mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits.
Summary:
========
When SVNAutoversioning is enabled via
  SVNAutoversioning on
commits can be made by single HTTP requests such as MKCOL and
PUT. If Subversion is built with assertions enabled, any such
request that has a non-canonical URL, such as a URL with a
trailing /, may trigger an assert. A failed assert causes the
Apache process to abort.
Known vulnerable:
=================
mod_dav_svn 1.7.11 through 1.7.13
mod_dav_svn 1.8.1 through 1.8.4
Known fixed:
============
mod_dav_svn 1.7.14
mod_dav_svn 1.8.5
Details:
========
Given a repository located at http://example.com/repos the assert can
be triggered by commands like:
curl -X PUT http://example.com/repos/A/
curl -X MKCOL http://example.com/repos/A/../B
The assert happens after the commit has happened in the repository
and will not occur if the commit is rejected.
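The advisory describes the trigger as a write request whose URL path is not in canonical form (trailing "/", ".." segments). The following is an added example, not Subversion's own code: it approximates the canonical form that the fix enforces (no trailing slash, no empty or "." segments, ".." resolved) and runs that check over httpd access-log lines so an administrator can see whether such requests reached an autoversioning-enabled server. The log lines, client addresses and user names are constructed samples; the regular expression assumes the common-log request-line format.

```python
"""Flag WebDAV write requests whose URL path is non-canonical.

Added example for the mod_dav_svn advisory; it is not Subversion code.
canonicalize_path() is a simplified approximation of the canonical URL
path form (svn_urlpath__canonicalize() in Subversion also handles
scheme, host and percent-encoding, which are ignored here).
"""
import re
from typing import List, Tuple

# WebDAV methods that create or modify a resource; under SVNAutoversioning
# each of these is a single-request commit.
WRITE_METHODS = {"PUT", "MKCOL", "COPY", "MOVE", "DELETE", "PROPPATCH"}

# Matches the request line inside an httpd common/combined log entry
# (assumption: the log uses the default "%r" request format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def canonicalize_path(path: str) -> str:
    """Return the canonical form of an absolute URL path.

    Canonical here means: leading '/', no trailing '/', no empty or '.'
    segments, and '..' resolved without climbing above the root.
    """
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_canonical(path: str) -> bool:
    """True if the path is already in canonical form."""
    return path == canonicalize_path(path)


def flag_noncanonical_writes(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (method, raw_path, canonical_path) for every write request
    whose path is non-canonical. Read-only methods and canonical paths
    are ignored; the query string is not part of the path check."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        method, target = m.group("method"), m.group("target")
        if method not in WRITE_METHODS:
            continue
        path = target.split("?", 1)[0]
        if not is_canonical(path):
            findings.append((method, path, canonicalize_path(path)))
    return findings


# Constructed sample log lines (not real traffic). The first two mirror
# the curl commands quoted in the advisory; the last adds a doubled slash.
SAMPLE_LOG = [
    '192.0.2.10 - alice [12/Nov/2013:10:00:01 +0000] "PUT /repos/A/ HTTP/1.1" 201 -',
    '192.0.2.10 - alice [12/Nov/2013:10:00:02 +0000] "MKCOL /repos/A/../B HTTP/1.1" 201 -',
    '192.0.2.11 - bob [12/Nov/2013:10:00:03 +0000] "PUT /repos/A/file.txt HTTP/1.1" 201 -',
    '192.0.2.11 - bob [12/Nov/2013:10:00:04 +0000] "GET /repos/A/ HTTP/1.1" 200 512',
    '192.0.2.12 - carol [12/Nov/2013:10:00:05 +0000] "MKCOL /repos//C HTTP/1.1" 201 -',
]

if __name__ == "__main__":
    for method, raw, canon in flag_noncanonical_writes(SAMPLE_LOG):
        print(f"{method} {raw!r} -> canonical {canon!r}")
```

Only write methods are reported, because a non-canonical GET never reaches the commit path the advisory describes. Matching the raw path before any canonicalization is the point: once the server normalizes the URL the evidence of the trigger is gone, so the check has to run on what the client actually sent.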
Severity:
=========
CVSSv2 Base Score: 3.5
CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
We consider this to be a low risk vulnerability.
The attacker needs to have commit access to the repository to
exploit the vulnerability.
Most Subversion servers do not have autoversioning enabled.
There is only an impact if assertions were enabled when mod_dav_svn was
built; if assertions are disabled there is no impact. Assertions are
enabled by default on *nix and disabled by default on Windows.
The failed assertion causes the http server process to abort. Apache httpd
servers using a prefork MPM will simply start a new process to replace
the process that died. Servers using a threaded MPM may be serving other
requests in the same process that the attack causes to die.
In either case there is the processing cost of restarting a process and
the loss of per-process caches.
Recommendations:
================
We recommend that all users upgrade mod_dav_svn to Subversion 1.8.5, 1.7.14,
or newer.
Disabling SVNAutoversioning will avoid the problem.
Building Subversion with assertions disabled will avoid the problem.
This can be done using the --disable-debug option to configure on *nix and
by using a Release build profile on Windows.
References:
===========
CVE-2013-4558 (Subversion)
Reported by:
============
Philip Martin, WANdisco
Patches:
========
Patch for Subversion 1.7.x and 1.8.x:
[[[
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c (revision 1539596)
+++ subversion/mod_dav_svn/repos.c (working copy)
@@ -2456,9 +2456,12 @@ get_parent_resource(const dav_resource *resource,
parent->info = parentinfo;
parentinfo->uri_path =
- svn_stringbuf_create(get_parent_path(resource->info->uri_path->data,
- TRUE, resource->pool),
- resource->pool);
+ svn_stringbuf_create(
+ get_parent_path(
+ svn_urlpath__canonicalize(resource->info->uri_path->data,
+ resource->pool),
+ TRUE, resource->pool),
+ resource->pool);
parentinfo->repos = resource->info->repos;
parentinfo->root = resource->info->root;
parentinfo->r = resource->info->r;
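Review bot: the canonicalization is applied only to the argument of get_parent_path(), so resource->info->uri_path itself keeps the non-canonical form the client sent, and any other consumer of uri_path in this file still sees a trailing "/" or ".." segment; consider canonicalizing once where uri_path is first built so the parent computation and every later use agree. Also, svn_urlpath__canonicalize() is a double-underscore (library-private) function being called from mod_dav_svn; if that cross-module use is intentional it deserves a comment, and the two trigger cases the advisory quotes (trailing "/" and "/../") are worth a regression test alongside this change.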
]]]