#9599: subversion-1.9.7
-------------------------+-----------------------
 Reporter:  ken@…        |       Owner:  ken@…
     Type:  enhancement  |      Status:  assigned
 Priority:  high         |   Milestone:  8.1
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+-----------------------

Old description:

> Following on from git-2.14.1, subversion-1.9.7 has been released. I
> presume this fixes CVE-2017-9800 (no details at the moment).
>
> When I built 1.9.6 the other week I got a test failure in [023/109]
> locks-test:
> {{{
> FAIL:  lt-locks-test 14: lock/unlock when 'write-lock' couldn't be
> obtained
> }}}
>
> I suspect that one might be an issue with either gcc-7.1 or else newer
> headers, in which case it might repeat in this version.

New description:

 Following on from git-2.14.1, subversion-1.9.7 has been released. This
 fixes CVE-2017-9800, from
 [https://subversion.apache.org/security/CVE-2017-9800-advisory.txt] :
   Arbitrary code execution on clients through malicious svn+ssh URLs in
   svn:externals and svn:sync-from-url

 Summary:
 ========

   A Subversion client sometimes connects to URLs provided by the repository.
   This happens in two primary cases: during 'checkout', 'export', 'update', and
   'switch', when the tree being downloaded contains svn:externals properties;
   and when using 'svnsync sync' with one URL argument.

   A maliciously constructed svn+ssh:// URL would cause Subversion clients to
   run an arbitrary shell command.  Such a URL could be generated by a malicious
   server, by a malicious user committing to an honest server (to attack another
   user of that server's repositories), or by a proxy server.

   The vulnerability affects all clients, including those that use file://,
   http://, and plain (untunneled) svn://.

   An exploit has been tested.

 Known vulnerable:
 =================

   Subversion clients 1.0.0 through 1.8.18 (inclusive)
   Subversion clients 1.9.0 through 1.9.6 (inclusive)
   Subversion client 1.10.0-alpha3

   Subversion 1.10.0-alpha1 and 1.10.0-alpha2 are vulnerable,
   however, were never publicly released.

 Known fixed:
 ============

   Subversion 1.8.19
   Subversion 1.9.7

   Patches are available for 1.9, 1.8, 1.6.  The patch for 1.9 applies
   to 1.10.0-alpha3 with an offset.  The patch for 1.8 applies to 1.7
   with an offset.

   Clients that do not have access to an ssh client, and have no custom tunnels
   configured in their runtime configuration area [1], are not vulnerable.

   Clients using Subversion's own runtime module loading for Repository Access
   (RA) modules are not vulnerable if the 'libsvn_ra_svn' module, which provides
   support for the svn+ssh:// and svn:// protocols, is removed.

   [1] http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html#svn.advanced.confarea.layout
       This link describes Subversion 1.7, but the description is correct for
       all other versions as well.

 Details:
 ========

   (see "Summary:" above)

 Severity:
 =========

   CVSSv3 Base Score: 9.9 (Critical)
   CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C


 When I built 1.9.6 the other week I got a test failure in [023/109] locks-test:
 {{{
 FAIL:  lt-locks-test 14: lock/unlock when 'write-lock' couldn't be obtained
 }}}

 I suspect that one might be an issue with either gcc-7.1 or else newer
 headers, in which case it might repeat in this version.

--
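The advisory quoted in the description says the dangerous code path is a client following a repository-supplied svn+ssh:// URL (or a custom svn+NAME:// tunnel from the [tunnels] section of the runtime configuration area), and that clients with no ssh client and no custom tunnels are not exposed. The following audit script is an added example, not part of the ticket, of BLFS, or of Subversion itself: it takes the text of an svn:externals property (as `svn propget svn:externals` prints it) plus a Subversion runtime config file, and lists every external that would be fetched through a tunnel, so an administrator can find such definitions before upgrading to 1.9.7. The config and externals texts below are constructed samples, and the hostnames in them are placeholders.

```python
"""Audit svn:externals definitions for tunneled (svn+ssh:// style) URLs.

Added example (not Subversion's own tooling). Reads an svn:externals
property value and a Subversion runtime config, and reports every external
whose URL would be fetched through a tunnel helper, which is the code path
the CVE-2017-9800 advisory describes as reachable from repository data.
"""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample of a runtime config (~/.subversion/config); only the
# [tunnels] section matters for this check.
SAMPLE_CONFIG = """
[tunnels]
# name = command to run; svn maps svn+NAME:// URLs to this program
rsh = /usr/bin/rsh
"""

# Constructed svn:externals value mixing the old (dir URL) format, the newer
# ([-rN] URL dir) format and a repository-relative (^/) URL.
SAMPLE_EXTERNALS = """
# comment line
vendor/lib    https://svn.example.org/repos/lib/trunk
-r 42 svn://svn.example.org/repos/tools tools
svn+ssh://svn.example.org/repos/secret private
docs  svn+rsh://host.example.org/repos/docs
^/trunk/shared shared
"""

REV_RE = re.compile(r"^-r\d+$")  # matches a pinned revision written as -rN


def tunnel_names(config_text):
    """Return the set of tunnel names the client would run a helper for.

    'ssh' is always present: libsvn_ra_svn provides svn+ssh:// support
    without any [tunnels] entry, as the advisory notes.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    names = {"ssh"}
    if cp.has_section("tunnels"):
        names.update(cp.options("tunnels"))  # configparser lowercases keys
    return names


def _looks_like_url(token):
    return "://" in token or token.startswith(("^/", "//", "/", "../"))


def parse_external(line):
    """Return (url, target_dir) for one svn:externals line, or None.

    Revision pins (-r N and -rN) are dropped; of the two remaining tokens the
    one that looks like a URL is the source, the other is the target directory.
    """
    cleaned = []
    skip_next = False
    for tok in line.split():
        if skip_next:
            skip_next = False
            continue
        if tok == "-r":
            skip_next = True
            continue
        if REV_RE.match(tok):
            continue
        cleaned.append(tok)
    if len(cleaned) != 2:
        return None
    first, second = cleaned
    if _looks_like_url(first):
        return first, second
    if _looks_like_url(second):
        return second, first
    return None


def audit_externals(externals_text, config_text):
    """Return [(target_dir, url, tunnel)] for externals fetched via a tunnel."""
    tunnels = tunnel_names(config_text)
    findings = []
    for raw in externals_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_external(line)
        if parsed is None:
            continue
        url, target = parsed
        scheme = urlsplit(url).scheme.lower()
        if scheme.startswith("svn+"):
            tunnel = scheme[len("svn+"):]
            if tunnel in tunnels:
                findings.append((target, url, tunnel))
    return findings


if __name__ == "__main__":
    for target, url, tunnel in audit_externals(SAMPLE_EXTERNALS, SAMPLE_CONFIG):
        print(f"{target}: {url} (tunnel '{tunnel}')")
```

Run against a real working copy with `svn propget -R svn:externals . | python3 -c '...'` style plumbing, or by reading the property output into `audit_externals`; an empty result together with no custom tunnels in the config is the condition the advisory describes as not vulnerable. Only svn+NAME:// schemes that actually map to a tunnel are reported, so a svn+rsh:// external on a client without an `rsh` tunnel entry is correctly left out.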

Comment (by ken@…):

 Actually, that lock test also fails on BLFS-8.0 on my server.

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9599#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch