[blfs-book] [BLFS Trac] #9599: subversion-1.9.7
BLFS Trac via blfs-book
blfs-book at lists.linuxfromscratch.org
Thu Aug 10 16:36:41 PDT 2017
Reporter: ken@… | Owner: ken@…
Type: enhancement | Status: assigned
Priority: high | Milestone: 8.1
Component: BOOK | Version: SVN
Severity: normal | Resolution:
> Following on from git-2.14.1, subversion-1.9.7 has been released. I
> presume this fixes CVE-2017-9800 (no details at the moment).
> When I built 1.9.6 the other week I got a test failure in [023/109]
> FAIL: lt-locks-test 14: lock/unlock when 'write-lock' couldn't be
> I suspect that one might be an issue with either gcc-7.1 or else newer
> headers, in which case it might might repeat in this version.
Following on from git-2.14.1, subversion-1.9.7 has been released. This
fixes CVE-2017-9800, from
Arbitrary code execution on clients through malicious svn+ssh URLs in
svn:externals and svn:sync-from-url
A Subversion client sometimes connects to URLs provided by the
This happens in two primary cases: during 'checkout', 'export',
'switch', when the tree being downloaded contains svn:externals
and when using 'svnsync sync' with one URL argument.
A maliciously constructed svn+ssh:// URL would cause Subversion clients
run an arbitrary shell command. Such a URL could be generated by a
server, by a malicious user committing to a honest server (to attack
user of that server's repositories), or by a proxy server.
The vulnerability affects all clients, including those that use file://,
http://, and plain (untunneled) svn://.
An exploit has been tested.
Subversion clients 1.0.0 through 1.8.18 (inclusive)
Subversion clients 1.9.0 through 1.9.6 (inclusive)
Subversion client 1.10.0-alpha3
Subversion 1.10.0-alpha1 and 1.10.0-alpha2 are vulnerable,
however, were never publicly released.
Patches are available for 1.9, 1.8, 1.6. The patch for 1.9 applies
to 1.10.0-alpha3 with an offset. The patch for 1.8 applies to 1.7
with an offset.
Clients that do not have access to an ssh client, and have no custom
configured in their runtime configuration area , are not vulnerable.
Clients using Subversion's own runtime module loading for Repository
(RA) modules are not vulnerable if the 'libsvn_ra_svn' module, which
support for the svn+ssh:// and svn:// protocols is removed.
This link describes Subversion 1.7, but the description is correct
all other versions as well.
(see "Summary:" above)
CVSSv3 Base Score: 9.9 (Critical)
CVSSv3 Base Vector:
When I built 1.9.6 the other week I got a test failure in [023/109] locks-
FAIL: lt-locks-test 14: lock/unlock when 'write-lock' couldn't be
I suspect that one might be an issue with either gcc-7.1 or else newer
headers, in which case it might might repeat in this version.
Comment (by ken@…):
Actually, that lock test also fails on BLFS-8.0 on my server.
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9599#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
More information about the blfs-book