Malicious SVN clients can crash mod_dav_svn.

Summary:
========

Malicious SVN clients can trigger a crash in mod_dav_svn by omitting the root path from a recursive directory listing request.

Known vulnerable:
=================

Subversion 1.10.0 up to, and including, 1.10.3.
Subversion 1.11.0.

Known fixed:
============

Subversion 1.10.4.
Subversion 1.11.1.

Details:
========

Subversion 1.10.0 introduced server-side support for recursive directory listing operations. The implementation in mod_dav_svn failed to validate the root path of the directory listing provided by the client. If the client omits the root path, mod_dav_svn will dereference an uninitialized pointer variable and crash the HTTPD worker process handling the request.

Severity:
=========

CVSSv3 Base Score: 5.3 (Medium)
CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Subversion servers that use the HTTP protocol and allow anonymous read access are vulnerable to an unauthenticated denial of service attack. If read access requires authentication, a denial of service attack can only be performed by an authenticated user.

Recommendations:
================

We recommend that all users upgrade to Subversion 1.10.4 or 1.11.1.

References:
===========

CVE-2018-11803

Reported by:
============

Ivan Zhakov

Patches:
========

Patch for Subversion 1.11.0:
[[[ Index: subversion/mod_dav_svn/reports/list.c =================================================================== --- subversion/mod_dav_svn/reports/list.c (revision 1829240) +++ subversion/mod_dav_svn/reports/list.c (working copy) @@ -201,7 +201,7 @@ dav_svn__authz_read_baton arb; const dav_svn_repos *repos = resource->info->repos; int ns; - const char *full_path; + const char *full_path = NULL; svn_boolean_t path_info_only; svn_fs_root_t *root; svn_depth_t depth = svn_depth_unknown; 
@@ -280,6 +280,12 @@ /* else unknown element; skip it */ } + if (! full_path) + { + return dav_svn__new_error_svn(resource->pool, HTTP_BAD_REQUEST, 0, 0, + "Request was missing the path argument"); + } + /* Build authz read baton */ arb.r = resource->info->r; arb.repos = resource->info->repos; ]]] Patch for Subversion 1.10.3: [[[ Index: subversion/mod_dav_svn/reports/list.c =================================================================== --- subversion/mod_dav_svn/reports/list.c (revision 1829240) +++ subversion/mod_dav_svn/reports/list.c (working copy) @@ -201,7 +201,7 @@ dav_svn__authz_read_baton arb; const dav_svn_repos *repos = resource->info->repos; int ns; - const char *full_path; + const char *full_path = NULL; svn_boolean_t path_info_only; svn_fs_root_t *root; svn_depth_t depth = svn_depth_unknown; @@ -280,6 +280,12 @@ /* else unknown element; skip it */ } + if (! full_path) + { + return dav_svn__new_error_svn(resource->pool, HTTP_BAD_REQUEST, 0, 0, + "Request was missing the path argument"); + } + /* Build authz read baton */ arb.r = resource->info->r; arb.repos = resource->info->repos; ]]]
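Review bot: In the @@ -201,7 hunk (identical in the 1.11.0 and 1.10.3 patches), `path_info_only` and `root` are still declared without initializers directly below the fixed `full_path`. If either is assigned only while parsing client-supplied elements, it has the same exposure as `full_path` had; please confirm both are set unconditionally before use, or give them defined initial values in this same change.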
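Review bot: In the @@ -280,6 hunk (identical in both patches), the new `if (! full_path)` block carries no comment saying that the path comes from the client and may be absent, which is the whole reason for the check; a one-line comment there would keep a later refactor from removing it. The patch also touches only subversion/mod_dav_svn/reports/list.c, so nothing shown here exercises a request with the path omitted; a regression test asserting the HTTP_BAD_REQUEST response would be worth adding alongside.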