安全研究

安全漏洞
Apache Subversion mod_dav_svn服务器新修订本svn:author属性值欺骗漏洞(CVE-2015-0251)

发布日期:2015-04-01
更新日期:2015-04-01

受影响系统:
Apache Group Subversion HTTPD servers 1.8.0 - 1.8.11
Apache Group Subversion HTTPD servers 1.5.0 - 1.7.19
描述:
CVE(CAN) ID: CVE-2015-0251

Subversion是一款开源多用户版本控制系统,支持非ASCII文本和二进制数据。

Subversion mod_dav_svn服务器在提交新修订本时允许任意设置svn:author属性值。这可使攻击者使用精心构造的v1请求序列,欺骗服务器使用客户端提交的任意svn:author值,从而影响依赖这些值的环境内的数据完整性。

<*来源:Ivan Zhakov
  
  链接:http://subversion.apache.org/security/CVE-2015-0251-advisory.txt
*>

建议:
厂商补丁:

Apache Group
------------
Apache Group已经为此发布了一个安全公告(CVE-2015-0251-advisory)以及相应补丁:
CVE-2015-0251-advisory:Subversion HTTP servers allow spoofing svn:author property values   for new revisions.
链接:http://subversion.apache.org/security/CVE-2015-0251-advisory.txt

补丁下载:
1.7.19的补丁:
[[[
Index: subversion/mod_dav_svn/deadprops.c
===================================================================
--- subversion/mod_dav_svn/deadprops.c    (revision 1660122)
+++ subversion/mod_dav_svn/deadprops.c    (working copy)
@@ -160,6 +160,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
}


+static svn_error_t *
+change_txn_prop(svn_fs_txn_t *txn,
+                const char *propname,
+                const svn_string_t *value,
+                apr_pool_t *scratch_pool)
+{
+  if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
+    return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
+                            "Attempted to modify 'svn:author' property "
+                            "on a transaction");
+
+  SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
+
+  return SVN_NO_ERROR;
+}
+
+
static dav_error *
save_value(dav_db *db, const dav_prop_name *name,
            const svn_string_t *const *old_value_p,
@@ -210,9 +227,8 @@ save_value(dav_db *db, const dav_prop_name *name,
     {
       if (db->resource->working)
         {
-          serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
-                                              propname, value,
-                                              subpool);
+          serr = change_txn_prop(resource->info->root.txn, propname,
+                                 value, subpool);
         }
       else
         {
@@ -251,8 +267,8 @@ save_value(dav_db *db, const dav_prop_name *name,
     }
   else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
     {
-      serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
-                                          propname, value, subpool);
+      serr = change_txn_prop(resource->info->root.txn, propname,
+                             value, subpool);
     }
   else
     {
@@ -561,8 +577,8 @@ db_remove(dav_db *db, const dav_prop_name *name)
   /* Working Baseline or Working (Version) Resource */
   if (db->resource->baselined)
     if (db->resource->working)
-      serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
-                                          propname, NULL, subpool);
+      serr = change_txn_prop(db->resource->info->root.txn, propname,
+                             NULL, subpool);
     else
       /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
          not a working resource!  But this is how we currently
]]]

1.8.11的补丁:
[[[
Index: subversion/mod_dav_svn/deadprops.c
===================================================================
--- subversion/mod_dav_svn/deadprops.c    (revision 1660122)
+++ subversion/mod_dav_svn/deadprops.c    (working copy)
@@ -163,6 +163,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
}


+static svn_error_t *
+change_txn_prop(svn_fs_txn_t *txn,
+                const char *propname,
+                const svn_string_t *value,
+                apr_pool_t *scratch_pool)
+{
+  if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
+    return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
+                            "Attempted to modify 'svn:author' property "
+                            "on a transaction");
+
+  SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
+
+  return SVN_NO_ERROR;
+}
+
+
static dav_error *
save_value(dav_db *db, const dav_prop_name *name,
            const svn_string_t *const *old_value_p,
@@ -213,9 +230,8 @@ save_value(dav_db *db, const dav_prop_name *name,
     {
       if (resource->working)
         {
-          serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
-                                              propname, value,
-                                              subpool);
+          serr = change_txn_prop(resource->info->root.txn, propname,
+                                 value, subpool);
         }
       else
         {
@@ -254,8 +270,8 @@ save_value(dav_db *db, const dav_prop_name *name,
     }
   else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
     {
-      serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
-                                          propname, value, subpool);
+      serr = change_txn_prop(resource->info->root.txn, propname,
+                             value, subpool);
     }
   else
     {
@@ -560,8 +576,8 @@ db_remove(dav_db *db, const dav_prop_name *name)
   /* Working Baseline or Working (Version) Resource */
   if (db->resource->baselined)
     if (db->resource->working)
-      serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
-                                          propname, NULL, subpool);
+      serr = change_txn_prop(db->resource->info->root.txn, propname,
+                             NULL, subpool);
     else
       /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
          not a working resource!  But this is how we currently
]]]

浏览次数:2089
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障