[CVE-2018-11803] Apache Subversion Denial of Service Vulnerability

[Troy Curtis]

This is a security notification for Apache Subversion HTTP Servers:

CVE-2018-11803
Severity: Medium
Affected Versions: Apache Subversion 1.11.0, 1.10.0 to 1.10.3

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 
to 1.10.3 will crash after dereferencing an uninitialized pointer if the 
client omits the root path in a recursive directory listing operation. 
This issue can be triggered by any client on Subversion repositories 
configured for anonymous read access. If read access requires 
authentication, a denial of service attack can only be performed by an 
authenticated user.


The Subversion releases 1.10.4 and 1.11.1 contain the fixes for this 
vulnerability and are available immediately at:


https://dist.apache.org/repos/dist/release/subversion/?p=32084

Additional details, including patches for 1.10.3 and 1.11.0 can be found at:

https://subversion.apache.org/security/CVE-2018-11803-advisory.txt

We encourage users of Subversion to upgrade to the latest appropriate 
version as soon as reasonable.


Thanks,
- The Subversion Team

Re: mailer.py commit says TypeError: must be unicode, not str

[Troy Curtis Jr]

On Thu, Feb 1, 2018, 12:34 PM Kenneth Porter  wrote:

> [moving discussion to dev list as I think this is now the correct fix.]
>
> --On Wednesday, January 31, 2018 7:40 PM -0800 Kenneth Porter
>  wrote:
>
> > --On Wednesday, January 31, 2018 7:23 PM -0800 Kenneth Porter
> >  wrote:
> >
> >> fp = builtins.open(file, 'w+') # avoid namespace clash with
> >># trimmed-down svn_fs_open()
> >
> > I'm now thinking the problem is in the open call, and that I'm somehow
> > getting a Python 3 open function even though I've got Python 2.7
> > installed. Should the mode be 'wb' instead of 'w+'? That would insure
> > that the raw data from the Subversion object is getting dumped into the
> > temporary fle without interpretation. I don't understand why update
> > (denoted by the plus) is wanted. The temp file isn't being read from.
>
>
>
That seems strange, for py3 sure, but certainly odd on py2. Perhaps your
locale is set to utf8? I'll have to research to see if that even makes
sense.

Proposed edit to fs.py: Change 'w+' to 'wb' when copying svn stream object
> to temporary file. Update isn't needed, and the code just needs to dump the
> raw data into a file for the external diff to access, so no
> encoding/decoding should occur. Hence we should open the file in binary
> mode. I just tested this edit and it seems to cure the problem.
>
> It looks like this line is the same since it was originally added in
> r843330 and hasn't changed in Troy's swig-py3 branch.
>

I've been leaning heavily on the test coverage for validating my py3
updates. At first glance it looks like this FileDiff isn't referenced in
any existing test. I'll add a test and confirm the behavior, and then test
with your fix, unless you'd like to do so.

Troy


> >From my initial report in the users list:
>
> 
> 
>
> I'm using mailer.py in my post-commit hook and it's throwing a Unicode type
> error during the diff phase. Digging through the source code, I figured out
> that it's happening during the creation of the two temporary files for
> diff'ing. Somehow the output file is getting opened in Unicode text mode
> but the input source (the Subversion object stream) is a raw byte stream.
> The write call fails.
>
> OS: CentOS 7.4
> subversion-python-1.7.14-11.el7_4.x86_64
> python-2.7.5-58.el7.x86_64
>
>
>

Re: mailer.py commit says TypeError: must be unicode, not str

[Troy Curtis Jr]

Proposed edit to fs.py: Change 'w+' to 'wb' when copying svn stream object
>> to temporary file. Update isn't needed, and the code just needs to dump
>> the
>> raw data into a file for the external diff to access, so no
>> encoding/decoding should occur. Hence we should open the file in binary
>> mode. I just tested this edit and it seems to cure the problem.
>>
>> It looks like this line is the same since it was originally added in
>> r843330 and hasn't changed in Troy's swig-py3 branch.
>>
>
> I've been leaning heavily on the test coverage for validating my py3
> updates. At first glance it looks like this FileDiff isn't referenced in
> any existing test. I'll add a test and confirm the behavior, and then test
> with your fix, unless you'd like to do so.
>
>
Kenneth, I'm having trouble reproducing your issue.  Any other hints at
what might causing the trouble in your environment that you can think of?
I've tried changing my locale, changing the files diffed to being utf8, all
with no luck.  Regardless your suggested change needs to be done on my
swig-py3 branch, since it for sure needs it for Python 3, but I'd really
like to understand what is going on here to make sure the issue is well and
truly resolved.

Troy


>> >From my initial report in the users list:
>>
>> 
>> 
>>
>> I'm using mailer.py in my post-commit hook and it's throwing a Unicode
>> type
>> error during the diff phase. Digging through the source code, I figured
>> out
>> that it's happening during the creation of the two temporary files for
>> diff'ing. Somehow the output file is getting opened in Unicode text mode
>> but the input source (the Subversion object stream) is a raw byte stream.
>> The write call fails.
>>
>> OS: CentOS 7.4
>> subversion-python-1.7.14-11.el7_4.x86_64
>> python-2.7.5-58.el7.x86_64
>>
>>
>>