Bug 1205134 (CVE-2015-0202)

Summary:
========

  Subversion's mod_dav_svn Apache HTTPD server module may use excessive
  amounts of memory when processing REPORT requests that require traversing
  through a large number of FSFS repository nodes (files and directories).

  This can lead to a DoS.  There are no known instances of this problem
  being observed in the wild, but an exploit has been tested.

Details:
========

  Subversion FSFS repositories cache different types of data for performance
  reasons.  An FSFS repository filesystem is structured as a direct acyclic
  graph (DAG), and it has a special cache for the DAG nodes.  Subversion 1.8.0
  added an additional level of caching for the DAG nodes, and the excessive
  memory use is a consequence of the cached nodes not being deallocated in
  a timely manner.

  HTTPD Server and Subversion use memory pools for allocations.  Certain
  REPORT requests can trigger a state when the cache keeps allocating new
  elements from a pool, but the previously allocated elements are not being
  deallocated.  This memory will be reclaimed eventually (once the request
  finishes or when the cache leaves the inappropriate state), but multiple
  parallel requests might ultimately exhaust all the available memory on the
  server.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.  Repositories which
  allow for anonymous reads will be vulnerable without authentication.
  Unfortunately, no special configuration is required and all mod_dav_svn
  servers with FSFS repositories are vulnerable.  Apache HTTPD servers that
  block potentially expensive requests via mod_dontdothat module have a
  smaller attack surface, but are still vulnerable.

  Actual memory consumption (per request) depends on the layout and size
  of the particular repository, but is potentially unbounded.  The impact
  of using this memory varies wildly based on operating system and httpd
  configuration.  Some operating systems may kill off processes or crash
  if too much memory is used.  The Apache HTTPD configuration option of
  MaxRequestsPerChild may restart a process after a certain number of
  requests and limit the impact of accidental exercise of this issue.
  However, a determined attacker could repeat the requests and mitigate
  any countermeasures.

Recommendations:
================

  There is no effective configuration that can mitigate the issue entirely
  however the use of ulimit (or the equivalent) to set memory limits for
  processes may help prevent the impact affecting other services running on
  the same machine.

Statement:

Not vulnerable. This issue did not affect the versions of subversion as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for additional level of caching for the DAG nodes, which cause excessive memory use due to the cached nodes not being deallocated in a timely manner.

Acknowledgements:

Red Hat would like to thank the Apache Software Foundation for reporting this issue. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter.