Subversion 1.4.5 released (Win32 security release)
Subversion 1.4.5 is available from:
http://subversion.tigris.org/downloads/subversion-1.4.5.tar.bz2
http://subversion.tigris.org/downloads/subversion-1.4.5.tar.gz
http://subversion.tigris.org/downloads/subversion-1.4.5.zip
http://subversion.tigris.org/downloads/subversion-deps-1.4.5.tar.bz2
http://subversion.tigris.org/downloads/subversion-deps-1.4.5.tar.gz
http://subversion.tigris.org/downloads/subversion-deps-1.4.5.zip
THIS IS A SECURITY RELEASE, addressing the issue described at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846
The CVE page may not be public yet when you read this, but will be
soon. The full text of the advisory is included at the end of this email.
This security issue affects Microsoft Windows clients only, and is
considered a medium-level security problem, as write access to the
repository is required to make use of the exploit. Subversion 1.4.5
differs from 1.4.4 only in the fix for this issue. Upgrading to
Subversion 1.4.5 is therefore strongly recommended for Microsoft
Windows client installations.
The MD5 checksums are:
4c333a5fe827568c67d195cda7a5e154 subversion-1.4.5.tar.bz2
204a9577402db94cd52cc82bbb8e898e subversion-1.4.5.tar.bz2.asc
3caf1d93e13ed09d76c42eff0f52dfaf subversion-1.4.5.tar.gz
3bff2a953891d6d21b5937532a833dea subversion-1.4.5.tar.gz.asc
ddbdd57d196e8f83695a912f48389653 subversion-1.4.5.zip
d5e0a186f8a5143a9c7f6291f432fecc subversion-1.4.5.zip.asc
67cacdca12d4f648bbb005813d17f524 subversion-deps-1.4.5.tar.bz2
e02f66d50de7692328e1c336cc34ed31 subversion-deps-1.4.5.tar.bz2.asc
ac2ac4d8e50e229eb4cc37a6901b92c2 subversion-deps-1.4.5.tar.gz
9c69403da71f791b0b5f59ade9e36cb3 subversion-deps-1.4.5.tar.gz.asc
8eb5d7057b93799ace31fcf4508cca3a subversion-deps-1.4.5.zip
e7d6309bba1c2c42903b236859b275ae subversion-deps-1.4.5.zip.asc
The SHA1 checksums are:
acc80381cb670736ad626fee1eb04f36ba7e5fc8 subversion-1.4.5.tar.bz2
3a1c58ce129a3b8f6ecd0c3849712a3d4caf5284 subversion-1.4.5.tar.bz2.asc
526e7fb92aae0e5b54f51d2f48818526f46f4bc0 subversion-1.4.5.tar.gz
5d6cd8d7276e3f4bf94b24437acce75a921077ab subversion-1.4.5.tar.gz.asc
0d17de71f336e8eddadc7aaecb02102d0d911400 subversion-1.4.5.zip
290ce5763dbf8c93887884aa3d5e83b594a92543 subversion-1.4.5.zip.asc
646051d4c447d6c6e99f8f4bfdfc096712f0912a subversion-deps-1.4.5.tar.bz2
7fe4af45ff9b7d953ebd31260d8c5e29412afde6 subversion-deps-1.4.5.tar.bz2.asc
aef7bb1cd394fb59f354769161aef90c06ff1f02 subversion-deps-1.4.5.tar.gz
6ff9711672e0f85e96f582becd53356ab5c858c1 subversion-deps-1.4.5.tar.gz.asc
bf3c5a1d2d23efd9701c4ca22b1155fac5344ddd subversion-deps-1.4.5.zip
55987a8a09debed21a62743745521c6963a8caf1 subversion-deps-1.4.5.zip.asc
PGP Signatures are available at:
http://subversion.tigris.org/downloads/subversion-1.4.5.tar.bz2.asc
http://subversion.tigris.org/downloads/subversion-1.4.5.tar.gz.asc
http://subversion.tigris.org/downloads/subversion-1.4.5.zip.asc
http://subversion.tigris.org/downloads/subversion-deps-1.4.5.tar.bz2.asc
http://subversion.tigris.org/downloads/subversion-deps-1.4.5.tar.gz.asc
http://subversion.tigris.org/downloads/subversion-deps-1.4.5.zip.asc
For this release, the following people have provided PGP signatures:
C. Michael Pilato [1024D/1706FD6E] with fingerprint:
20BF 14DC F02F 2730 7EA4 C7BB A241 06A9 1706 FD6E
Paul T. Burba [1024D/53FCDC55] with fingerprint:
E630 CF54 792C F913 B13C 32C5 D916 8930 53FC DC55
Hyrum K. Wright [1024D/4E24517C] with fingerprint:
3324 80DA 0F8C A37D AEE6 D084 0B03 AE6E 4E24 517C
David Anderson [1024D/EE506461] with fingerprint:
21DF EE01 0E07 B970 CBD1 F75A 09BC 35E3 EE50 6461
The Windows binary packages are also available in the download area on
the Subversion website.
