Remotely triggerable heap overflow and out-of-bounds read caused by integer overflow in the svn:// protocol parser. Summary: ======== Subversion servers and clients are vulnerable to a remotely triggerable heap-based buffer overflow and out-of-bounds read caused by an integer overflow in the svn:// protocol parser. This allows remote attackers to cause a denial of service or possibly execute arbitrary code under the context of the targeted process. Known vulnerable: ================= Subversion 1.9.0 through 1.9.2 (inclusive) Only servers and clients using svn:// protocol are vulnerable Subversion httpd servers and clients (any version) are not vulnerable Known fixed: ============ Subversion 1.9.3 Details: ======== The svnserve svn:// protocol strings are sent as a length followed by the string data. The protocol parsing logic contains a flaw that allows an attacker to write memory past the end of a heap buffer with a specially crafted request that causes an arithmetic overflow. Since the flaw is in the parsing of the protocol, exploiting this vulnerability against an svnserve server does not require authentication from the remote attacker. The parsing code with the flaw is shared by both the svnserve server and clients using the svn://, svn+ssh:// and other tunneled svn+*:// methods. Severity: ========= CVSSv2 Base Score: 9 CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C We consider this to be a high risk vulnerability. An exploit exists and has been tested to work against this vulnerability. The denial of service attack is reasonably easy to carry out, while exploiting the heap overflow is more difficult, depending upon how skilled the attacker is and upon the specifics of the platform. We do not believe the exploit is being actively used in the wild at this time. Recommendations: ================ We recommend all users of Subversion 1.9.x to upgrade to Subversion 1.9.3. Users of Subversion 1.9.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html No workaround is available. References: =========== CVE-2015-5259 (Subversion) Reported by: ============ Ivan Zhakov, VisualSVN Patches: ======== Patch for Subversion 1.9.2: [[[ Index: subversion/libsvn_ra_svn/marshal.c =================================================================== --- subversion/libsvn_ra_svn/marshal.c (revision 1714391) +++ subversion/libsvn_ra_svn/marshal.c (working copy) @@ -944,6 +944,7 @@ apr_size_t len = (apr_size_t)len64; apr_size_t readbuf_len; char *dest; + apr_size_t buflen; /* We can't store strings longer than the maximum size of apr_size_t, * so check for wrapping */ @@ -951,8 +952,9 @@ return svn_error_create(SVN_ERR_RA_SVN_MALFORMED_DATA, NULL, _("String length larger than maximum")); + buflen = conn->read_end - conn->read_ptr; /* Shorter strings can be copied directly from the read buffer. */ - if (conn->read_ptr + len <= conn->read_end) + if (len <= buflen) { item->kind = SVN_RA_SVN_STRING; item->u.string = svn_string_ncreate(conn->read_ptr, len, pool); ]]]