Bug 1247252 – CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1247252 - (CVE-2015-3187) CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz

Summary:	CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidd...

Status:	CLOSED ERRATA

Aliases:	CVE-2015-3187

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20150805,reported=2...
Keywords:	Security

Depends On:	1242733 1250012 1250021 1250880 1252262
Blocks:	1247253
	Show dependency tree / graph

Reported:	2015-07-27 12:09 EDT by Vasyl Kaigorodov
Modified:	2016-01-22 08:31 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	Subversion 1.8.14, Subversion 1.7.21
Doc Type:	Bug Fix
Doc Text:	It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved).
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-09-15 02:01:27 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
svn1.8.13.patch (12.38 KB, text/plain) 2015-07-27 12:12 EDT, Vasyl Kaigorodov	no flags	Details
svn1.7.20.patch (12.42 KB, text/plain) 2015-07-27 12:12 EDT, Vasyl Kaigorodov	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1633	normal	SHIPPED_LIVE	Moderate: subversion security update	2015-08-17 08:10:30 EDT
Red Hat Product Errata	RHSA-2015:1742	normal	SHIPPED_LIVE	Moderate: subversion security update	2015-09-08 13:09:57 EDT

Groups: None (edit)

Description Vasyl Kaigorodov 2015-07-27 12:09:54 EDT

Upstream has reported the below security vulnerability in Subversion:

Summary
=======

  Subversion servers, both httpd and svnserve, will reveal some paths
  that should be hidden by path-based authz.  When a node is copied
  from an unreadable location to a readable location the unreadable
  path may be revealed.  This vulnerablity only reveals the path, it
  does not reveal the contents of the path.

Known vulnerable
================

  Subversion 1.8.0 to 1.8.13
  Subversion 1.7.0 to 1.7.20
  All older versions

Known fixed
===========

  Subversion 1.8.14
  Subversion 1.7.21

Details
=======

  The function svn_repos_trace_node_locations() follows the history of
  a node through earlier revisions and shows any copies.  It should
  stop following history when an unreadable path is encountered but an
  implementation error causes the first unreadable path to be returned
  in some circumstances.  This only reveals the unreadable path, it
  does not reveal the content of the file or directory at that path.
  Any attempts to obtain the content will fail with an authorization
  error.

  Examples:

  1. After copying "unreadable-path" to "readable-path" then following
     the history of "readable-path" may reveal "unreadable-path".

  2. After copying "unreadable/some-path" to "readable/other-path"
     then following the history of "readable/other-path" may reveal
     "unreadable/some-path".

Acknowledgements:

Red Hat would like to thank Apache Software Foundation for reporting this issue. Upstream acknowledges C. Michael Pilato, CollabNet, as the original reporter.

Comment 1 Vasyl Kaigorodov 2015-07-27 12:12:15 EDT

Created attachment 1056678 [details]
svn1.8.13.patch

Comment 2 Vasyl Kaigorodov 2015-07-27 12:12:17 EDT

Created attachment 1056679 [details]
svn1.7.20.patch

Comment 9 Martin Prpič 2015-08-06 04:31:23 EDT

External References:

http://subversion.apache.org/security/CVE-2015-3187-advisory.txt

Comment 10 Martin Prpič 2015-08-06 04:33:36 EDT

Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1250880]

Comment 12 errata-xmlrpc 2015-08-17 04:11:04 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1633 https://rhn.redhat.com/errata/RHSA-2015-1633.html

Comment 13 errata-xmlrpc 2015-09-08 09:10:24 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1742 https://rhn.redhat.com/errata/RHSA-2015-1742.html

Comment 14 Huzaifa S. Sidhpurwala 2015-09-15 02:01:27 EDT

Statement:

This issue affects the version of subversion as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Note You need to log in before you can comment on or make changes to this bug.