Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies. Summary: ======== Subversion's httpd servers are vulnerable to a remotely triggerable heap-based buffer overflow and out-of-bounds read caused by an integer overflow when parsing skel-encoded request bodies. This allows remote attackers with write access to a repository to cause a denial of service or possibly execute arbitrary code under the context of the httpd process. 32-bit server versions are vulnerable to both the denial-of-service attack and possible arbitrary code execution. 64-bit server versions are only vulnerable to the denial-of-service attack. Known vulnerable: ================= Subversion httpd servers 1.7.0 to 1.8.14 (inclusive) Subversion httpd servers 1.9.0 through 1.9.2 (inclusive) Subversion svnserve servers (any version) are not vulnerable Known fixed: ============ Subversion 1.8.15 Subversion 1.9.3 Details: ======== The Subversion http://-based protocol used for communicating with a Subversion mod_dav_svn server has two versions, v1 and v2. The v2 protocol was added in Subversion 1.7.0. As a part of the commit happening over v2 protocol, the client sends a POST request with the request body containing data encoded in a special `skeleton' (or `skel') format. The parser of skel-encoded request bodies in mod_dav_svn contains a flaw that allows the attacker to write memory past the end of a heap buffer with a specially crafted request that causes an arithmetic overflow in 32-bit server versions. 64-bit server versions are not vulnerable to the heap-based buffer overflow, but can be forced into allocating huge amounts of memory, thus, the successful attack on them would cause denial-of-service conditions. Exploiting this vulnerability requires the attacker to be authenticated and to have write access to a repository on the targeted server. Severity: ========= CVSSv2 Base Score: 4.6 CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P We consider this to be a medium risk vulnerability. In order to take advantage of this attack the attacker would require write access to the repository. Most configurations require authentication to commit changes and so anonymous users would not be able to use this attack in these cases. With the write access, the denial of service attack is reasonably easy to carry out, while exploiting the heap overflow is more difficult, depending upon how skilled the attacker is and upon the specifics of the platform. In case of the denial of service attack, a remote attacker may be able to crash a Subversion server. Many Apache servers will respawn the listener processes, but a determined attacker will be able to crash these processes as they appear, denying service to legitimate users. Servers using threaded MPMs will close the connection on other clients being served by the same process that services the request from the attacker. In either case there is an increased processing impact of restarting a process and the cost of per process caches being lost. Recommendations: ================ We recommend all users to upgrade to Subversion 1.9.3. Users of Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html No workaround is available. References: =========== CVE-2015-5343 (Subversion) Reported by: ============ Ivan Zhakov, VisualSVN Patches: ======== Patch for Subversion 1.8.14: [[[ Index: subversion/mod_dav_svn/util.c =================================================================== --- subversion/mod_dav_svn/util.c (revision 1714525) +++ subversion/mod_dav_svn/util.c (working copy) @@ -778,7 +778,12 @@ if (content_length) { - buf = svn_stringbuf_create_ensure(content_length, pool); + /* Do not allocate more than 1 MB until we receive request body. */ + apr_size_t alloc_len = 1 * 1024 *1024; + if (content_length < alloc_len) + alloc_len = (apr_size_t) content_length; + + buf = svn_stringbuf_create_ensure(alloc_len, pool); } else { ]]] Patch for Subversion 1.9.2: [[[ Index: subversion/mod_dav_svn/util.c =================================================================== --- subversion/mod_dav_svn/util.c (revision 1714391) +++ subversion/mod_dav_svn/util.c (working copy) @@ -775,7 +775,12 @@ if (content_length) { - buf = svn_stringbuf_create_ensure(content_length, pool); + /* Do not allocate more than 1 MB until we receive request body. */ + apr_size_t alloc_len = 1 * 1024 *1024; + if (content_length < alloc_len) + alloc_len = (apr_size_t) content_length; + + buf = svn_stringbuf_create_ensure(alloc_len, pool); } else { ]]]