mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits.

Summary:
========

When autoversioning is enabled (SVNAutoversioning on), commits can be made
by single HTTP requests such as MKCOL and PUT. If Subversion is built with
assertions enabled, any such request that has a non-canonical URL, such as a
URL with a trailing /, may trigger an assert. An assert will cause the
Apache process to abort.

Known vulnerable:
=================

mod_dav_svn 1.7.11 through 1.7.13
mod_dav_svn 1.8.1 through 1.8.4

Known fixed:
============

mod_dav_svn 1.7.14
mod_dav_svn 1.8.5

Details:
========

Given a repository located at http://example.com/repos the assert can be
triggered by commands like:

  curl -X PUT http://example.com/repos/A/
  curl -X MKCOL http://example.com/repos/A/../B

The assert happens after the commit has happened in the repository and
will not occur if the commit is rejected.

Severity:
=========

CVSSv2 Base Score: 3.5
CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

We consider this to be a low risk vulnerability.

The attacker needs to have commit access to the repository to exploit the
vulnerability. Most Subversion servers do not have autoversioning enabled.

In order for there to be any impact, assertions must have been enabled when
mod_dav_svn was built; if assertions are disabled there is no impact. They
are enabled by default on *nix and disabled on Windows.

The assertion will cause the http server process to abort. Apache httpd
servers using a prefork MPM will simply start a new process to replace the
process that died. Servers using threaded MPMs may be processing other
requests in the same process as the one that the attack causes to die. In
either case there is an increased processing impact from restarting a
process and the cost of per-process caches being lost.

Recommendations:
================

We recommend all users upgrade mod_dav_svn to Subversion 1.8.5 or 1.7.14
or newer.
Disabling SVNAutoversioning will avoid the problem.

Building Subversion with assertions disabled will avoid the problem. This
can be done using the --disable-debug option to configure on *nix and by
using a Release build profile on Windows.

References:
===========

CVE-2013-4558 (Subversion)

Reported by:
============

Philip Martin, WANdisco

Patches:
========

Patch for Subversion 1.7.x and 1.8.x:

[[[
Index: subversion/mod_dav_svn/repos.c
===================================================================
--- subversion/mod_dav_svn/repos.c (revision 1539596)
+++ subversion/mod_dav_svn/repos.c (working copy)
@@ -2456,9 +2456,12 @@ get_parent_resource(const dav_resource *resource,
   parent->info = parentinfo;
 
   parentinfo->uri_path =
-    svn_stringbuf_create(get_parent_path(resource->info->uri_path->data,
-                                         TRUE, resource->pool),
-                         resource->pool);
+    svn_stringbuf_create(
+      get_parent_path(
+        svn_urlpath__canonicalize(resource->info->uri_path->data,
+                                  resource->pool),
+        TRUE, resource->pool),
+      resource->pool);
   parentinfo->repos = resource->info->repos;
   parentinfo->root = resource->info->root;
   parentinfo->r = resource->info->r;
]]]
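Review bot: the canonicalization is applied only to the argument passed to get_parent_path, so resource->info->uri_path itself keeps its non-canonical value (trailing '/' or '..' segments, per the advisory) for any later code that reads it; consider canonicalizing uri_path once where it is first stored, or add a comment here stating why the original value must be preserved. A one-line comment naming the trailing-'/' and '..' cases would also tell the next reader why the extra svn_urlpath__canonicalize call is needed.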
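The Details section shows the two shapes of non-canonical URL (a trailing / and a /../ segment) and the patch answers them by canonicalizing the path before deriving its parent. The following C program is an added illustration of why that ordering matters; it is not Subversion's code, and its canonicalize_urlpath is a simplified stand-in for svn_urlpath__canonicalize (collapsing repeated slashes, dropping "." segments, resolving ".." and removing a trailing slash are choices made here, not a description of Subversion's algorithm). naive_parent_path mimics a parent computation that cuts at the last '/': on a canonical path it is right, on "/repos/A/" it returns the path itself, which is the kind of self-inconsistent state an assertion is there to catch.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Simplified URL-path canonicalizer written for this example (not
 * svn_urlpath__canonicalize). Collapses runs of '/', drops "." segments,
 * resolves ".." against the preceding segment and strips a trailing '/'
 * (the root stays "/"). Returns 0 on success, -1 if out is too small. */
int canonicalize_urlpath(const char *in, char *out, size_t outlen)
{
    size_t olen = 0;
    const char *p = in;

    if (outlen < 2)
        return -1;
    out[0] = '\0';

    while (*p) {
        const char *seg;
        size_t seglen;

        while (*p == '/')              /* skip one or more separators */
            p++;
        if (!*p)
            break;
        seg = p;
        while (*p && *p != '/')
            p++;
        seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;                  /* "." adds nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* ".." removes the previous segment, if there is one */
            while (olen > 0 && out[olen - 1] != '/')
                olen--;
            if (olen > 0)
                olen--;                /* and the '/' that preceded it */
            out[olen] = '\0';
            continue;
        }
        if (olen + 1 + seglen + 1 > outlen)
            return -1;
        out[olen++] = '/';
        memcpy(out + olen, seg, seglen);
        olen += seglen;
        out[olen] = '\0';
    }
    if (olen == 0) {                   /* everything collapsed away: root */
        out[0] = '/';
        out[1] = '\0';
    }
    return 0;
}

/* Parent path computed the naive way: cut at the last '/'. Correct on a
 * canonical path, wrong on one with a trailing '/', where it returns the
 * input itself. Returns 0 on success, -1 if out is too small. */
int naive_parent_path(const char *path, char *out, size_t outlen)
{
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;

    if (outlen < 2 || n + 1 > outlen)
        return -1;
    memcpy(out, path, n);
    out[n] = '\0';
    if (n == 0) {                      /* parent of a top-level entry is "/" */
        out[0] = '/';
        out[1] = '\0';
    }
    return 0;
}

/* 1 if canonicalizing the path leaves it unchanged. */
int is_canonical_urlpath(const char *path)
{
    char buf[256];
    return canonicalize_urlpath(path, buf, sizeof buf) == 0
        && strcmp(buf, path) == 0;
}

/* Helpers returning 1 when the computed string equals expected. */
int canonicalizes_to(const char *in, const char *expected)
{
    char buf[256];
    return canonicalize_urlpath(in, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

int naive_parent_is(const char *in, const char *expected)
{
    char buf[256];
    return naive_parent_path(in, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs mirroring the two curl requests in the advisory. */
    const char *paths[] = { "/repos/A/", "/repos/A/../B", "/repos/A" };
    size_t i;
    for (i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char canon[256], parent[256];
        canonicalize_urlpath(paths[i], canon, sizeof canon);
        naive_parent_path(canon, parent, sizeof parent);
        printf("%-16s canonical=%d -> %s, parent %s\n", paths[i],
               is_canonical_urlpath(paths[i]), canon, parent);
    }
    return 0;
}
```

Checking is_canonical_urlpath on the request path before any repository work is done is the defensive counterpart of the patch: a request rejected for a non-canonical path never reaches the post-commit code where the advisory says the assertion fires.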