内容安全 
大数据安全 
网络安全 
更多产品 
Apache Subversion mod_dav_svn服务器新修订本svn:author属性值
发表日期:2015-04-02 10:25:38
Apache Subversion mod_dav_svn服务器新修订本svn:author属性值欺骗漏洞(CVE-2015-0251)
CVE-ID:CVE-2015-0251
发布日期:2015-04-01
更新日期:2015-04-01
受影响系统:
Apache Group Subversion HTTPD servers 1.8.0 - 1.8.11
Apache Group Subversion HTTPD servers 1.5.0 - 1.7.19
详细信息:
Subversion是一款开源多用户版本控制系统,支持非ASCII文本和二进制数据。
Subversion mod_dav_svn服务器在提交新修订本时允许任意设置svn:author属性值。这可使攻击者使用精心构造的v1请求序列,欺骗服务器使用客户端提交的任意svn:author值,从而影响依赖这些值的环境内的数据完整性。
来源:
Ivan Zhakov
参考信息:
http://subversion.apache.org/security/CVE-2015-0251-advisory.txt
解决办法:
厂商补丁:
Apache Group
------------
Apache Group已经为此发布了一个安全公告(CVE-2015-0251-advisory)以及相应补丁:
CVE-2015-0251-advisory:Subversion HTTP servers allow spoofing svn:author property values for new revisions.
链接:http://subversion.apache.org/security/CVE-2015-0251-advisory.txt
补丁下载:
1.7.19的补丁:
[[[
Index: subversion/mod_dav_svn/deadprops.c
===================================================================
--- subversion/mod_dav_svn/deadprops.c (revision 1660122)
+++ subversion/mod_dav_svn/deadprops.c (working copy)
@@ -160,6 +160,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
}
+static svn_error_t *
+change_txn_prop(svn_fs_txn_t *txn,
+ const char *propname,
+ const svn_string_t *value,
+ apr_pool_t *scratch_pool)
+{
+ if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
+ return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
+ "Attempted to modify \'svn:author\' property "
+ "on a transaction");
+
+ SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
+
+ return SVN_NO_ERROR;
+}
+
+
static dav_error *
save_value(dav_db *db, const dav_prop_name *name,
const svn_string_t *const *old_value_p,
@@ -210,9 +227,8 @@ save_value(dav_db *db, const dav_prop_name *name,
{
if (db->resource->working)
{
- serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value,
- subpool);
+ serr = change_txn_prop(resource->info->root.txn, propname,
+ value, subpool);
}
else
{
@@ -251,8 +267,8 @@ save_value(dav_db *db, const dav_prop_name *name,
}
else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
{
- serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value, subpool);
+ serr = change_txn_prop(resource->info->root.txn, propname,
+ value, subpool);
}
else
{
@@ -561,8 +577,8 @@ db_remove(dav_db *db, const dav_prop_name *name)
/* Working Baseline or Working (Version) Resource */
if (db->resource->baselined)
if (db->resource->working)
- serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
- propname, NULL, subpool);
+ serr = change_txn_prop(db->resource->info->root.txn, propname,
+ NULL, subpool);
else
/* ### VIOLATING deltaV: you can\'t proppatch a baseline, it\'s
not a working resource! But this is how we currently
]]]
1.8.11的补丁:
[[[
Index: subversion/mod_dav_svn/deadprops.c
===================================================================
--- subversion/mod_dav_svn/deadprops.c (revision 1660122)
+++ subversion/mod_dav_svn/deadprops.c (working copy)
@@ -163,6 +163,23 @@ get_value(dav_db *db, const dav_prop_name *name, s
}
+static svn_error_t *
+change_txn_prop(svn_fs_txn_t *txn,
+ const char *propname,
+ const svn_string_t *value,
+ apr_pool_t *scratch_pool)
+{
+ if (strcmp(propname, SVN_PROP_REVISION_AUTHOR) == 0)
+ return svn_error_create(SVN_ERR_RA_DAV_REQUEST_FAILED, NULL,
+ "Attempted to modify \'svn:author\' property "
+ "on a transaction");
+
+ SVN_ERR(svn_repos_fs_change_txn_prop(txn, propname, value, scratch_pool));
+
+ return SVN_NO_ERROR;
+}
+
+
static dav_error *
save_value(dav_db *db, const dav_prop_name *name,
const svn_string_t *const *old_value_p,
@@ -213,9 +230,8 @@ save_value(dav_db *db, const dav_prop_name *name,
{
if (resource->working)
{
- serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value,
- subpool);
+ serr = change_txn_prop(resource->info->root.txn, propname,
+ value, subpool);
}
else
{
@@ -254,8 +270,8 @@ save_value(dav_db *db, const dav_prop_name *name,
}
else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
{
- serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
- propname, value, subpool);
+ serr = change_txn_prop(resource->info->root.txn, propname,
+ value, subpool);
}
else
{
@@ -560,8 +576,8 @@ db_remove(dav_db *db, const dav_prop_name *name)
/* Working Baseline or Working (Version) Resource */
if (db->resource->baselined)
if (db->resource->working)
- serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
- propname, NULL, subpool);
+ serr = change_txn_prop(db->resource->info->root.txn, propname,
+ NULL, subpool);
else
/* ### VIOLATING deltaV: you can\'t proppatch a baseline, it\'s
not a working resource! But this is how we currently
]]]
