Bug 1479686 (CVE-2017-9800) - CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs
Summary: CVE-2017-9800 subversion: Command injection through clients via malicious svn...
Status: CLOSED ERRATA
Alias: CVE-2017-9800
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170810,repo...
Keywords: Security
Depends On: 1479734 1479735 1480335
Blocks: 1479687
TreeView+ depends on / blocked
 
Reported: 2017-08-09 07:54 UTC by Andrej Nemec
Modified: 2017-08-22 00:38 UTC (History)
6 users (show)

(edit)
A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit.
Clone Of:
(edit)
Last Closed: 2017-08-16 09:24:35 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2480 normal SHIPPED_LIVE Important: subversion security update 2017-08-16 00:20:30 UTC

Description Andrej Nemec 2017-08-09 07:54:46 UTC
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.

A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server.

The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Comment 1 Andrej Nemec 2017-08-09 07:54:49 UTC
Acknowledgments:

Name: the Subversion Team

Comment 6 Stefan Cornelius 2017-08-10 18:23:51 UTC
Mitigation:

There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at:
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 8 Stefan Cornelius 2017-08-10 18:27:35 UTC
Public via: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 9 Stefan Cornelius 2017-08-10 18:28:05 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1480335]

Comment 10 Stefan Cornelius 2017-08-11 12:15:12 UTC
External Reference:

https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Comment 11 errata-xmlrpc 2017-08-15 20:21:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2480 https://access.redhat.com/errata/RHSA-2017:2480


Note You need to log in before you can comment on or make changes to this bug.