Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote authenticated users to cause a denial of service (FSFS repository corruption) via a newline character in a file name.

This update of subversion fixes two potential DoS vulnerabilities (bug#821505, CVE-2013-1968, CVE-2013-2112).

Server-side bugfixes :

   - fix FSFS repository corruption due to newline in     filename (issue #4340)
  - fix svnserve exiting when a client connection is aborted     (r1482759) Other tool improvements and bugfixes :

   - fix argument processing in contrib hook scripts     (r1485350)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of subversion includes several bug and security fixes.

  - update to 1.7.10 [bnc#821505] CVE-2013-1968     CVE-2013-2088 CVE-2013-2112

  - Client-side bugfixes :

  - fix 'svn revert' 'no such table: revert_list' spurious     error

  - fix 'svn diff' doesn't show some locally added files

  - fix changelist filtering when --changelist values aren't     UTF8

  - fix 'svn diff --git' shows wrong copyfrom

  - fix 'svn diff -x-w' shows wrong changes

  - fix 'svn blame' sometimes shows every line as modified

  - fix regression in 'svn status -u' output for externals

  - fix file permissions change on commit of file with     keywords

  - improve some fatal error messages

  - fix externals not removed when working copy is made     shallow

  - Server-side bugfixes :

  - fix repository corruption due to newline in filename

  - fix svnserve exiting when a client connection is aborted

  - fix svnserve memory use after clear

  - fix repository corruption on power/disk failure on     Windows

  - Developer visible changes :

  - make get-deps.sh compatible with Solaris /bin/sh

  - fix infinite recursion bug in get-deps.sh

  - fix uninitialised output parameter of     svn_fs_commit_txn()

  - Bindings :

  - fix JavaHL thread-safety bug

Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP.

A flaw was found in the way the mod_dav_svn module handled OPTIONS requests. A remote attacker with read access to an SVN repository served via HTTP could use this flaw to cause the httpd process that handled such a request to crash. (CVE-2014-0032)

A flaw was found in the way Subversion handled file names with newline characters when the FSFS repository format was used. An attacker with commit access to an SVN repository could corrupt a revision by committing a specially crafted file. (CVE-2013-1968)

A flaw was found in the way the svnserve tool of Subversion handled remote client network connections. An attacker with read access to an SVN repository served via svnserve could use this flaw to cause the svnserve daemon to exit, leading to a denial of service.
(CVE-2013-2112)

All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol.

A flaw was found in the way the mod_dav_svn module handled OPTIONS requests. A remote attacker with read access to an SVN repository served via HTTP could use this flaw to cause the httpd process that handled such a request to crash. (CVE-2014-0032)

A flaw was found in the way Subversion handled file names with newline characters when the FSFS repository format was used. An attacker with commit access to an SVN repository could corrupt a revision by committing a specially crafted file. (CVE-2013-1968)

A flaw was found in the way the svnserve tool of Subversion handled remote client network connections. An attacker with read access to an SVN repository served via svnserve could use this flaw to cause the svnserve daemon to exit, leading to a denial of service.
(CVE-2013-2112)

After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol.

From Red Hat Security Advisory 2014:0255 :

Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP.

A flaw was found in the way the mod_dav_svn module handled OPTIONS requests. A remote attacker with read access to an SVN repository served via HTTP could use this flaw to cause the httpd process that handled such a request to crash. (CVE-2014-0032)

A flaw was found in the way Subversion handled file names with newline characters when the FSFS repository format was used. An attacker with commit access to an SVN repository could corrupt a revision by committing a specially crafted file. (CVE-2013-1968)

A flaw was found in the way the svnserve tool of Subversion handled remote client network connections. An attacker with read access to an SVN repository served via svnserve could use this flaw to cause the svnserve daemon to exit, leading to a denial of service.
(CVE-2013-2112)

All subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, for the update to take effect, you must restart the httpd daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are serving Subversion repositories via the svn:// protocol.

The remote host is affected by the vulnerability described in GLSA-201309-11 (Subversion: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Subversion. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could cause a Denial of Service condition or obtain       sensitive information. A local attacker could escalate his privileges to       the user running svnserve.
  Workaround :

    There is no known workaround at this time.

This update includes the latest release of Apache Subversion 1.7, version 1.7.11. Several security vulnerabilities are fixed in this update :

Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion on some requests made against a revision root. This can lead to a DoS. If assertions are disabled it will trigger a read overflow which may cause a segmentation fault or undefined behavior. Commit access is required to exploit this. (CVE-2013-4131)

If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt. This can lead to disruption for users of the repository. (CVE-2013-1968)

Subversion's contrib/ directory contains two example hook scripts, which use 'svnlook changed' to examine a revision or transaction and then pass those paths as arguments to further 'svnlook' commands, without properly escaping the command-line. (CVE-2013-2088)

Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. This can lead to disruption for users of the server. (CVE-2013-2112)

The following client-side bugs were fixed in the 1.7.10 release :

  - fix 'svn revert' 'no such table: revert_list' spurious     error

    - fix 'svn diff' doesn't show some locally added files

    - fix changelist filtering when --changelist values       aren't UTF8

    - fix 'svn diff --git' shows wrong copyfrom

    - fix 'svn diff -x-w' shows wrong changes

    - fix 'svn blame' sometimes shows every line as modified

    - fix regression in 'svn status -u' output for externals

    - fix file permissions change on commit of file with       keywords

    - improve some fatal error messages

    - fix externals not removed when working copy is made       shallow

The following server-side bugs are fixed :

  - fix repository corruption due to newline in filename

    - fix svnserve exiting when a client connection is       aborted

    - fix svnserve memory use after clear

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of subversion fixes two potential DoS vulnerabilities (bug#821505, CVE-2013-1968 / CVE-2013-2112).

