1479686 – (CVE-2017-9800) CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs

Bug 1479686 (CVE-2017-9800) - CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs

Summary: CVE-2017-9800 subversion: Command injection through clients via malicious svn...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-9800
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1479734 1479735 1480335
Blocks:	1479687
TreeView+	depends on / blocked

Reported:	2017-08-09 07:54 UTC by Andrej Nemec
Modified:	2021-02-17 01:45 UTC (History)
CC List:	6 users (show)
Fixed In Version:	subversion 1.8.18, subversion 1.9.7
Doc Type:	If docs needed, set a value
Doc Text:	A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit.
Clone Of:
Environment:
Last Closed:	2017-08-16 09:24:35 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:2480	0	normal	SHIPPED_LIVE	Important: subversion security update	2017-08-16 00:20:30 UTC

Description Andrej Nemec 2017-08-09 07:54:46 UTC

A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Comment 1 Andrej Nemec 2017-08-09 07:54:49 UTC

Acknowledgments:

Name: the Subversion Team

Comment 6 Stefan Cornelius 2017-08-10 18:23:51 UTC

Mitigation:

There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at:
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 8 Stefan Cornelius 2017-08-10 18:27:35 UTC

Public via: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 9 Stefan Cornelius 2017-08-10 18:28:05 UTC

Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1480335]

Comment 10 Stefan Cornelius 2017-08-11 12:15:12 UTC

External Reference:

https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 11 errata-xmlrpc 2017-08-15 20:21:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2480 https://access.redhat.com/errata/RHSA-2017:2480

Note You need to log in before you can comment on or make changes to this bug.