Remote unauthenticated denial-of-service in Subversion svnserve.

Summary:
========

  Subversion's svnserve server process may exit when a client sends certain
  sequences of protocol commands. This can lead to disruption for users of
  the server.

Known vulnerable:
=================

  Subversion svnserve servers through 1.9.10 (inclusive).
  Subversion svnserve servers 1.10.0 through 1.10.4 (inclusive).
  Subversion svnserve servers 1.11.0 through 1.11.1 (inclusive).
  Subversion svnserve servers 1.12.0 through 1.12.0 (inclusive).

  mod_dav_svn (any version) is not affected.

Known fixed:
============

  Subversion svnserve servers 1.9.11
  Subversion svnserve servers 1.10.5
  Subversion svnserve servers 1.12.1

  (Subversion 1.11.x is not a supported release line.)

Details:
========

  A null-pointer-dereference has been found in svnserve that results in a
  remote unauthenticated Denial-of-Service in some server configurations.
  The vulnerability can be triggered by an unauthenticated user if the
  server is configured with anonymous access enabled.

  The problem originates in opening a new connection to svnserve. On failure
  to find the specified repository or to be authorized to access it,
  svnserve logs and reports the error, but also keeps the connection open
  despite its incomplete initialization. If the client sends any further
  command on the same connection, then a null-pointer-dereference occurs in
  svnserve.

Severity:
=========

  CVSSv3 Base Score: 7.5 (High)
  CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  Exploitation results in denial of service by crashing an svnserve process.
  The impact of this differs depending on how svnserve is launched,
  including the different run modes selected by options such as
  "svnserve -d", "svnserve -T -d", "svnserve -t", and "svnserve -i".

Recommendations:
================

  We recommend all users to upgrade to a known fixed release of the
  Subversion svnserve server.

  Users who are unable to upgrade may apply the included patches.
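
  The failure mode described under "Details", reduced to a toy model. This is
  an added example, not svnserve code: conn_t, open_connection(),
  handle_command(), run_session() and the path "/repo" are hypothetical, and
  the crash is modelled as a return code so the program keeps running.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for per-connection server state. */
typedef struct { const char *uuid; } repo_t;
typedef struct { repo_t *repository; int open; } conn_t;

enum { CMD_OK = 0, CMD_REFUSED = 1, CMD_NULL_DEREF = 2 };

static repo_t known_repo = { "constructed-uuid" };   /* constructed sample */

/* Connection setup: look up the repository named by the client.
   close_on_failure = 0 models the pre-fix flow (error reported, connection
   left open); 1 models the fixed flow (error reported, connection closed). */
int open_connection(conn_t *c, const char *path, int close_on_failure)
{
    c->repository = strcmp(path, "/repo") == 0 ? &known_repo : NULL;
    c->open = (c->repository != NULL) || !close_on_failure;
    return c->repository ? 0 : -1;        /* -1: setup failed */
}

/* A later command on the same connection needs the repository. */
int handle_command(const conn_t *c)
{
    if (!c->open)
        return CMD_REFUSED;               /* connection already closed */
    if (c->repository == NULL)
        return CMD_NULL_DEREF;            /* real code would dereference NULL */
    return c->repository->uuid[0] ? CMD_OK : CMD_REFUSED;
}

/* Setup followed by one further command; returns the command's outcome. */
int run_session(const char *path, int close_on_failure)
{
    conn_t c;
    open_connection(&c, path, close_on_failure);
    return handle_command(&c);
}

int main(void)
{
    printf("pre-fix, bad path:  %d\n", run_session("/missing", 0));
    printf("fixed,   bad path:  %d\n", run_session("/missing", 1));
    printf("fixed,   good path: %d\n", run_session("/repo", 1));
    return 0;
}
```
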
References:
===========

  CVE-2019-0203 (Subversion)

Reported by:
============

  Tomas Bortoli

Patches:
========

  Patch for Subversion 1.12, 1.10, 1.9:

[[[ Index: subversion/svnserve/serve.c =================================================================== --- subversion/svnserve/serve.c +++ subversion/svnserve/serve.c @@ -4125,7 +4125,7 @@ construct_server_baton serve_params_t *params, apr_pool_t *scratch_pool) { - svn_error_t *err, *io_err; + svn_error_t *err; apr_uint64_t ver; const char *client_url, *ra_client_string, *client_string; svn_ra_svn__list_t *caplist; @@ -4267,11 +4267,12 @@ } if (err) { - log_error(err, b); - io_err = svn_ra_svn__write_cmd_failure(conn, scratch_pool, err); - svn_error_clear(err); - SVN_ERR(io_err); - return svn_ra_svn__flush(conn, scratch_pool); + /* Report these errors to the client before closing the connection. */ + err = svn_error_compose_create(err, + svn_ra_svn__write_cmd_failure(conn, scratch_pool, err)); + err = svn_error_compose_create(err, + svn_ra_svn__flush(conn, scratch_pool)); + return err; } SVN_ERR(svn_fs_get_uuid(b->repository->fs, &b->repository->uuid, ]]]
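
Review bot: In the second hunk (@@ -4267,11 +4267,12 @@), the rewritten "if (err)" block no longer calls log_error(err, b), so whether a failed connection attempt still reaches the server log now depends on how the caller handles the returned error, which these lines do not show. Either keep the log_error(err, b) call ahead of the svn_error_compose_create() calls, or extend the new comment to say where the returned error is logged and that returning it (instead of the previous flush-and-continue path) is what closes the connection.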