On 2022-09-18 21:07:16 -0400, James McCoy wrote:
> Control: severity -1 normal
> Control: tag -1 - security
>
> On Mon, Sep 19, 2022 at 02:53:24AM +0200, Vincent Lefevre wrote:
> > Yes. What happens is that svn retrieves the current property value
> > from the server, puts it in a file "/tmp/svn-prop.tmp" and runs an
> > editor on this file. The user modifies this file and quits the
> > editor. Then svn normally updates this property on the server
> > (from the modified svn-prop.tmp) and removes this temporary file.
> > The issue is that svn removes this file even when the update fails.
>
> Ok. I don't see this as either "critical" or a security issue. "Data
> loss" implies the actual versioned data is corrupted/lost.

I disagree. New data are also valuable data. And contrary to versioned
data, there is no way to retrieve them from a backup.

Perhaps not a security issue because any temporary network failure
can affect svn. But note that the most common case is a remote attack
(at least with Debian's default sshd configuration). On my server,
I can see that since September 11, a "beginning MaxStartups throttling"
occurred 3 times (each case apparently due to an attack from a single
IP, according to the logs).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
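
The failure mode in the quoted report (the edited temporary file is deleted even when the update fails) goes away if the file is removed only after the server has accepted the new value. The wrapper below is an added example, not part of this thread or of Subversion; `propedit_keep`, `PROPEDIT_FILE` and the `SVN` override variable are assumed names.

```shell
#!/bin/sh
# Added example (not svn's code): edit a property via a private temp file and
# delete that file only after the server has accepted the new value.
# Assumed names: propedit_keep, PROPEDIT_FILE, and the SVN override variable.

SVN=${SVN:-svn}

# Usage: propedit_keep PROPNAME TARGET [svn options, e.g. --revprop -r 123]
# Returns 0 on success; on failure returns non-zero and leaves the edited
# text in the file named by $PROPEDIT_FILE.
propedit_keep() {
    prop=$1
    target=$2
    shift 2
    status=0

    # mktemp gives a mode-0600 file with an unpredictable name.
    PROPEDIT_FILE=$(mktemp "${TMPDIR:-/tmp}/svn-prop.XXXXXX") || return 1

    # Fetch the current value (--strict: no added trailing newline). Nothing
    # of the user's is in the file yet, so removing it on failure loses no work.
    if ! "$SVN" propget --strict "$prop" "$target" "$@" > "$PROPEDIT_FILE"; then
        rm -f "$PROPEDIT_FILE"
        return 1
    fi

    # From here on the file may hold unsaved user input.
    ${EDITOR:-vi} "$PROPEDIT_FILE" || status=$?

    if [ "$status" -eq 0 ]; then
        "$SVN" propset "$prop" -F "$PROPEDIT_FILE" "$target" "$@" || status=$?
    fi

    if [ "$status" -eq 0 ]; then
        rm -f "$PROPEDIT_FILE"      # server has the data; safe to delete
    else
        echo "update failed; your text is kept in $PROPEDIT_FILE" >&2
    fi
    return "$status"
}
```

After a failed update, the text can be resubmitted with `svn propset PROPNAME -F "$PROPEDIT_FILE" TARGET` once the server is reachable again.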