
TortoiseSVN 1.4.5 released





2007-08-27 23:30:06
TortoiseSVN 1.4.5 released
Simultaneously with Subversion 1.4.5, TortoiseSVN 1.4.5 has been released.

TortoiseSVN 1.4.5 is linked against the Subversion library 1.4.5 which
contains an important security fix. Please update as soon as possible.


Here's the full advisory:

===========================================================================

   On some platforms (e.g., Win32), svn client can create files in bad places

Summary:
========

   This vulnerability requires prior write access to the repository.

   In Subversion 1.4.4 and earlier versions, on platforms where the
   directory separator is "\" (or anything other than "/"), the client
   libraries can allow files outside the working copy to be created
   during a checkout or update.  This could, in theory, be used to
   place arbitrary code at arbitrary locations on the client machine,
   for example, in system startup scripts.

Known vulnerable:
=================

   Subversion clients <= 1.4.4 (including clients like TortoiseSVN)

Known fixed:
============

   Subversion 1.4.5
   TortoiseSVN 1.4.5

Details:
========

   The Subversion client libraries fail to validate that filenames
   obtained from the Subversion server during checkout do not contain
   "..\".  This allows the creation of files outside the checkout
   directory.  Users on operating systems where "\" is not used to
   separate directory paths can commit files with "..\" in the path.
   When these files are checked out onto systems where "\" is a
   directory separator, hilarity may ensue.  To reproduce:

   On a UNIX system, create a file "..\DIRNAME/exploit.exe" and check
   it into a repository on the top level.  Then check out that
   repository to a Win32 system.  The file will appear outside of the
   checkout directory and instead under "DIRNAME".

Severity:
=========

   Med (arbitrary file creation on client, possibly over system startup
   files)

   An adversary with write access to the repository could create a file
   at an arbitrary path on the victim's machines.  This could be used
   to install code on the system, for example by placing executable
   code into the startup sequence.

   The attacker first requires write access to the repository from
   which the file will be checked out, and requires that others not
   notice the commit of the dangerous file.  Thus, at first glance it
   might seem that some social engineering is necessary for a full
   exploit.  However, if the repository administrator is the attacker,
   little or no social engineering is required.

References:
===========

   CVE-2007-3846 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846)

   http://crisp.cs.du.edu/?q=node/36

Reported by:
============

   Nils Durner and Christian Grothoff, Colorado Research Institute for
   Security and Privacy, http://crisp.cs.du.edu/.


Recommendation:
===============

   Upgrade to TortoiseSVN 1.4.5.
   http://tortoisesvn.net/downloads

Workarounds:
============

   These workarounds apply only to the repository (server) side.  They
   cannot protect a client from a malicious repository administrator.

   * Scan existing repositories for paths containing "\", rename them.

   * Install a pre-commit hook that checks for "\" in filenames.
     Below is such a hook script, indented by four spaces:

     #!/bin/sh

     ### backslash-check.py: A Subversion pre-commit hook script to prevent
     ### files containing "\" from being added to the repository.
     ###
     ### See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3846

     ###                           *** NOTE: ***
     ### Because Subversion hook scripts execute in a scrubbed environment,
     ### we use an absolute path to the svnlook binary.  You might need to
     ### adjust it for your system.
     SVNLOOK="/usr/bin/svnlook"

     ### You shouldn't need to change anything below this line.
     ### A pre-commit hook receives the repository path as its first
     ### argument and the transaction name as its second.
     REPOS="$1"
     TXN="$2"

     ### Match added paths ("A" lines) that contain a literal backslash.
     if "$SVNLOOK" changed -t "$TXN" "$REPOS" | grep -E '^A +.*\\'; then
       echo "" >&2
       echo "Cannot commit paths containing '\':" >&2
       echo "" >&2
       # Show the actual paths:
       "$SVNLOOK" changed -t "$TXN" "$REPOS" \
          | grep -E '^A +.*\\' | cut -c5- >&2
       echo "" >&2
       exit 1
     else
       exit 0
     fi




And here's the changelog of TortoiseSVN 1.4.5:
Version 1.4.5
- BUG: The setting "unversioned files mark parent folder as modified"
        for the overlays marked folders as modified even if the
        unversioned files were ignored. (Stefan)
- BUG: The commit dialog wrongly showed added files in external folders.
        (Tobias Schäfer)
- BUG: Selecting the 'to:' date in the log dialog didn't include the
        selected date. (Stefan)
- BUG: Saving a file which did not exist failed or wasn't possible,
        only "Save as" worked. (Stefan)
- BUG: Crash in the statistics dialog if for some reason the date of a
        revision is not available. (Stefan)
- BUG: Thread leak in the status cache/handle leak in the
        shell extension. (Stefan)
- BUG: Missing items got crawled over and over again in the status
        cache. (Stefan)

Stefan

-- 
        ___
   oo  // \      "De Chelonian Mobile"
  (_,/ _/      TortoiseSVN
     _/__/>    The coolest Interface to (Sub)Version Control
    /_/   _     http://tortoisesvn.net
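
Added example, not part of the original announcement or the Subversion advisory: a small audit that shows why the path from the "Details" section stays inside the working copy under UNIX path rules but leaves it under Win32 rules, and which paths the "Workarounds" scan and pre-commit hook would flag. The working copy roots and the sample paths are constructed for illustration.

```python
import ntpath      # Win32 path rules, importable on any OS
import posixpath   # UNIX path rules

def resolve(repo_path, wc_root, pathmod):
    """Map a repository path onto the local file system under wc_root.

    Repository paths separate components with "/" only, so a "\\" inside a
    component is an ordinary character until a Win32 path API sees it.
    """
    return pathmod.normpath(pathmod.join(wc_root, *repo_path.split("/")))

def escapes(repo_path, wc_root, pathmod):
    """True if the resolved target lies outside the working copy root."""
    root = pathmod.normcase(pathmod.normpath(wc_root))
    target = pathmod.normcase(resolve(repo_path, wc_root, pathmod))
    return not (target == root or target.startswith(root + pathmod.sep))

def audit(paths, win_root=r"C:\wc", unix_root="/wc"):
    """Return one dict per path: what the hook sees and where it lands."""
    report = []
    for p in paths:
        report.append({
            "path": p,
            "has_backslash": "\\" in p,   # what the pre-commit hook rejects
            "escapes_win32": escapes(p, win_root, ntpath),
            "escapes_unix": escapes(p, unix_root, posixpath),
            "win32_target": resolve(p, win_root, ntpath),
        })
    return report

# Constructed sample paths (not taken from any real repository).
SAMPLE_PATHS = [
    "trunk/src/main.c",
    "trunk/docs\\notes.txt",
    "..\\DIRNAME/exploit.exe",
    "trunk/a/..\\..\\..\\DIRNAME/x.bat",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PATHS):
        print(row)
```

The second sample path contains a backslash but stays inside the working copy, so the hook's backslash test is deliberately broader than an escape test.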


