Apache Subversion official site security update (2023-07-17)

Intelligence source: TSRC

Published: 2023-07-17

Basic information
  • Release date: 2023-07-17
  • Detected: 2023-07-17
  • Vulnerability type: Security update
  • Risk level: High
  • Updated version: Unknown
  • Intelligence contributor: TSRC
Update title

mod_dav_svn is vulnerable to memory corruption

Update details

Subversion's mod_dav_svn is vulnerable to memory corruption

Summary:
========

 While looking up path-based authorization rules, mod_dav_svn servers
 may attempt to use memory which has already been freed.

Known vulnerable:
=================

 Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive).

 Servers that do not use mod_dav_svn are not affected.

Known fixed:
============

 Subversion httpd servers 1.14.2.
 Subversion httpd servers 1.10.8.

Details:
========

 Server modules for Apache HTTP server (httpd), such as mod_dav_svn,
 implement several hooks that httpd calls at various times.

 One of these, post_config, may be called more than once during module
 initialization. The number of calls and the purpose of each call
 depend on whether the module is loaded at httpd startup or during a
 later reload of httpd's configuration.

 When httpd loads a module at startup, it performs a configuration
 check at which time it calls the module's post_config hook for
 validation purposes. Later, httpd calls the hook again; this is the
 "real" initialization call.

 In contrast, when httpd loads a module at a later stage, due to
 reloading its own configuration, it calls the post_config hook only
 once.

 In vulnerable versions of Subversion, the post_config hook
 implementation does not take these semantics into account. As a
 result, it always treats the first call as the "real" call and
 performs initialization, including caching of pointers which are used
 later. When the call is in fact for validation only, those pointers
 subsequently become invalid when the memory allocation pools into
 which they point are cleared.

 Subsequent operations on the freed (and possibly reused) memory may
 lead to a segfault crash.

 The affected pointers are used by Subversion when serving requests
 which require a lookup of path-based authorization (authz) rules.
 However, even servers which do not make use of authz should be upgraded.
 The invalid pointers are always present in the running program and could
 be abused via other unknown attack vectors.

Severity:
=========

 CVSSv3.1 Base Score: 7.5 (High)

 CVSSv3.1 Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 Exploitation results in denial of service by crashing the HTTPD worker
 handling the request. The impact of this differs depending on how the
 Apache HTTPD server is configured, including the choice of MPM
 (Multi-Processing-Module). If the worker shares its memory address space
 with the main thread, as is the case with e.g. the Event MPM, the entire
 HTTPD server process will terminate. If the pre-fork MPM is used, the
 worker will terminate but the HTTPD server will stay up, and service
 availability will depend on how frequently the attacker is able to
 send malicious requests which target the vulnerability.

Recommendations:
================

 We recommend that all users upgrade to a known fixed release of the
 Subversion server.

 Users who are unable to upgrade may apply the patch included below.

References:
===========

 CVE-2022-24070 (Subversion)

 Bug 4880 (Subversion): https://issues.apache.org/jira/browse/SVN-4880
 Bug 65861 (httpd): https://bz.apache.org/bugzilla/show_bug.cgi?id=65861

 https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife

Reported by:
============

 Thomas Weißschuh, cis-solutions.eu

Patch:
========

 Patch against Subversion 1.14.1 and 1.10.7:
[[[
Index: subversion/libsvn_repos/authz.c
===================================================================
--- subversion/libsvn_repos/authz.c (revision 1894733)
+++ subversion/libsvn_repos/authz.c (revision 1894734)
@@ -130,6 +130,30 @@
 static svn_object_pool__t *filtered_pool = NULL;
 static svn_atomic_t authz_pool_initialized = FALSE;
 
+/*
+ * Ensure that we will initialize authz again if the pool which
+ * our authz caches depend on is cleared.
+ *
+ * HTTPD may run pre/post config hooks multiple times and clear
+ * its global configuration pool which our authz pools depend on.
+ * This happens in a non-threaded context during HTTPD's intialization
+ * and HTTPD's main loop, so it is safe to reset static variables here.
+ * (And any applications which cleared this pool while SVN threads
+ * were running would crash no matter what.)
+ *
+ * See issue #4880, "Use-after-free of object-pools in
+ * subversion/libsvn_repos/authz.c when used as httpd module"
+ */
+static apr_status_t
+deinit_authz(void *data)
+{
+ /* The two object pools run their own cleanup handlers. */
+ authz_pool = NULL;
+ filtered_pool = NULL;
+ authz_pool_initialized = FALSE;
+ return APR_SUCCESS;
+}
+
 /* Implements svn_atomic__err_init_func_t. */
 static svn_error_t *
 synchronized_authz_initialize(void *baton, apr_pool_t *pool)
@@ -143,6 +167,7 @@
 SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
 SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
 
+ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
 return SVN_NO_ERROR;
 }
 
]]]
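Review bot: In the `@@ -130,6 +130,30 @@` hunk, `deinit_authz` resets `authz_pool_initialized` with a plain store although the variable is declared `svn_atomic_t` and is otherwise driven by the init-once machinery; the block comment justifies this by asserting that the cleanup only ever runs in httpd's single-threaded configuration phase, but that precondition is stated rather than checked, so the comment should at least say explicitly that the reset is only valid because httpd clears pconf before any worker threads exist. Nulling the two object-pool statics before their own cleanup handlers run is the right order, since APR runs cleanups newest-first and this handler is registered after both `svn_object_pool__create` calls. The `data` parameter is unused (fine for the cleanup signature), and "intialization" in the comment should read "initialization".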
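Review bot: In the `@@ -143,6 +167,7 @@` hunk the cleanup is registered only after both `svn_object_pool__create` calls have succeeded, so if the second `SVN_ERR(...)` returns early, `authz_pool` already points into `pool` but `deinit_authz` is never registered, and the stale-pointer window this patch closes remains open on that error path. Since `deinit_authz` only nulls the statics and does not depend on running before the object pools' own cleanup handlers, suggest moving `apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);` above the two create calls.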

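The startup sequence from the Details section, as an added example that is not code from the advisory, Subversion or APR: a toy pool stands in for apr_pool_t, `post_config` caches a pointer behind an init-once flag the way the vulnerable hook did, and the `fixed` argument adds the cleanup registration the patch introduces. All names (`pool_t`, `startup_leaves_cache_valid`, and so on) and the sample string are constructed for this demonstration.

```c
/* Toy model of the mod_dav_svn post_config bug and its fix (added example, not Subversion
 * or APR code). The "pool" stands in for apr_pool_t: it owns allocations and runs cleanups. */
#include <stdlib.h>
#include <string.h>
#define MAXN 8
typedef int (*cleanup_fn)(void *);
typedef struct {
    void *allocs[MAXN];        int n_allocs;
    cleanup_fn cleanups[MAXN]; void *cleanup_data[MAXN]; int n_cleanups;
} pool_t;
static void *pool_alloc(pool_t *p, size_t sz) { return p->allocs[p->n_allocs++] = calloc(1, sz); }
static void pool_cleanup_register(pool_t *p, void *d, cleanup_fn fn) {
    p->cleanups[p->n_cleanups] = fn; p->cleanup_data[p->n_cleanups++] = d;
}
/* apr_pool_clear() analogue: run cleanups newest-first, then release every allocation. */
static void pool_clear(pool_t *p) {
    for (int i = p->n_cleanups - 1; i >= 0; i--) p->cleanups[i](p->cleanup_data[i]);
    for (int i = 0; i < p->n_allocs; i++) free(p->allocs[i]);
    p->n_allocs = p->n_cleanups = 0;
}
/* Is ptr a live allocation of this pool? Detects a stale pointer without dereferencing it. */
static int pool_owns(const pool_t *p, const void *ptr) {
    for (int i = 0; i < p->n_allocs; i++) if (p->allocs[i] == ptr) return 1;
    return 0;
}
/* Module statics, mirroring authz.c: a pointer cached from the config pool plus an init-once flag. */
static char *authz_cache = NULL;  static int authz_initialized = 0;
/* The fix: a cleanup on the config pool that forgets the cached state, so the next call re-inits. */
static int deinit_authz(void *unused) { (void)unused; authz_cache = NULL; authz_initialized = 0; return 0; }
/* post_config hook. `fixed` selects whether the patch's cleanup registration is present. */
static void post_config(pool_t *pconf, int fixed) {
    if (authz_initialized) return;                   /* init-once guard: later calls are no-ops */
    authz_cache = pool_alloc(pconf, 32);
    strcpy(authz_cache, "path-based authz rules");   /* constructed stand-in for the authz cache */
    if (fixed) pool_cleanup_register(pconf, NULL, deinit_authz);
    authz_initialized = 1;
}
/* httpd startup per the advisory: validation call, pconf cleared, "real" call. Returns 1 if the
 * cached pointer is then backed by live pool memory, 0 if it is stale (the CVE-2022-24070 case). */
static int startup_leaves_cache_valid(int fixed) {
    pool_t pconf = {0};
    authz_cache = NULL; authz_initialized = 0;
    post_config(&pconf, fixed);          /* call 1: configuration check */
    pool_clear(&pconf);                  /* httpd clears the pool between the two calls */
    post_config(&pconf, fixed);          /* call 2: the "real" initialization */
    int valid = authz_cache != NULL && pool_owns(&pconf, authz_cache);
    pool_clear(&pconf);
    return valid;
}
```

Without the cleanup the second call is a no-op and `authz_cache` still points at memory the pool already released; with it, `deinit_authz` clears the flag during `pool_clear`, so the "real" call re-initializes into live memory.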
Software description

Subversion is an open-source version control system.

CVE ID

CVE-2022-24070: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24070

Knowsafe analysis

None yet

Industry news

None yet

Source link

https://subversion.apache.org/security/CVE-2022-24070-advisory.txt