  - Server-side bugfixes :

  - fix FSFS repository corruption due to newline in     filename (issue #4340)

  - fix svnserve exiting when a client connection is aborted     (r1482759)

  - Other tool improvements and bugfixes :

  - fix argument processing in contrib hook scripts     (r1485350)

The installed version of Apache Subversion Server is prior to 1.6.23 or 1.7.x prior to 1.7.10. It is, therefore, affected by multiple remote denial of service vulnerabilities :

  - A flaw exists when handling specially crafted filenames     that could result in corruption of the FSFS repository.
    A workaround exists to install a pre-commit hook that     will prevent unsanitized filenames from being committed     into the repository. (CVE-2013-1968)

  - A flaw exists in svnserve server where improperly     handled aborted connection message are handled as     critical errors. (CVE-2013-2112)

Alexander Klink discovered that the Subversion mod_dav_svn module for Apache did not properly handle a large number of properties. A remote authenticated attacker could use this flaw to cause memory consumption, leading to a denial of service. (CVE-2013-1845)

Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain LOCKs. A remote authenticated attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1846)

Philip Martin and Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain LOCKs. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1847)

It was discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain PROPFIND requests. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. (CVE-2013-1849)

Greg McMullin, Stefan Fuhrmann, Philip Martin, and Ben Reser discovered that the Subversion mod_dav_svn module for Apache did not properly handle certain log REPORT requests. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service. This issue only affected Ubuntu 12.10 and Ubuntu 13.04.
(CVE-2013-1884)

Stefan Sperling discovered that Subversion incorrectly handled newline characters in filenames. A remote authenticated attacker could use this flaw to corrupt FSFS repositories. (CVE-2013-1968)

Boris Lytochkin discovered that Subversion incorrectly handled TCP connections that were closed early. A remote attacker could use this flaw to cause Subversion to crash, leading to a denial of service.
(CVE-2013-2112).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been found and corrected in subversion :

If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt. This can lead to disruption for users of the repository (CVE-2013-1968).

Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. This can lead to disruption for users of the server (CVE-2013-2112).

This advisory provides the latest versions of subversion (1.6.23/1.7.10) which is not vulnerable to these issues.

Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2013-1968     Subversion repositories with the FSFS repository data     store format can be corrupted by newline characters in     filenames. A remote attacker with a malicious client     could use this flaw to disrupt the service for other     users using that repository.

  - CVE-2013-2112     Subversion's svnserve server process may exit when an     incoming TCP connection is closed early in the     connection process. A remote attacker can cause svnserve     to exit and thus deny service to users of the server.

The installed version of SVN is affected by the following vulnerabilities:

  - Remote denial-of-service vulnerabilities exist due to an error in the svnserve server, as it does not properly handle aborted connection messages. (CVE-2013-1968, CVE-2013-2112)

  - A command-injection vulnerability exists in the 'svn-keyword-check.pl' hook script while processing filenames. (CVE-2013-2088)

Versions of Apache Subversion prior to 1.6.23, or 1.7.x prior to 1.7.10 are affected by the following vulnerabilities :

 - Remote denial-of-service vulnerabilities exist due to an error in the 'svnserve' server, as it does not properly handle aborted connection messages. (CVE-2013-1968, CVE-2013-2112)
 - A command injection vulnerability exists in the 'svn-keyword-check.pl' hook script while processing filenames. (CVE-2013-2088)

Subversion team reports :

If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt.

ID	Name	Product	Family	Severity
83592	SUSE SLED10 Security Update : subversion (SUSE-SU-2013:1217-1)	Nessus	SuSE Local Security Checks	high
75035	openSUSE Security Update : subversion (openSUSE-SU-2013:1006-1)	Nessus	SuSE Local Security Checks	high
72866	CentOS 5 / 6 : subversion (CESA-2014:0255)	Nessus	CentOS Local Security Checks	high
72855	Scientific Linux Security Update : subversion on SL5.x, SL6.x i386/x86_64 (20140305)	Nessus	Scientific Linux Local Security Checks	high
72854	RHEL 5 / 6 : subversion (RHSA-2014:0255)	Nessus	Red Hat Local Security Checks	high
72852	Oracle Linux 5 / 6 : subversion (ELSA-2014-0255)	Nessus	Oracle Linux Local Security Checks	high
70084	GLSA-201309-11 : Subversion: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69355	Fedora 18 : subversion-1.7.11-1.fc18.1 (2013-13672)	Nessus	Fedora Local Security Checks	high
68955	SuSE 10 Security Update : subversion (ZYPP Patch Number 8628)	Nessus	SuSE Local Security Checks	high
68930	Apache Subversion < 1.6.23 / 1.7.x < 1.7.10 Multiple Remote DoS	Nessus	Windows	medium
67016	Ubuntu 12.04 LTS / 12.10 / 13.04 : subversion vulnerabilities (USN-1893-1)	Nessus	Ubuntu Local Security Checks	high
66890	Mandriva Linux Security Advisory : subversion (MDVSA-2013:173)	Nessus	Mandriva Local Security Checks	high
66846	Debian DSA-2703-1 : subversion - several vulnerabilities	Nessus	Debian Local Security Checks	high
800980	Apache Subversion < 1.8.0 / 1.7.10 / 1.6.23 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
6854	Apache Subversion < 1.6.23 / 1.7.x < 1.7.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
66737	FreeBSD : devel/subversion -- fsfs repositories can be corrupted by newline characters in filenames (787d21b9-ca38-11e2-9673-001e8c75030d)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2013-1968

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

medium

high

high

high

medium

high

medium