Subversion's mod_dav_svn is vulnerable to memory corruption

Summary:
========

While looking up path-based authorization rules, mod_dav_svn servers may
attempt to use memory which has already been freed.

Known vulnerable:
=================

Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive).

Servers that do not use mod_dav_svn are not affected.

Known fixed:
============

Subversion httpd servers 1.14.2.
Subversion httpd servers 1.10.8.

Details:
========

Server modules for Apache HTTP server (httpd), such as mod_dav_svn,
implement several hooks that httpd calls at various times. One of these,
post_config, may be called more than once during module initialization.
The number of calls and the purpose of each call depend on whether the
module is loaded at httpd startup or during a later reload of httpd's
configuration.

When httpd loads a module at startup, it performs a configuration check,
at which time it calls the module's post_config hook for validation
purposes. Later, httpd calls the hook again; this is the "real"
initialization call. In contrast, when httpd loads a module at a later
stage, due to reloading its own configuration, it calls the post_config
hook only once.

In vulnerable versions of Subversion, the post_config hook implementation
does not take these semantics into account. As a result, it always treats
the first call as the "real" call and performs initialization, including
caching of pointers which are used later. When the call is in fact for
validation only, those pointers subsequently become invalid when the
memory allocation pools into which they point are cleared. Subsequent
operations on the freed (and possibly reused) memory may lead to a
segfault crash.

The affected pointers are used by Subversion when serving requests which
require a lookup of path-based authorization (authz) rules. However, even
servers which do not make use of authz should be upgraded.
The invalid pointers are always present in the running program and could
be abused via other unknown attack vectors.

Severity:
=========

CVSSv3.1 Base Score: 7.5 (High)
CVSSv3.1 Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitation results in denial of service by crashing the HTTPD worker
handling the request. The impact of this differs depending on how the
Apache HTTPD server is configured, including the choice of MPM
(Multi-Processing Module). If the worker shares its memory address space
with the main thread, as is the case with e.g. the Event MPM, the entire
HTTPD server process will terminate. If the pre-fork MPM is used, the
worker will terminate but the HTTPD server will stay up, and service
availability will depend on how frequently the attacker is able to send
malicious requests which target the vulnerability.

Recommendations:
================

We recommend that all users upgrade to a known fixed release of the
Subversion server. Users who are unable to upgrade may apply the patch
included below.

References:
===========

CVE-2022-24070 (Subversion)
Bug 4880 (Subversion): https://issues.apache.org/jira/browse/SVN-4880
Bug 65861 (httpd): https://bz.apache.org/bugzilla/show_bug.cgi?id=65861
https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife

Reported by:
============

Thomas Weißschuh, cis-solutions.eu

Patch:
======

Patch against Subversion 1.14.1 and 1.10.7:

[[[
Index: subversion/libsvn_repos/authz.c
===================================================================
--- subversion/libsvn_repos/authz.c (revision 1894733)
+++ subversion/libsvn_repos/authz.c (revision 1894734)
@@ -130,6 +130,30 @@ static svn_object_pool__t *filtered_pool = NULL; static svn_atomic_t authz_pool_initialized = FALSE; +/* + * Ensure that we will initialize authz again if the pool which + * our authz caches depend on is cleared. + * + * HTTPD may run pre/post config hooks multiple times and clear + * its global configuration pool which our authz pools depend on. + * This happens in a non-threaded context during HTTPD's intialization + * and HTTPD's main loop, so it is safe to reset static variables here. + * (And any applications which cleared this pool while SVN threads + * were running would crash no matter what.) + * + * See issue #4880, "Use-after-free of object-pools in + * subversion/libsvn_repos/authz.c when used as httpd module" + */ +static apr_status_t +deinit_authz(void *data) +{ + /* The two object pools run their own cleanup handlers. */ + authz_pool = NULL; + filtered_pool = NULL; + authz_pool_initialized = FALSE; + return APR_SUCCESS; +} + /* Implements svn_atomic__err_init_func_t. */ static svn_error_t * synchronized_authz_initialize(void *baton, apr_pool_t *pool) @@ -143,6 +167,7 @@ SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool)); SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool)); + apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null); return SVN_NO_ERROR; } ]]]
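Review bot: the new comment block in the first hunk has a typo, "intialization" should read "initialization". The same comment would also be clearer if it said that APR runs pool cleanups in reverse registration order, so deinit_authz (registered after the two object pools are created in synchronized_authz_initialize) runs before their own cleanup handlers; that ordering is what the one-line "The two object pools run their own cleanup handlers" remark relies on, and spelling it out makes the NULL/FALSE assignments obviously safe for the next reader.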
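Review bot: in the second hunk the cleanup is registered only after both svn_object_pool__create calls have succeeded, so if the second call fails once the first has already stored authz_pool, the SVN_ERR early return leaves authz_pool pointing into `pool` with no cleanup registered to reset it. Registering the cleanup before the first create closes that window; deinit_authz only nulls the statics, so running it for a partially initialized state is harmless:
    apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
    SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
    SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));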
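The call sequence the Details section describes, as an added example that is not part of this advisory and not Subversion's or APR's code: a toy model of an APR-style pool (cleanups run last-registered first, allocations disappear together on clear) driven through httpd's two-call startup and one-call reload, once with the vulnerable "first call is the real call" assumption and once with the pool cleanup the patch adds. Every name in it (toy_pool, object_pool, the simulated post_config, simulate) is invented for the illustration, and cleared memory is poisoned rather than freed so that the read through the stale pointer stays well-defined and observable instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Toy model (invented here, not APR or Subversion code) of a memory pool:
 * allocations vanish together when the pool is cleared, and cleanups
 * registered on the pool run first, last-registered first, as APR does. */
#define MAX_CLEANUPS 8
#define POISON 0xDD             /* byte written over cleared allocations */
#define LIVE_MAGIC 0x5A5A5A5Au  /* marks an object that is still valid */
typedef void (*cleanup_fn)(void *data);

typedef struct toy_pool {
    unsigned arena[64];         /* backing store, bump-allocated in words */
    size_t used;
    cleanup_fn cleanups[MAX_CLEANUPS];
    void *cleanup_data[MAX_CLEANUPS];
    int n_cleanups;
} toy_pool;

static void *toy_palloc(toy_pool *p, size_t size)
{
    void *mem = p->arena + p->used;
    p->used += (size + sizeof(unsigned) - 1) / sizeof(unsigned);
    return mem;
}

static void toy_cleanup_register(toy_pool *p, void *data, cleanup_fn fn)
{
    p->cleanups[p->n_cleanups] = fn;
    p->cleanup_data[p->n_cleanups++] = data;
}

/* Real APR returns cleared memory to its allocator; here it is only poisoned,
 * so a later read through a stale pointer is well-defined and visibly wrong. */
static void toy_pool_clear(toy_pool *p)
{
    for (int i = p->n_cleanups - 1; i >= 0; i--)
        p->cleanups[i](p->cleanup_data[i]);
    p->n_cleanups = 0;
    memset(p->arena, POISON, p->used * sizeof(unsigned));
}

/* Stand-ins for svn_object_pool__t and the static cache in authz.c. */
typedef struct object_pool { unsigned magic; } object_pool;
static object_pool *authz_pool = NULL;
static int authz_pool_initialized = 0;
enum { AUTHZ_OK = 0, AUTHZ_NOT_INITIALIZED = 1, AUTHZ_STALE_POINTER = 2 };

/* The fix in spirit: forget the cached pointer when the pool it points into
 * is cleared, so that the next post_config call initializes again. */
static void deinit_authz(void *data)
{
    (void)data;
    authz_pool = NULL;
    authz_pool_initialized = 0;
}

/* Stand-in for the post_config hook: initialize once and cache a pointer
 * into the configuration pool; with_fix selects whether the cleanup is on. */
static void post_config(toy_pool *pconf, int with_fix)
{
    if (authz_pool_initialized)
        return;        /* the vulnerable assumption: the first call was real */
    authz_pool = toy_palloc(pconf, sizeof(*authz_pool));
    authz_pool->magic = LIVE_MAGIC;
    if (with_fix)
        toy_cleanup_register(pconf, NULL, deinit_authz);
    authz_pool_initialized = 1;
}

/* Stand-in for a request that needs an authz lookup: it trusts the cache. */
static int authz_lookup(void)
{
    if (authz_pool == NULL)
        return AUTHZ_NOT_INITIALIZED;
    return authz_pool->magic == LIVE_MAGIC ? AUTHZ_OK : AUTHZ_STALE_POINTER;
}

/* httpd startup as the advisory describes it: post_config for the config
 * check, config pool cleared, post_config again for real, then a request.
 * A reload (reload != 0) calls post_config once. Returns the lookup result. */
static int simulate(int with_fix, int reload)
{
    toy_pool pconf;
    int rc;
    memset(&pconf, 0, sizeof pconf);
    deinit_authz(NULL);                 /* fresh process state */
    post_config(&pconf, with_fix);
    if (!reload) {
        toy_pool_clear(&pconf);         /* the first call was only a check */
        post_config(&pconf, with_fix);  /* the "real" call */
    }
    rc = authz_lookup();
    toy_pool_clear(&pconf);             /* pconf torn down at process exit */
    return rc;
}

int main(void)
{
    printf("startup vulnerable=%d fixed=%d, reload vulnerable=%d\n",
           simulate(0, 0), simulate(1, 0), simulate(0, 1));
    return 0;
}
```

The vulnerable startup path returns AUTHZ_STALE_POINTER because the second post_config call sees authz_pool_initialized still set and skips reinitialization, leaving the request to read the object that was cleared with pconf; the fixed path returns AUTHZ_OK because the cleanup reset the statics during the clear, and the reload path returns AUTHZ_OK either way since post_config runs only once there, which is why the advisory singles out startup.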