Bug 1479686 - (CVE-2017-9800) CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs
CVE-2017-9800 subversion: Command injection through clients via malicious svn...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170810,repo...
: Security
Depends On: 1479735 1479734 1480335
Blocks: 1479687
  Show dependency treegraph
 
Reported: 2017-08-09 03:54 EDT by Andrej Nemec
Modified: 2017-08-21 20:38 EDT (History)
6 users (show)

See Also:
Fixed In Version: subversion 1.8.18, subversion 1.9.7
Doc Type: If docs needed, set a value
Doc Text:
A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-16 05:24:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrej Nemec 2017-08-09 03:54:46 EDT
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
Comment 1 Andrej Nemec 2017-08-09 03:54:49 EDT
Acknowledgments:

Name: the Subversion Team
Comment 6 Stefan Cornelius 2017-08-10 14:23:51 EDT
Mitigation:

There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at:
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Comment 8 Stefan Cornelius 2017-08-10 14:27:35 EDT
Public via: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Comment 9 Stefan Cornelius 2017-08-10 14:28:05 EDT
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1480335]
Comment 10 Stefan Cornelius 2017-08-11 08:15:12 EDT
External Reference:

https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Comment 11 errata-xmlrpc 2017-08-15 16:21:21 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2480 https://access.redhat.com/errata/RHSA-2017:2480

Note You need to log in before you can comment on or make changes to this bug.