Bug 986194 (CVE-2013-4131)

Summary: CVE-2013-4131 subversion: DoS (assertion failure, crash) in mod_dav_svn when handling certain MOVE, COPY, or DELETE HTTP requests
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Subversion 1.8.1, Subversion 1.7.11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-02 17:50:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 988144, 988145    
Bug Blocks: 986200    

Description Jan Lieskovsky 2013-07-19 08:12:38 UTC 
A denial of service flaw was found in the way mod_dav_svn module of Subversion (SVN), a concurrent version control system, used to process certain MOVE, COPY, or DELETE HTTP requests (requests that originated or targeted against a revision root). A remote attacker, with commit access / privileges could use this flaw to cause denial of service (depending on the Apache httpd web server configuration either child assertion failure or crash [prefork MPM configuration] or failure to handle other requests, originally scheduled to be handled within the same thread [threaded MPM configuration] due to a process termination) by issuing a specially-crafted SVN commit request.

Vulnerable package versions:
* Subversion HTTPD servers 1.7.0 through 1.7.10 (inclusive)
* Subversion HTTPD servers 1.8.0 (including 1.8.0 release candidates).
* svnserve (any version) is not vulnerable.
* Subversion 1.6.x is not vulnerable.
Comment 2 Jan Lieskovsky 2013-07-19 08:16:03 UTC 
This issue did NOT affect the versions of the subversion package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the subversion package, as shipped with Fedora release of 17, 18, and 19.
Comment 4 Jan Lieskovsky 2013-07-19 08:17:57 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of subversion, as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 5 Jan Lieskovsky 2013-07-19 08:20:34 UTC 
Acknowledgements:

Red Hat would like to thank Ben Reser of Apache Subversion project for reporting this issue. Upstream acknowledges Daniel Shahaf of Apache Infrastructure as the original issue reporter.
Comment 8 Vincent Danen 2013-07-24 20:35:32 UTC 
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 988145]
Comment 9 Jan Lieskovsky 2013-07-25 09:37:24 UTC 
External References:

http://subversion.apache.org/security/CVE-2013-4131-advisory.txt
Comment 10 Fedora Update System 2013-08-02 03:30:56 UTC 
subversion-1.7.11-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-08-15 02:33:02 UTC 
subversion-1.7.11-1.fc18.1 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.