Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server. Subversion svn:// connections, including svn+ssh:// and svn+<custom>://, use a custom network protocol [1] with Lisp-like syntax. The code implementing the protocol has dedicated codepaths for serialization of revision numbers into protocol integers. A particular client query could cause the server to attempt to reply with a revision number whose value is the invalid revision number constant `SVN_INVALID_REVNUM`, thereby triggering an assertion failure in the serialization layer.
Reference: 1. https://svn.apache.org/repos/asf/subversion/tags/1.10.0/subversion/libsvn_ra_svn/protocol
Statement: An authenticated user can cause the Subversion server (svnserve) process to crash by sending a well-formed read-only request which produces a particular answer. Exploitation results in denial of service by crashing an svnserve process. The impact of this differs depending on how svnserve is launched, including the different run modes selected by options such as "svnserve -d", "svnserve -T -d", "svnserve -t", and "svnserve -i". mod_dav_svn is not affected by this flaw.
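The failure pattern described above, as an added illustration that is not Subversion's own code: a serializer that enforces the "never emit an invalid revision" invariant with assert() aborts the whole server process when a lookup legitimately yields the sentinel, while a serializer that returns an error status lets the handler answer with a protocol failure and keep serving. The type `svn_revnum_t` and the -1 value of `SVN_INVALID_REVNUM` are assumed to mirror Subversion's definitions; the function names, the `rev_write_status` enum, `handle_rev_query` and the exact shape of the success/failure tuples are hypothetical (the protocol does encode numbers as unsigned digit strings followed by a space, which is why a negative sentinel cannot be represented).

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for Subversion's revision type and invalid-revision sentinel
   (assumed to match Subversion's definitions; this is an added illustration,
   not Subversion code). */
typedef long svn_revnum_t;
#define SVN_INVALID_REVNUM ((svn_revnum_t) -1)

enum rev_write_status {
    REV_WRITE_OK = 0,
    REV_WRITE_INVALID = 1,   /* caller passed SVN_INVALID_REVNUM or another negative value */
    REV_WRITE_NO_SPACE = 2   /* output buffer too small for the digits */
};

/* Fragile pattern: the invariant is enforced with assert(). Violating it
   terminates the process, which is the failure mode the advisory describes.
   (Never called with an invalid revision here; doing so would abort.) */
static void write_rev_fragile(svn_revnum_t rev, char *out, size_t outlen)
{
    assert(rev != SVN_INVALID_REVNUM);
    snprintf(out, outlen, "%ld ", (long) rev);
}

/* Hardened pattern: the same invariant is checked, but a violation becomes
   a status the caller can report instead of a process-wide abort. Protocol
   numbers are unsigned digit strings followed by a space, so any negative
   value (including the -1 sentinel) is unrepresentable and rejected. */
static enum rev_write_status write_rev_checked(svn_revnum_t rev, char *out, size_t outlen)
{
    if (rev < 0)
        return REV_WRITE_INVALID;
    int n = snprintf(out, outlen, "%ld ", (long) rev);
    if (n < 0 || (size_t) n >= outlen)
        return REV_WRITE_NO_SPACE;
    return REV_WRITE_OK;
}

/* Hypothetical request handler: `answer` is the revision a lookup produced,
   which may legitimately be SVN_INVALID_REVNUM (e.g. "nothing found").
   Fills `resp` with a simplified success/failure tuple in the protocol's
   Lisp-like syntax (tuple shape illustrative only) and returns the status. */
static enum rev_write_status handle_rev_query(svn_revnum_t answer, char *resp, size_t resplen)
{
    char num[32];
    enum rev_write_status st = write_rev_checked(answer, num, sizeof num);
    if (st == REV_WRITE_OK)
        snprintf(resp, resplen, "( success ( %s) ) ", num);   /* num already carries its trailing space */
    else
        snprintf(resp, resplen, "( failure ( invalid-revision ) ) ");
    return st;
}

int main(void)
{
    char num[32];
    char resp[64];

    write_rev_fragile(42, num, sizeof num);            /* valid revision: fine either way */
    handle_rev_query(42, resp, sizeof resp);
    printf("%s\n", resp);                               /* ( success ( 42 ) ) */

    /* The hardened path turns the sentinel into an answer, not an abort. */
    handle_rev_query(SVN_INVALID_REVNUM, resp, sizeof resp);
    printf("%s\n", resp);                               /* ( failure ( invalid-revision ) ) */
    return 0;
}
```

The design point is that an internal-consistency assertion is the wrong tool for a value that can be produced by ordinary request processing; data that reaches the serializer from a lookup has to be validated and reported as an error, with assertions reserved for conditions that genuinely cannot occur. For operators, the advisory's note on run modes matters here: with one process per connection (for example `svnserve -i` or `svnserve -t`) an abort ends only that connection, whereas a single long-running daemon takes all its clients down with it.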
Created subversion tracking bugs for this issue: Affects: fedora-all [bug 1735578]
External References: https://subversion.apache.org/security/CVE-2018-11782-advisory.txt
Acknowledgments: Name: the Subversion project (Apache Software Foundation) Upstream: Ace Olszowka (Build Master at Computers Unlimited)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3972 https://access.redhat.com/errata/RHSA-2020:3972
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11782
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4712 https://access.redhat.com/errata/RHSA-2020:4712