You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Vincent Lefevre <vi...@vinc17.net> on 2020/04/07 20:00:27 UTC

location of .svn and security issues (was: Subversion fails to checkout new working set when $HOME is automounted)

On 2020-01-23 18:40:56 +0000, Daniel Shahaf wrote:
> Vincent Lefevre wrote on Thu, 23 Jan 2020 15:50 +0100:
> > On 2020-01-23 12:44:02 +0100, Joerg Wunsch wrote:
> > > If the automounter already yields ENOENT for the ../.svn directory
> > > probe, everything is not going to be a problem. I think the point here
> > > is the automounter (eventually, after "thinking" about it for about 1
> > > s) offers a successful stat() result for ../.svn (probably because
> > > that directory *might be* a possible mount point for the automounter)
> > > but then yields EIO when trying to access anything within that
> > > ficticous directory (because nothing is actually mounted there).  
> > 
> > Do you mean that Subversion tries to go higher in the hierarchy
> > without checking the owner of the directory? If it does, this is
> > a security issue.
> 
> How so?  What's the attacker model?  What can someone leverage this
> feature of Subversion to do that they couldn't do without it?

I don't know all the various possibilities, but there's at least a
denial of service:

zira:/tmp> mkdir vinc17
zira:/tmp> cd vinc17
zira:/tmp/vinc17> svn co file:///home/vinc17/repos wc
svn: E200030: sqlite[S1]: no such table: wcroot
zira:/tmp/vinc17[1]>

That's with an attacker who creates a .svn directory in /tmp and
an empty wc.db file in it.

On systems without symlink restriction in world-writable directories,
I was wondering whether there could be a way to create files in the
user's home directory. My attempt yielded a sqlite error because
O_NOFOLLOW was used, which is a good thing.

But I'm also wondering whether there could be some leak in wc.db
in case the user does a "svn up" from a wrong directory (such as
/tmp/vinc17 above, with an attacker creating a .svn directory in
/tmp with a URL of a private repository belonging to the user).
A small error like this should never become a security issue.

-- 
Vincent Lefèvre <vi...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)