CVE-2015-5259 - Numeric Errors vulnerability in Apache Subversion 1.9.0/1.9.1/1.9.2
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: LOW
- Integrity impact: LOW
- Availability impact: HIGH

Summary
Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2015-6EFA349A85.NASL
- description: This update includes the latest stable release of _Apache Subversion 1.8_, version **1.8.15**. This update fixes two security issues:
  * **CVE-2015-3184**: Subversion
- last seen: 2020-06-05
- modified: 2016-03-04
- plugin id: 89276
- published: 2016-03-04
- reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/89276
- title: Fedora 22 : subversion-1.8.15-1.fc22 (2015-6efa349a85)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201610-05.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201610-05 (Subversion, Serf: Multiple Vulnerabilities)

  Multiple vulnerabilities have been discovered in Subversion and Serf. Please review the CVE identifiers referenced below for details.

  Impact: A remote attacker could possibly execute arbitrary code with the privileges of the process, conduct a man-in-the-middle attack, obtain sensitive information, or cause a Denial of Service Condition.

  Workaround: There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 93992
- published: 2016-10-12
- reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/93992
- title: GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities

- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2016-676.NASL
- description: It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved). (CVE-2015-3187)

  An integer overflow was discovered allowing remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read. (CVE-2015-5259)

  It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users. (CVE-2015-3184)

  It was found that the mod_dav_svn module was vulnerable to a remotely triggerable heap-based buffer overflow and out-of-bounds read caused by an integer overflow when parsing skel-encoded request bodies, allowing an attacker with write access to a repository to cause a denial of service attack (on 32-bit or 64-bit servers) or possibly execute arbitrary code (on 32-bit servers only) under the context of the httpd process. (CVE-2015-5343)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 90269
- published: 2016-04-01
- reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/90269
- title: Amazon Linux AMI : mod_dav_svn / subversion (ALAS-2016-676)

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_DAADEF86A36611E58B4020CF30E32F6D.NASL
- description: Subversion Project reports:

  Remotely triggerable heap overflow and out-of-bounds read caused by integer overflow in the svn:// protocol parser.

  Remotely triggerable heap overflow and out-of-bounds read in mod_dav_svn caused by integer overflow when parsing skel-encoded request bodies.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 87388
- published: 2015-12-16
- reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/87388
- title: FreeBSD : subversion -- multiple vulnerabilities (daadef86-a366-11e5-8b40-20cf30e32f6d)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2015-AFDB0E8AAA.NASL
- description: This update includes the latest stable release of _Apache Subversion_, version **1.9.3**.

  ### User-visible changes:

  #### Client-side bugfixes:

  * svn: fix possible crash in auth credentials cache
  * cleanup: avoid unneeded memory growth during pristine cleanup
  * diff: fix crash when repository is on server root
  * fix translations for commit notifications
  * ra_serf: fix crash in multistatus parser
  * svn: report lock/unlock errors as failures
  * svn: cleanup user deleted external registrations
  * svn: allow simple resolving of binary file text conflicts
  * svnlook: properly remove tempfiles on diff errors
  * ra_serf: report built- and run-time versions of libserf
  * ra_serf: set Content-Type header in outgoing requests
  * svn: fix merging deletes of svn:eol-style CRLF/CR files
  * ra_local: disable zero-copy code path

  #### Server-side bugfixes:

  * mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm ([issue 4602](http://subversion.tigris.org/issues/show_bug.cgi?id=4602))
  * mod_dav_svn: fix display of process ID in cache statistics
  * mod_dav_svn: use LimitXMLRequestBody for skel-encoded requests
  * svnadmin dump: preserve no-op changes
  * fsfs: avoid unneeded I/O when opening transactions

  #### Bindings bugfixes:

  * javahl: fix ABI incompatibility with 1.8
  * javahl: allow non-absolute paths in SVNClient.vacuum

  ### Developer-visible changes:

  #### General:

  * fix patch filter invocation in svn_client_patch()
  * add @since information to config defines
  * fix running the tests in compatibility mode
  * clarify documentation of svn_fs_node_created_rev()

  #### API changes:

  * fix overflow detection in svn_stringbuf_remove and _replace
  * don
- last seen: 2020-06-05
- modified: 2016-03-04
- plugin id: 89372
- published: 2016-03-04
- reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/89372
- title: Fedora 23 : subversion-1.9.3-1.fc23 (2015-afdb0e8aaa)
References
- http://subversion.apache.org/security/CVE-2015-5259-advisory.txt
- http://www.securityfocus.com/bid/82300
- http://www.securitytracker.com/id/1034469
- https://security.gentoo.org/glsa/201610-05