Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive) are vulnerable to a remotely triggerable NULL-pointer dereference. Summary: ======== Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if a lock token is sent in a HTTP request by a Subversion client which has not authenticated to the server. This can lead to a DoS (an exploit has been tested). Known vulnerable: ================= Subversion HTTPD servers <= 1.6.15 Subversion HTTPD servers <= 1.5.9 Known fixed: ============ Subversion 1.6.16 svnserve (any version) is not vulnerable. Details: ======== Subversion requires an authenticated user name when a lock on a file is obtained by a client, e.g. when a user runs the 'svn lock' command. If a client is not authenticated and sends a lock token in a request, a call to the svn_fs_get_access() function will return a NULL pointer instead of a pointer to an svn_fs_access_t object. Due to a programming error the mod_dav_svn server module failed to validate this pointer variable before dereferencing it. This bug only applies to httpd-based Subversion servers which allow anonymous read access. If the server requires authentication for read-only operations, it is not vulnerable to this bug. Severity: ========= A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Recommendations: ================ We recommend all users to upgrade to Subversion 1.6.16. Users of Subversion 1.5.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html References: =========== CVE-2011-0715 (Subversion) Reported by: ============ Philip Martin, WANdisco, Inc. Patches: ======== This patch applies to Subversion 1.6.x (apply with patch -p0 < patchfile): [[[ Index: subversion/mod_dav_svn/version.c =================================================================== --- subversion/mod_dav_svn/version.c (revision 1071565) +++ subversion/mod_dav_svn/version.c (working copy) @@ -1172,11 +1172,13 @@ dav_svn__push_locks(dav_resource *resource, svn_error_t *serr; serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs); - if (serr) + if (serr || !fsaccess) { /* If an authenticated user name was attached to the request, then dav_svn_get_resource() should have already noticed and created an fs_access_t in the filesystem. */ + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token(s) in request, but " "missing an user name", HTTP_BAD_REQUEST, resource->info->r); Index: subversion/mod_dav_svn/repos.c =================================================================== --- subversion/mod_dav_svn/repos.c (revision 1071565) +++ subversion/mod_dav_svn/repos.c (working copy) @@ -1923,8 +1923,10 @@ get_resource(request_rec *r, dav_locktoken_list *list = ltl; serr = svn_fs_get_access(&access_ctx, repos->fs); - if (serr) + if (serr || !access_ctx) { + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token is in request, " "but no user name", HTTP_BAD_REQUEST, r); ]]] This patch applies to Subversion 1.5.x: [[[ Index: subversion/mod_dav_svn/version.c =================================================================== --- subversion/mod_dav_svn/version.c (revision 1071565) +++ subversion/mod_dav_svn/version.c (working copy) @@ -1155,11 +1155,13 @@ dav_svn__push_locks(dav_resource *resource, svn_error_t *serr; serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs); - if (serr) + if (serr || !fsaccess) { /* If an authenticated user name was attached to the request, then dav_svn_get_resource() should have already noticed and created an fs_access_t in the filesystem. */ + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token(s) in request, but " "missing an user name", HTTP_BAD_REQUEST, resource->info->r); Index: subversion/mod_dav_svn/repos.c =================================================================== --- subversion/mod_dav_svn/repos.c (revision 1071565) +++ subversion/mod_dav_svn/repos.c (working copy) @@ -1773,8 +1773,10 @@ get_resource(request_rec *r, dav_locktoken_list *list = ltl; serr = svn_fs_get_access(&access_ctx, repos->fs); - if (serr) + if (serr || !access_ctx) { + if (serr == NULL) + serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); return dav_svn__sanitize_error(serr, "Lock token is in request, " "but no user name", HTTP_BAD_REQUEST, r); ]]]