subversion: Multiple vulnerabilities (CVE-2018-11782, CVE-2019-0203)
CVE-2018-11782: remotely triggerable DoS vulnerability in svnserve 'get-deleted-rev'
Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.
Subversion svn:// connections, including svn+ssh:// and svn+://, use a custom network protocol [1] with Lisp-like syntax. The code implementing the protocol has dedicated codepaths for serialization of revision numbers into protocol integers. A particular client query could cause the server to attempt to reply with a revision number whose value is the invalid revision number constant SVN_INVALID_REVNUM, thereby triggering an assertion failure in the serialization layer.
Fixed In Version:
subversion 1.12.2, subversion 1.10.6, subversion 1.9.12
Reference:
https://subversion.apache.org/security/CVE-2018-11782-advisory.txt
CVE-2019-0203: remote unauthenticated denial-of-service in subversion svnserve
Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server. A null-pointer-dereference in svnserve results in a remote unauthenticated Denial-of-Service in some server configurations. The vulnerability can be triggered by an unauthenticated user if the server is configured with anonymous access enabled.
The problem originates in opening a new connection to svnserve. On failure to find the specified repository or to be authorized to access it, svnserve logs and reports the error, but also keeps the connection open despite its incomplete initialization. If the client sends any further command on the same connection, then a null-pointer dereference occurs in svnserve.
Exploitation results in denial of service by crashing an svnserve process. The impact of this differs depending on how svnserve is launched, including the different run modes selected by options such as "svnserve -d", "svnserve -T -d", "svnserve -t", and "svnserve -i".
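The failure mode described above, modelled in C as an added example; this is not Subversion's code and not the project's actual fix. All type and function names (conn_t, conn_open, handle_latest_rev, and so on) and the sample repository are hypothetical. It shows a command handler that trusts a half-initialised connection beside one that checks connection state first.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a per-connection server context; these names are
   illustrative and are not Subversion's own types. */
typedef struct { long youngest_rev; } repo_t;
typedef enum { CONN_NEW, CONN_READY, CONN_CLOSED } conn_state_t;
typedef struct { conn_state_t state; repo_t *repo; } conn_t;

enum { CMD_OK = 0, CMD_ERR_CLOSED = -1, CMD_ERR_NO_REPO = -2 };

static repo_t sample_repo = { 42 };  /* constructed sample data */

/* Look up the repository named when the connection is opened. */
static repo_t *find_repo(const char *name) {
    return (name && strcmp(name, "project") == 0) ? &sample_repo : NULL;
}

/* Open: on failure, report the error AND mark the connection closed, so
   the command loop cannot run against a half-initialised context. */
int conn_open(conn_t *c, const char *repo_name) {
    c->repo = find_repo(repo_name);
    if (c->repo == NULL) {
        c->state = CONN_CLOSED;      /* the step the flawed flow skips */
        return CMD_ERR_NO_REPO;
    }
    c->state = CONN_READY;
    return CMD_OK;
}

/* Unsafe pattern, shown for contrast only: assumes open succeeded. */
int handle_latest_rev_unchecked(conn_t *c, long *out) {
    *out = c->repo->youngest_rev;    /* NULL dereference if open failed */
    return CMD_OK;
}

/* Hardened handler: validates connection state before touching c->repo. */
int handle_latest_rev(conn_t *c, long *out) {
    if (c->state != CONN_READY || c->repo == NULL)
        return CMD_ERR_CLOSED;
    *out = c->repo->youngest_rev;
    return CMD_OK;
}
```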
Fixed In Version:
subversion 1.12.2, subversion 1.10.6, subversion 1.9.12
Reference:
https://subversion.apache.org/security/CVE-2019-0203-advisory.txt