1247252 – (CVE-2015-3187) CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz

Bug 1247252 (CVE-2015-3187) - CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz

Summary: CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidd...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-3187
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1242733 1250012 1250021 1250880 1252262
Blocks:	1247253
TreeView+	depends on / blocked

Reported:	2015-07-27 16:09 UTC by Vasyl Kaigorodov
Modified:	2023-05-12 10:14 UTC (History)
CC List:	4 users (show)
Fixed In Version:	Subversion 1.8.14, Subversion 1.7.21
Clone Of:
Environment:
Last Closed:	2015-09-15 06:01:27 UTC
Embargoed:

Attachments	(Terms of Use)
svn1.8.13.patch (12.38 KB, text/plain) 2015-07-27 16:12 UTC, Vasyl Kaigorodov	no flags	Details
svn1.7.20.patch (12.42 KB, text/plain) 2015-07-27 16:12 UTC, Vasyl Kaigorodov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1633	0	normal	SHIPPED_LIVE	Moderate: subversion security update	2015-08-17 12:10:30 UTC
Red Hat Product Errata	RHSA-2015:1742	0	normal	SHIPPED_LIVE	Moderate: subversion security update	2015-09-08 17:09:57 UTC

Description Vasyl Kaigorodov 2015-07-27 16:09:54 UTC

Upstream has reported the below security vulnerability in Subversion:

Summary
=======

  Subversion servers, both httpd and svnserve, will reveal some paths
  that should be hidden by path-based authz.  When a node is copied
  from an unreadable location to a readable location the unreadable
  path may be revealed.  This vulnerablity only reveals the path, it
  does not reveal the contents of the path.

Known vulnerable
================

  Subversion 1.8.0 to 1.8.13
  Subversion 1.7.0 to 1.7.20
  All older versions

Known fixed
===========

  Subversion 1.8.14
  Subversion 1.7.21

Details
=======

  The function svn_repos_trace_node_locations() follows the history of
  a node through earlier revisions and shows any copies.  It should
  stop following history when an unreadable path is encountered but an
  implementation error causes the first unreadable path to be returned
  in some circumstances.  This only reveals the unreadable path, it
  does not reveal the content of the file or directory at that path.
  Any attempts to obtain the content will fail with an authorization
  error.

  Examples:

  1. After copying "unreadable-path" to "readable-path" then following
     the history of "readable-path" may reveal "unreadable-path".

  2. After copying "unreadable/some-path" to "readable/other-path"
     then following the history of "readable/other-path" may reveal
     "unreadable/some-path".

Acknowledgements:

Red Hat would like to thank Apache Software Foundation for reporting this issue. Upstream acknowledges C. Michael Pilato, CollabNet, as the original reporter.

Comment 1 Vasyl Kaigorodov 2015-07-27 16:12:15 UTC

Created attachment 1056678 [details]
svn1.8.13.patch

Comment 2 Vasyl Kaigorodov 2015-07-27 16:12:17 UTC

Created attachment 1056679 [details]
svn1.7.20.patch

Comment 9 Martin Prpič 2015-08-06 08:31:23 UTC

External References:

http://subversion.apache.org/security/CVE-2015-3187-advisory.txt

Comment 10 Martin Prpič 2015-08-06 08:33:36 UTC

Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1250880]

Comment 12 errata-xmlrpc 2015-08-17 08:11:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1633 https://rhn.redhat.com/errata/RHSA-2015-1633.html

Comment 13 errata-xmlrpc 2015-09-08 13:10:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1742 https://rhn.redhat.com/errata/RHSA-2015-1742.html

Comment 14 Huzaifa S. Sidhpurwala 2015-09-15 06:01:27 UTC

Statement:

This issue affects the version of subversion as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Note You need to log in before you can comment on or make changes to this bug.