Bug 929090 (CVE-2013-1847)

Summary: CVE-2013-1847 Subversion (mod_dav_svn): DoS (crash) via LOCK requests against a non-existent URL
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkaluza, jlieskov, jorton, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Subversion 1.6.21, Subversion 1.7.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-18 13:13:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 947369, 947370, 947372, 947374, 948813    
Bug Blocks: 929099    
Attachments:
Description Flags
patch-against-1.6.20
none
patch-against-1.7.8 none

Description Huzaifa S. Sidhpurwala 2013-03-29 08:51:01 UTC 
It was found that Subversion's mod_dav_svn Apache HTTPD server module will crash in some circumstances when a LOCK request is made against a non-existent URL. This can lead to DoS.

The vulnerability can be triggered by doing a LOCK request against a URL for a path that does not exist in the repository or an invalid activity URL where authentication is not required for the LOCK method.

Acknowledgements:

Red Hat would like to thank the Apache Subversion project for reporting this issue. Upstream acknowledges Philip Martin and Ben Reser as the original reporter of this flaw.
Comment 1 Huzaifa S. Sidhpurwala 2013-03-29 08:52:06 UTC 
Created attachment 717972 [details]
patch-against-1.6.20
Comment 2 Huzaifa S. Sidhpurwala 2013-03-29 08:52:30 UTC 
Created attachment 717973 [details]
patch-against-1.7.8
Comment 5 Huzaifa S. Sidhpurwala 2013-04-04 09:09:21 UTC 
This issue affects the version of subversion as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the version of subversion as shipped with Fedora 17 and Fedora 18.
Comment 6 Jan Lieskovsky 2013-04-05 12:47:37 UTC 
External References:

http://subversion.apache.org/security/CVE-2013-1847-advisory.txt
Comment 7 Jan Lieskovsky 2013-04-05 12:48:04 UTC 
Announcements:
http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E (v1.7.9)

http://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvSTMLbn4q_KM3Ph2UOeSiPGhEK4%3DSvwEjaHW_GUGkYWPQ%40mail.gmail.com%3E (v1.6.21)
Comment 8 Jan Lieskovsky 2013-04-05 12:59:24 UTC 
Created subversion tracking bugs for this issue

Affects: fedora-all [bug 948813]
Comment 10 errata-xmlrpc 2013-04-11 17:49:23 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2013:0737 https://rhn.redhat.com/errata/RHSA-2013-0737.html