Release notes for the 1.4.x release series may be found at:
http://subversion.tigris.org/svn_1.4_releasenotes.html
You can find list of changes between 1.4.5 and earlier versions at:
http://svn.collab.net/repos/svn/tags/1.4.5/CHANGES
Questions, comments, and bug reports to users <at> subversion.tigris.org.
Thanks,
- The Subversion Team
**** BEGIN ADVISORY TEXT ****
On some platforms (e.g., Win32), svn client can create files in bad places
Summary:
========
This vulnerability requires prior write access to the repository.
In Subversion 1.4.4 and earlier versions, on platforms where the
directory separator is "\" (or anything other than "/"), the client
libraries can allow files outside the working copy to be created
during a checkout or update. This could, in theory, be used to
place arbitrary code at arbitrary locations on the client machine,
for example, in system startup scripts.
Known vulnerable:
=================
Subversion clients <= 1.4.4 (including clients like TortoiseSVN)
Known fixed:
============
Subversion 1.4.5
(Search for "Patch" below to see the patch from 1.4.4 -> 1.4.5.
Search for "Recommendation" to get URLs for the 1.4.5 release.)
Details:
========
The Subversion client libraries fail to validate that filenames
obtained from the Subversion server during checkout do not contain
"..\". This allows the creation of files outside the checkout
directory. Users on operating systems where "\" is not used to
separate directory paths can commit files with "..\" in the path.
When these files are checked out onto systems where "\" is a
directory separator, hilarity may ensue. To reproduce:
On a UNIX system, create a file "..\DIRNAME/exploit.exe" and check
it into a repository on the top level. Then check out that
repository to a Win32 system. The file will appear outside of the
checkout directory and instead under "DIRNAME".
Severity:
=========
Med (arbitrary file creation on client, possibly over system startup files)
An adversary with write access to the repository could create a file
at an arbitrary path on the victim's machines. This could be used
to install code on the system, for example by placing executable
code into the startup sequence.
The attacker first requires write access to the repository from
which the file will be checked out, and requires that others not
notice the commit of the dangerous file. Thus, at first glance it
might seem that some social engineering is necessary for a full
exploit. However, if the repository administrator is the attacker,
little or no social engineering is required.
References:
===========
CVE-2007-3846 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846)
http://crisp.cs.du.edu/?q=node/36
Reported by:
============
Nils Durner and Christian Grothoff, Colorado Research Institute for
Security and Privacy, http://crisp.cs.du.edu/.
Recommendation:
===============
Upgrade clients to use Subversion 1.4.5 libraries:
http://subversion.tigris.org/project_packages.html
Workarounds:
============
These workarounds apply only to the repository (server) side. They
cannot protect a client from a malicious repository administrator.
* Scan existing repositories for paths containing "\", rename them.
* Install a pre-commit hook that checks for "\" in filenames.
Below is such a hook script, indented by four spaces:
#!/bin/sh
### backslash-check.py: A Subversion pre-commit hook script to prevent
### files containing "\" from being added to the repository.
###
### See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846
### *** NOTE: ***
### Because Subversion hook scripts execute in a scrubbed environment,
### we use an absolute path to the svnlook binary. You might need to
### adjust it for your system.
SVNLOOK="/usr/bin/svnlook"
### You shouldn't need to change anything below this line.
REPOS=${1}
TXN=${2}
if ${SVNLOOK} changed -t ${TXN} ${REPOS} | grep -E "^A +.*\\\\"; then
echo "" >&2
echo "Cannot commit paths containing '\\':" >&2
echo "" >&2
# Show the actual paths:
${SVNLOOK} changed -t ${TXN} ${REPOS} \
| grep -E "^A +.*\\\\" | cut -c5- >&2
echo "" >&2
exit 1
else
exit 0
fi
Patch:
======
This log message and patch applies to Subversion 1.4.4.
