A shell command injection flaw related to the handling of "svn+ssh" URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a "checkout" or "update" action on a malicious repository, or a legitimate repository containing a malicious commit.
A Subversion client sometimes connects to URLs provided by the repository. This happens in two primary cases: during 'checkout', 'export', 'update', and 'switch', when the tree being downloaded contains svn:externals properties; and when using 'svnsync sync' with one URL argument.
A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server.
The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
Name: the Subversion Team
There are various methods available to mitigate this issue. For further information, please refer to the Subversion advisory available at:
Public via: https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Created subversion tracking bugs for this issue:
Affects: fedora-all [bug 1480335]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2480 https://access.redhat.com/errata/RHSA-2017:2480