Subversion HTTP servers 1.7.0 to 1.7.8 (inclusive) are vulnerable to a remotely triggerable segfault DoS vulnerability.

Summary:
========

Subversion's mod_dav_svn Apache HTTPD server module will crash when a log REPORT request receives a limit that is out of the allowed range. This can lead to a DoS.

There are no known instances of this problem being used as a DoS in the wild.

Known vulnerable:
=================

Subversion HTTPD servers 1.7.0 through 1.7.8 (inclusive)

Known fixed:
============

Subversion 1.7.9

svnserve (any version) is not vulnerable

Details:
========

The vulnerability can be triggered by a log REPORT request with a limit outside the allowed range. For example, where http://127.0.0.1:8080/repo is the root of a repository:

curl -X REPORT --data-binary @log_report 'http://127.0.0.1:8080/repo/!svn/bc/1/'

where a file named log_report exists with the following contents:

0 1 9223372036854775807

The limit is defined as an int, which is generally a 32-bit value. Prior to 1.7.0 such a request would have caused the limit to wrap and not necessarily reflect what the requestor intended. In 1.7.0 code was added to detect this and reject out-of-range values as errors. However, the error path ends up using a variable that has not been set, resulting in the segfault.

Severity:
=========

CVSSv2 Base Score: 5.0
CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

We consider this to be a medium risk vulnerability.

Configurations which allow anonymous read access to the repository will be vulnerable to this without authentication.

A remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the REPORT request from the attacker.
Recommendations:
================

We recommend that all users upgrade to Subversion 1.7.9. Users of Subversion 1.7.x who are unable to upgrade may apply the included patch.

New Subversion packages can be found at:
http://subversion.apache.org/packages.html

There is no httpd configuration that can counter this issue.

References:
===========

CVE-2013-1884 (Subversion)

Reported by:
============

Greg McMullin, Stefan Fuhrmann, Philip Martin & Ben Reser, WANdisco

Patches:
========

Patch against 1.7.8:

[[[ Index: subversion/mod_dav_svn/reports/log.c =================================================================== --- subversion/mod_dav_svn/reports/log.c (revision 1459527) +++ subversion/mod_dav_svn/reports/log.c (working copy) @@ -341,10 +341,9 @@ dav_svn__log_report(const dav_resource *resource, dav_xml_get_cdata(child, resource->pool, 1)); if (serr) { - derr = dav_svn__convert_err(serr, HTTP_BAD_REQUEST, + return dav_svn__convert_err(serr, HTTP_BAD_REQUEST, "Malformed CDATA in element " "\"limit\"", resource->pool); - goto cleanup; } } else if (strcmp(child->name, "discover-changed-paths") == 0) ]]]
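Review bot: replacing `derr = dav_svn__convert_err(...); goto cleanup;` with a direct `return` fixes this path by never reaching the `cleanup` label, which is where the advisory says an unset variable gets used, but the hunk leaves no comment saying why this error must not go through `cleanup`; add one so a later tidy-up does not reintroduce the `goto`, and audit any other error exits in the same child-parsing loop (the `discover-changed-paths` branch that follows is the next candidate) for the same ordering problem, since anything that jumps to `cleanup` before the variables it releases are initialised has the identical bug.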
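As an added illustration of the range check described under Details and of the early-return shape the patch above adopts, here is hypothetical C (not mod_dav_svn's code): `parse_limit` rejects a limit that does not fit the server's int instead of letting it wrap, and `handle_log_report` shows why an error found during parsing must return before any `goto cleanup` that releases objects created only later.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the text of a <limit> element into the int the server uses. Anything
   that does not fit (e.g. 9223372036854775807) is rejected, which is the kind
   of check 1.7.0 added. Returns 0 on success, -1 when the value is rejected. */
int parse_limit(const char *cdata, int *limit)
{
    char *end;
    long long v;
    errno = 0;
    v = strtoll(cdata, &end, 10);
    if (end == cdata || *end != '\0' || errno == ERANGE)
        return -1;             /* not a number, trailing junk, or beyond long long */
    if (v < 0 || v > INT_MAX)
        return -1;             /* fits a long long but not a 32-bit int */
    *limit = (int)v;
    return 0;
}

/* The parsed limit, or -1 when it is rejected (helper for checks). */
int limit_or_minus_one(const char *cdata)
{
    int limit;
    return parse_limit(cdata, &limit) == 0 ? limit : -1;
}

/* Hypothetical stand-in for the report handler, returning an HTTP status.
   The vulnerable shape recorded the error and jumped to cleanup, which touched
   state created only after parsing; the patched shape returns first. */
int handle_log_report(const char *limit_cdata)
{
    char *output = NULL;       /* response buffer, created only after validation */
    int limit, status = 200;
    if (parse_limit(limit_cdata, &limit) != 0)
        return 400;            /* HTTP_BAD_REQUEST: nothing allocated yet, no cleanup */
    output = malloc(64);       /* stands in for the response stream */
    if (output == NULL) {
        status = 500;
        goto cleanup;
    }
    snprintf(output, 64, "limit=%d\n", limit);
cleanup:
    if (output != NULL)        /* cleanup only releases what it actually created */
        free(output);
    return status;
}
```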