 +0400
@@ -928,7 +928,7 @@
                                           connection_pool) == APR_CHILD_DONE)
              ;
          }
-      if (APR_STATUS_IS_EINTR(status))
+      if (APR_STATUS_IS_EINTR(status) || APR_STATUS_IS_ECONNABORTED(status))
          {
            svn_pool_destroy(connection_pool);
            continue;
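Review bot: the widened condition on the `if (APR_STATUS_IS_EINTR(status) || APR_STATUS_IS_ECONNABORTED(status))` line covers the reported case, but every other apr_socket_accept() failure still falls through to the existing error path that, per the report, makes svnserve exit; it is worth checking whether other per-connection errors accept can surface (as opposed to errors on the listening socket itself) deserve the same destroy-pool-and-continue treatment. A one-line comment above the condition explaining that ECONNABORTED is expected when the peer resets between the kernel completing the handshake and the accept() call, as the SYN / SYN-ACK / ACK / RST trace in the report shows, would keep the reason from being lost.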


P.S. This e-mail must be treated as a VALIDATION e-mail per the http://subversion.apache.org/reporting-issues.html bug reporting guide.

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671
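As an added illustration, not svnserve's own code and using plain POSIX sockets instead of APR: the accept-loop decision the patch above makes, written as a classifier so the pre-fix behaviour (retry only on EINTR) and the fixed behaviour (also retry on ECONNABORTED) can be compared and checked. The names classify_accept_error, accept_loop and noop_handler are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the listener should do after accept(2) fails with a given errno. */
enum accept_verdict { ACCEPT_RETRY, ACCEPT_FATAL };

/* Pre-fix svnserve retried only on EINTR, so ECONNABORTED reached the fatal
 * path and the daemon exited.  ECONNABORTED means the peer reset the
 * connection after the kernel completed the handshake but before accept()
 * ran (the SYN / SYN-ACK / ACK / RST trace in the report): a per-connection
 * event, not a fault of the listening socket, so the loop must carry on. */
enum accept_verdict classify_accept_error(int err)
{
    switch (err) {
    case EINTR:          /* interrupted by a signal: retry */
    case ECONNABORTED:   /* peer reset before accept(): retry */
        return ACCEPT_RETRY;
    default:             /* EBADF, EINVAL, ENOTSOCK ...: listener is broken */
        return ACCEPT_FATAL;
    }
}

/* Accept loop.  Returns the number of clients handled once max_conns is
 * reached, or -1 if accept() failed with an error classified as fatal. */
int accept_loop(int listen_fd, int max_conns, void (*handle)(int))
{
    int handled = 0;
    while (handled < max_conns) {
        int client = accept(listen_fd, NULL, NULL);
        if (client < 0) {
            if (classify_accept_error(errno) == ACCEPT_RETRY)
                continue;              /* drop this one, keep serving */
            fprintf(stderr, "accept: %s\n", strerror(errno));
            return -1;
        }
        handle(client);
        close(client);
        handled++;
    }
    return handled;
}

/* Trivial connection handler used by the checks. */
void noop_handler(int fd) { (void)fd; }
```

Passing an invalid descriptor to accept_loop yields EBADF, which is correctly fatal; the RST-before-accept case yields ECONNABORTED, which is correctly retried.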


Re: svnserve DoS attack (1.7.8)

Posted by Daniel Shahaf <da...@apache.org>.
On Sun, May 19, 2013 at 11:18:49AM +0200, Stefan Sperling wrote:
> On Wed, May 15, 2013 at 02:08:57PM +0400, Boris Lytochkin wrote:
> > It is possible to force the svnserve daemon to exit using a trivial (and valid) TCP session:
> 
> Thanks for your bug report and patch, Boris.
> We'll release updates soon that include a fix for this issue.
> 

For the record, the fix will be included in 1.6.22, 1.7.9, 1.8.0-rc3, 1.8.0.

> Our guidelines for reporting security issues are here:
> http://subversion.apache.org/security/

This issue has been assigned the identifier CVE-2013-2112.  It will be added to
the public list in due course.

Re: svnserve DoS attack (1.7.8)

Posted by Daniel Shahaf <da...@apache.org>.
On Sun, May 19, 2013 at 11:18:49AM +0200, Stefan Sperling wrote:
> In the future, please report security problems to the security@ list.
> I've just noticed that security@ is not listed on our mailing-lists.html
> page. I'll try to fix that ASAP.

Boris indicates he just did what the Big Yellow Box in
http://subversion.apache.org/reporting-issues instructed him to; I think we
have to update that page too, not only the /mailing-lists page.

Re: svnserve DoS attack (1.7.8)

Posted by Stefan Sperling <st...@elego.de>.
On Wed, May 15, 2013 at 02:08:57PM +0400, Boris Lytochkin wrote:
> It is possible to force the svnserve daemon to exit using a trivial (and valid) TCP session:

Thanks for your bug report and patch, Boris.
We'll release updates soon that include a fix for this issue.

In the future, please report security problems to the security@ list.
I've just noticed that security@ is not listed on our mailing-lists.html
page. I'll try to fix that ASAP.

Our guidelines for reporting security issues are here:
http://subversion.apache.org/security/

Thanks again!