On Mon, Oct 22, 2012 at 08:58:49AM -0400, Parrish Knight wrote:
> The reported problem is with earlier versions of Subversion, but our
> security officer reports that the problem persists even after an
> upgrade.
>
> "Multiple integer overflows in the libsvn_delta library in Subversion
> before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users
> and remote Subversion servers to execute arbitrary code via an svndiff
> stream with large windows that trigger a heap-based buffer overflow, a
> related issue to CVE-2009-2412."
>
> http://www.orvant.com/vuln/detail/181334/CVE-2009-2411

If he can reproduce this problem even with patches applied, please ask him to report this as a new security issue with a reproduction recipe included. Please see http://subversion.apache.org/docs/community-guide/issues.html#security for details on reporting security issues.

That said, at the time I personally (as did several other developers) reviewed and tested the fix for this issue, and could *not* trigger the problem with the patches applied.

Are you sure the Subversion upgrade was done properly? Maybe the server is still using a vulnerable version of libsvn_delta by accident?

How are you testing for this vulnerability? As far as I know an exploit was circulated privately among developers for testing purposes but was never made public. Did you write a new exploit or do you happen to have a repository data set that triggers the problem reliably?

Please do not post reproduction recipes for security issues to this list -- it is publicly archived. Instead, feel free to continue this conversation via channels documented at http://subversion.apache.org/docs/community-guide/issues.html#security if you have some sort of sensitive data to share with us.

Thanks.
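
One way to check the two upgrade questions raised in the reply above (is the installed version inside the advisory's affected ranges, and does every server binary resolve the same libsvn_delta copy). This is an added example, not part of the original message or of Subversion's own code; the function names, sample `ldd` output and file paths are constructed for illustration.

```shell
#!/bin/sh
# Ranges taken from the advisory text quoted in the thread:
# "before 1.5.7, and 1.6.x before 1.6.4".
# Returns 0 = in an affected range, 1 = not affected, 2 = not a plain X.Y.Z string.
svn_delta_affected() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 2 ;;
        *.*.*) ;;
        *) return 2 ;;
    esac
    maj=${1%%.*}; rest=${1#*.}
    min=${rest%%.*}; pat=${rest#*.}; pat=${pat%%.*}
    if   [ "$maj" -lt 1 ]; then return 0
    elif [ "$maj" -gt 1 ]; then return 1
    elif [ "$min" -lt 5 ]; then return 0
    elif [ "$min" -eq 5 ]; then [ "$pat" -lt 7 ]
    elif [ "$min" -eq 6 ]; then [ "$pat" -lt 4 ]
    else return 1
    fi
}

# Read ldd-style output on stdin and print each distinct path that a
# libsvn_delta dependency resolves to. More than one path means different
# binaries load different copies, so an old library may still be in use.
delta_libs_in_ldd() {
    awk '$1 ~ /^libsvn_delta/ && $2 == "=>" { print $3 }' | sort -u
}

# Constructed sample: ldd output for two server-side binaries (paths are made up).
SAMPLE_LDD='/usr/local/bin/svnserve:
    libsvn_delta-1.so.0 => /usr/local/lib/libsvn_delta-1.so.0 (0x00007f0000000000)
    libsvn_subr-1.so.0 => /usr/local/lib/libsvn_subr-1.so.0 (0x00007f0000100000)
/usr/lib/apache2/modules/mod_dav_svn.so:
    libsvn_delta-1.so.0 => /usr/lib/libsvn_delta-1.so.0 (0x00007f0000200000)'

for v in 1.5.6 1.6.3 1.6.4; do
    if svn_delta_affected "$v"; then
        echo "$v: inside an affected range"
    else
        echo "$v: outside the affected ranges"
    fi
done
echo "libsvn_delta copies resolved by the sample binaries:"
printf '%s\n' "$SAMPLE_LDD" | delta_libs_in_ldd
```

On a real host, replace the sample with the output of `ldd` run against the server binaries actually in use and pass the version reported by `svn --version --quiet` to `svn_delta_affected`.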