oss-sec mailing list archives

Re: CVE request for subversion

From: Hyrum Wright <hwright () apache org>
Date: Tue, 4 Jan 2011 10:19:39 -0500

On Tue, Jan 4, 2011 at 10:02 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:

Hello Kurt, Josh, vendors,

Josh Bressers wrote:


----- Original Message -----


Unspecified vulnerability in the server component in Apache Subversion
1.6.x before 1.6.15 allows remote attackers to cause a denial of
service via unknown vectors, related to a "several bug fixes,
including two which can cause client-initiated crashes on the server."

[1] http://svn.haxx.se/dev/archive-2010-11/0475.shtml


 Cc-ed Hyrum to shed more light into this one. [1] mentions two issues:
<begin quote>
...
several bug fixes, including two which can cause client-initiated
crashes on the server.
</end quote>

Further look at:
[2] http://svn.apache.org/repos/asf/subversion/tags/1.6.15/CHANGES

suggest:

A, "* prevent crash in mod_dav_svn when using SVNParentPath (r1033166)"
being the first one.
  Upstream changeset:
  http://svn.apache.org/viewvc?view=revision&revision=1033166

and after discussion with Joe Orton, Joe suggested:

B, * fix server-side memory leaks triggered by 'blame -g' (r1032808)
  References:
  http://svn.haxx.se/dev/archive-2010-11/0102.shtml
  Upstream changeset:
  http://svn.apache.org/viewvc?view=revision&revision=1032808

  being the second one as denial of service attack (by memory consumption)
against
  svnserve.

Questions:
----------
Hyrum, could you confirm A, and B, issues are those two, mentioned in [2]
to be able to cause client-initiated crashes on the server?


I can confirm that A and B are the two issues mentioned in [2].

I admit, this isn't obvious, so let's use CVE-2010-4539 for now.
We can split it if needed once more information is known.


Josh, since CVE-2010-4539 was assigned. Once Hyrum confirms, can
we consider CVE-2010-4539 to be a CVE identifier for A, issue
and request yet another / second one for B, issue?


We didn't initially reserve CVEs for these vulnerabilities, but will
be happy to update our documentation to reflect them.  (See
http://subversion.apache.org/security/ )   The two issues really are
orthogonal, so B should probably  not be included in a CVE for A.

I've CC'd dev () subversion apache org to help coordinate advisory authoring.

-Hyrum

Current thread:

CVE request for subversion Kurt Seifried (Jan 02)
- Re: CVE request for subversion Josh Bressers (Jan 03)
  - Re: CVE request for subversion Jan Lieskovsky (Jan 04)
    - Re: CVE request for subversion Hyrum Wright (Jan 04)
    - Re: CVE request for subversion Josh Bressers (Jan 05)
    - Re: CVE request for subversion Hyrum K Wright (Jan 08)
    - Re: CVE request for subversion Kurt Seifried (Jan 08)