Bug 1479686 (CVE-2017-9800)

Summary: CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: cperry, jorton, kbost, security-response-team, slawomir, vanmeeuwen+fedora
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: subversion 1.8.18, subversion 1.9.7
Doc Text:
A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit.
Last Closed: 2017-08-16 09:24:35 UTC
Bug Depends On: 1479734, 1479735, 1480335    
Bug Blocks: 1479687    

Description Andrej Nemec 2017-08-09 07:54:46 UTC
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
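
An added example, not part of the bug report and not Subversion's own code: a Python audit helper that scans an svn:externals property value and reports svn+ssh URLs whose user/host/port part falls outside a strict allow-list, so such definitions can be reviewed before a client follows them. The allow-list pattern, the function name and the sample property value are assumptions constructed for illustration; installing the fixed versions remains the remedy.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list for the authority part of an svn+ssh URL:
# optional user@, then a hostname/IPv4 or bracketed IPv6, then optional :port.
# User and host must each start with an alphanumeric character.
SAFE_HOSTINFO = re.compile(
    r"^(?:[A-Za-z0-9][A-Za-z0-9._-]*@)?"   # optional user
    r"(?:[A-Za-z0-9][A-Za-z0-9._-]*"       # hostname or IPv4 address
    r"|\[[0-9A-Fa-f:.]+\])"                # or bracketed IPv6 address
    r"(?::[0-9]{1,5})?$"                   # optional port
)

def suspicious_externals(propval):
    """Return [(line_no, url)] for svn+ssh URLs failing the allow-list."""
    findings = []
    for line_no, line in enumerate(propval.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for token in line.split():
            token = token.strip("\"'")         # externals may quote URLs
            if not token.lower().startswith("svn+ssh://"):
                continue
            try:
                authority = urlsplit(token).netloc
            except ValueError:                  # malformed bracketed host
                authority = ""
            # Percent-encoded characters are rejected too: the raw
            # authority must match, not its decoded form.
            if not SAFE_HOSTINFO.match(authority):
                findings.append((line_no, token))
    return findings

# Constructed sample svn:externals value (not taken from any real repository).
SAMPLE = """\
# constructed sample
^/shared/build tools/build
-r 148 svn+ssh://svn.example.org/repos/lib/trunk vendor/lib
svn+ssh://builder@[2001:db8::5]:2222/repos/x vendor/x
vendor/y svn+ssh://-placeholder.example/repos/y
svn+ssh://%2Dplaceholder.example/repos/z vendor/z
https://svn.example.org/repos/docs docs
"""

if __name__ == "__main__":
    for line_no, url in suspicious_externals(SAMPLE):
        print(f"line {line_no}: review {url}")
```

The property values to feed it can be collected with `svn propget svn:externals -R` against a trusted working copy or server-side dump.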

Comment 1 Andrej Nemec 2017-08-09 07:54:49 UTC
Acknowledgments:

Name: the Subversion Team

Comment 6 Stefan Cornelius 2017-08-10 18:23:51 UTC
Mitigation:

There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at:
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 8 Stefan Cornelius 2017-08-10 18:27:35 UTC
Public via: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 9 Stefan Cornelius 2017-08-10 18:28:05 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1480335]

Comment 10 Stefan Cornelius 2017-08-11 12:15:12 UTC
External Reference:

https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 11 errata-xmlrpc 2017-08-15 20:21:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2480 https://access.redhat.com/errata/RHSA-2017:2480