[[[
CVE-2007-3846: arbitrary path creation during updates and checkouts.
* subversion/libsvn_wc/update_editor.c
(check_path_under_root): New helper function.
(delete_entry, add_or_open_file, open_directory, add_directory):
Call above, to prevent paths above cwd from being affected.
Patch by: Nils Durner <ndurner <at> web.de>
kfogel
]]]
Index: subversion/libsvn_wc/update_editor.c
===================================================================
--- subversion/libsvn_wc/update_editor.c (revision 26049)
+++ subversion/libsvn_wc/update_editor.c (working copy)
@@ -793,6 +793,46 @@
return SVN_NO_ERROR;
}
+
+/* Check that when ADD_PATH is joined to BASE_PATH, the resulting path
+ * is still under BASE_PATH in the local filesystem. If not, return
+ * SVN_ERR_WC_OBSTRUCTED_UPDATE; else return success.
+ *
+ * This is to prevent the situation where the repository contains,
+ * say, "..\nastyfile". Although that's perfectly legal on some
+ * systems, when checked out onto Win32 it would cause "nastyfile" to
+ * be created in the parent of the current edit directory.
+ *
+ * (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846)
+ */
+static svn_error_t *
+check_path_under_root(const char *base_path,
+ const char *add_path,
+ apr_pool_t *pool)
+{
+ char *newpath;
+ apr_status_t retval;
+
+ retval = apr_filepath_merge
+ (&newpath, base_path, add_path,
+ APR_FILEPATH_NOTABOVEROOT | APR_FILEPATH_SECUREROOTTEST,
+ pool);
+
+ if (retval != APR_SUCCESS)
+ {
+ return svn_error_createf
+ (SVN_ERR_WC_OBSTRUCTED_UPDATE, NULL,
+ _("Path '%s' is not in the working copy"),
+ /* Not using newpath here because it might be NULL or
+ undefined, since apr_filepath_merge() returned error.
+ (Pity we can't pass NULL for &newpath in the first place,
+ but the APR docs don't bless that.) */
+ svn_path_local_style(svn_path_join(base_path, add_path, pool), pool));
+ }
+
+ return SVN_NO_ERROR;
+}
+
/*** The callbacks we'll plug into an svn_delta_editor_t structure. ***/
@@ -1033,6 +1073,8 @@
apr_pool_t *pool)
{
struct dir_baton *pb = parent_baton;
+ SVN_ERR(check_path_under_root(pb->path, svn_path_basename(path, pool),
+ pool));
return do_entry_deletion(pb->edit_baton, pb->path, path, &pb->log_number,
pool);
}
@@ -1057,6 +1099,8 @@
|| ((! copyfrom_path) && (SVN_IS_VALID_REVNUM(copyfrom_revision))))
abort();
+ SVN_ERR(check_path_under_root(pb->path, db->name, pool));
+
/* There should be nothing with this name. */
SVN_ERR(svn_io_check_path(db->path, &kind, db->pool));
if (kind != svn_node_none)
@@ -1168,6 +1212,8 @@
struct dir_baton *db = make_dir_baton(path, eb, pb, FALSE, pool);
*child_baton = db;
+ SVN_ERR(check_path_under_root(pb->path, db->name, pool));
+
/* Mark directory as being at target_revision and URL, but incomplete. */
tmp_entry.revision = *(eb->target_revision);
tmp_entry.url = db->new_URL;
@@ -1451,6 +1497,8 @@
fb = make_file_baton(pb, path, adding, pool);
+ SVN_ERR(check_path_under_root(fb->dir_baton->path, fb->name, subpool));
+
/* It is interesting to note: everything below is just validation. We
aren't actually doing any "work" or fetching any persistent data. */
). -Karl, a moderator of this list
RSS Feed