Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
subversion
subversion-CVE-2022-24070.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File subversion-CVE-2022-24070.patch of Package subversion
@@ -, +, @@ Subversion's mod_dav_svn is vulnerable to memory corruption While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. Subversion httpd servers 1.14.2. Subversion httpd servers 1.10.8. Server modules for Apache HTTP server (httpd), such as mod_dav_svn, implement several hooks that httpd calls at various times. One of these, post_config, may be called more than once during module initialization. The number of calls and the purpose of each call depend on whether the module is loaded at httpd startup or during a later reload of httpd's configuration. When httpd loads a module at startup, it performs a configuration check at which time it calls the module's post_config hook for validation purposes. Later, httpd calls the hook again; this is the "real" initialization call. In contrast, when httpd loads a module at a later stage, due to reloading its own configuration, it calls the post_config hook only once. In vulnerable versions of Subversion, the post_config hook implementation does not take these semantics into account. As a result, it always treats the first call as the "real" call and performs initialization, including caching of pointers which are used later. When the call is in fact for validation only, those pointers subsequently become invalid when the memory allocation pools into which they point are cleared. Subsequent operations on the freed (and possibly reused) memory may lead to a segfault crash. The affected pointers are used by Subversion when serving requests which require a lookup of path-based authorization (authz) rules. However, even servers which do not make use of authz should be upgraded. The invalid pointers are always present in the running program and could be abused via other unknown attack vectors. CVSSv3.1 Base Score: 7.5 (High) CVSSv3.1 Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Exploitation results in denial of service by crashing the HTTPD worker handling the request. The impact of this differs depending on how the Apache HTTPD server is configured, including the choice of MPM (Multi- Processing-Module). If the worker shares its memory address space with the main thread, as is the case with e.g. the Event MPM, the entire HTTPD server process will terminate. If the pre-fork MPM is used, the worker will terminate but the HTTPD server will stay up, and service availability will depend on how frequently the attacker is able to send malicious requests which target the vulnerability. We recommend all users to upgrade to a known fixed release of the Subversion server. Users who are unable to upgrade may apply the patch included below. CVE-2022-24070 (Subversion) Bug 4480 (Subversion): https://issues.apache.org/jira/browse/SVN-4880 Bug 65861 (httpd): https://bz.apache.org/bugzilla/show_bug.cgi?id=65861 https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife Thomas Weißschuh, cis-solutions.eu Patch against Subversion 1.14.1 and 1.10.7: --- subversion/libsvn_repos/authz.c (revision 1894733) +++ subversion/libsvn_repos/authz.c (revision 1894734) @@ -130,6 +130,30 @@ static svn_object_pool__t *filtered_pool = NULL; static svn_atomic_t authz_pool_initialized = FALSE; +/* + * Ensure that we will initialize authz again if the pool which + * our authz caches depend on is cleared. + * + * HTTPD may run pre/post config hooks multiple times and clear + * its global configuration pool which our authz pools depend on. + * This happens in a non-threaded context during HTTPD's intialization + * and HTTPD's main loop, so it is safe to reset static variables here. + * (And any applications which cleared this pool while SVN threads + * were running would crash no matter what.) + * + * See issue #4880, "Use-after-free of object-pools in + * subversion/libsvn_repos/authz.c when used as httpd module" + */ +static apr_status_t +deinit_authz(void *data) +{ + /* The two object pools run their own cleanup handlers. */ + authz_pool = NULL; + filtered_pool = NULL; + authz_pool_initialized = FALSE; + return APR_SUCCESS; +} + /* Implements svn_atomic__err_init_func_t. */ static svn_error_t * synchronized_authz_initialize(void *baton, apr_pool_t *pool) @@ -143,6 +167,7 @@ SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool)); SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool)); + apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null); return SVN_NO_ERROR; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor