svn security bugs
Source: Internet  Editor: 程序博客网  Time: 2024/06/16 05:31
http://subversion.apache.org/security/CVE-2013-2088-advisory.txt
  Subversion releases up to 1.6.22 (inclusive), and 1.7.x tags up to 1.7.10
  (inclusive, but excepting 1.7.x releases made from those tags), include a
  contrib/ script prone to shell injection by authenticated users, which could
  result in arbitrary code execution.

Summary:
========

  Subversion's contrib/ directory contains two example hook scripts, which
  use 'svnlook changed' to examine a revision or transaction and then pass
  those paths as arguments to further 'svnlook' commands, without properly
  escaping the command-line.

  The contrib/ directory ships in 1.6.x releases, and although it does not
  ship in 1.7.x or 1.8.x releases, is included in the 1.7.x and 1.8.x
  release branches and tags in Subversion's repository.

Known vulnerable:
=================

  Subversion releases through 1.6.22 (inclusive)
  Repository revisions branches/1.7.x until r1485487
  Repository revisions branches/1.8.x until r1485487
  Subversion tags through 1.7.10 (inclusive)

Known fixed:
============

  Releases:
  Subversion 1.6.23
  Subversion 1.7.0
  Subversion 1.8.0

  Tags:
  Subversion 1.6.23
  Subversion 1.7.11
  Subversion 1.8.0-rc3
  Subversion 1.8.0

Details:
========

  The script contrib/hook-scripts/check-mime-type.pl does not escape
  argv arguments to 'svnlook' that start with a hyphen. This could be
  used to cause 'svnlook', and hence check-mime-type.pl, to error out.

  The script contrib/hook-scripts/svn-keyword-check.pl parses filenames
  from the output of 'svnlook changed' and passes them to a further
  shell command (equivalent to the 'system()' call of the C standard
  library) without escaping them. This could be used to run arbitrary
  shell commands in the context of the user whom the pre-commit script
  runs as (the user who owns the repository).

Severity:
=========

  CVSSv2 Base Score: 7.1
  CVSSv2 Base Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C

  Most installations of Subversion do not use these contrib scripts, so while
  the score above is high, we suspect that very few sites are impacted.
  However, if you do use these scripts, this is a serious issue.

  The check-mime-type.pl issue could only be a problem if 'svnlook' was
  patched or if a child of the repository root had a name starting with a
  '-', so it is ranked as low severity.

  The svn-keyword-check.pl issue could be used by any authenticated
  committer to run shell commands as the server. Anonymous users typically
  do not have commit access so cannot exploit this. On the other hand,
  those who can exploit this could, for example, delete the repository from
  the server disk.

Recommendations:
================

  We recommend all users to apply the attached patch. The hook scripts have
  not changed since 1.6.x, so using their latest versions from the repository
  is (as of this writing) equivalent to applying the patch. The fix will be
  included in the 1.6.23, 1.7.11, and 1.8.0 releases, when those are made.

  A workaround is to ensure that all in-repository filenames are shell-safe,
  e.g., match the regular expression

    ^[A-Za-z0-9_:][A-Za-z0-9_:/-]+$ .
  This can be implemented using the provided [validate-files.py] hook script,
  by providing a command= that checks the environment variable "FILE" against
  that pattern; for example, command= might point to the following script:

    #!/usr/bin/env python
    import os, re, sys
    # Exit 0 (accept) only when FILE matches the shell-safe pattern.
    pattern = r'^[A-Za-z0-9_:][A-Za-z0-9_:/-]+$'
    sys.exit(0 if re.match(pattern, os.getenv("FILE", " ")) else 1)

References:
===========

  CVE-2013-2088 (Subversion)

Reported by:
============

  Daniel Shahaf, elego Software Solutions GmbH

Patches:
========

  Patch against 1.6.21, 1.7.x branch/tags, and 1.8.x branch:

[[[Index: contrib/hook-scripts/check-mime-type.pl===================================================================--- contrib/hook-scripts/check-mime-type.pl(revision 1484585)+++ contrib/hook-scripts/check-mime-type.pl(working copy)@@ -120,7 +120,7 @@ foreach my $path ( @files_added ) # Parse the complete list of property values of the file $path to extract # the mime-type and eol-style foreach my $prop (&read_from_process($svnlook, 'proplist', $repos, '-t',- $txn, '--verbose', $path))+ $txn, '--verbose', '--', $path)) { if ($prop =~ /^\s*svn:mime-type : (\S+)/) {@@ -187,7 +187,7 @@ sub safe_read_from_pipe croak "$0: safe_read_from_pipe passed no arguments.\n"; } print "Running @_\n";- my $pid = open(SAFE_READ, '-|');+ my $pid = open(SAFE_READ, '-|', @_); unless (defined $pid) { die "$0: cannot fork: $!\n";Index: contrib/hook-scripts/svn-keyword-check.pl===================================================================--- contrib/hook-scripts/svn-keyword-check.pl(revision 1484585)+++ contrib/hook-scripts/svn-keyword-check.pl(working copy)@@ -141,7 +141,7 @@ sub check { return 1; } else { my @keywords = get_svnkeywords($file);- my $fh = _pipe("$svnlook cat $flag $value $repos $file");+ my $fh = _pipe($svnlook, qw/cat/, $flag, $value, $repos, '--', $file); while (my $line = <$fh>) { foreach my $keyword (@keywords) { if ($line =~ m/$keyword/) {@@ -168,7 +168,7 @@ sub file_is_binary { return 0; } if (has_svn_property($file, 
"svn:mime-type")) {- my ($mimetype) = read_from_process("$svnlook propget $flag $value $repos svn:mime-type $file");+ my ($mimetype) = read_from_process($svnlook, qw/propget/, $flag, $value, $repos, 'svn:mime-type', '--', $file); chomp($mimetype); $mimetype =~ s/^\s*(.*)/$1/; if ($mimetype =~ m/^text\//) {@@ -186,7 +186,7 @@ sub file_is_binary { # Return a list of svn:keywords on a file sub get_svnkeywords { my $file = shift;- my @lines = read_from_process("$svnlook propget $flag $value $repos svn:keywords $file");+ my @lines = read_from_process($svnlook, qw/propget/, $flag, $value, $repos, 'svn:keywords', '--', $file); my @returnlines; foreach my $line (@lines) { $line =~ s/\s+/ /;@@ -199,7 +199,7 @@ sub get_svnkeywords { sub has_svn_property { my $file = shift; my $keyword = shift;- my @proplist = read_from_process("$svnlook proplist $flag $value $repos $file");+ my @proplist = read_from_process($svnlook, qw/proplist/, $flag, $value, $repos, '--', $file); foreach my $prop (@proplist) { chomp($prop); if ($prop =~ m/\b$keyword\b/) {@@ -241,7 +241,7 @@ sub safe_read_from_pipe { # Return the filehandle as a glob so we can loop over it elsewhere. sub _pipe { local *SAFE_READ;- my $pid = open(SAFE_READ, '-|');+ my $pid = open(SAFE_READ, '-|', @_); unless (defined $pid) { die "$0: cannot fork: $!\n"; }]]]