CVE-2007-2448-advisory.txt [plain text]
Subversion versions up to and including 1.4.3 have a bug which allows,
in certain specific scenarios, data stripped from the output of 'svn
log' due to the requesting user's lack of access priveleges to be
visible via 'svn propget', 'svn proplist', and 'svn propedit'.
Details:
========
Like most version control systems, access to versioned objects in
Subversion is determined on primarily path-based system. Users either
do or don't have the ability to read a given path.
However, unlike many version control systems where versioned objects
maintain their own distinct version information (revision numbers,
authors, log messages, change timestamps, etc.), Subversion binds
multiple paths changed as part of a single commit operation into a
set, calls the whole thing a revision, and hangs commit metadata
(author, date, log message, etc.) off of that revision. So, commit
metadata is shared across all the paths changed as part of a given
commit operation.
It is common for log messages to give detailed information about
changes made in the commit to which the log message is attached. Such
information might include a mention of all the files changed, what was
changed in them, and so on. But this causes a problem when presenting
information to readers who aren't authorized to read every path in the
repository. Simply knowing that a given path exists may be a security
leak, even if the user can't see the contents of the data located at
that path.
So Subversion does what it reasonably can to prevent the leak of this
information, and does so via a staged revision access policy. A
reader can be said to have one of three levels of access to a given
revision's metadata, based solely on the reader's access rights to the
paths changed or copied in that revision:
'full access' -- Granted when the reader has access to all paths
changed or copied in the revision, or when no paths were
changed in the revision at all, this access level permits
full visibility of all revision property names and values,
and the full changed-paths information.
'no access' -- Granted when the reader does not have access to any
paths changed or copied in the revision, this access level
denies the reader access to all revision properties and all
changed-paths information.
'partial access' -- Granted when the reader has access to at least
one, but not all, of the paths changed or copied in the revision,
this access level permits visibility of the svn:date and
svn:author revision properties and only the paths of the
changed-paths information to which the reader has access.
The bug covered in this advisory causes readers who should be granted
'partial access' to a revision to instead be granted 'full access' for
certain revision-property-related query operations. This situation
occurs when the reader
* has access to all paths changed in the revision, but
* does not have access to all the paths copied in the revision, and
* is using the following subcommands (or the APIs behind them):
svn propget, svn proplist, svn propedit.
An example:
If in a given revision path /public/document.txt was created as a copy
of /private/document.txt, and a reader has sufficient authorization to
read /public/document.txt but not to read /private/document.txt,
that reader should be granted partial access to the revision. And, in
fact, 'svn log' (and the APIs behind it) will grant the proper access
level. But the aforementioned 'svn prop*' commands fail to take copy
source paths into consideration when making a revision access level
determination -- meaning they only check the reader's access to the
copy destination (the actual path changed) -- and will grant this
reader full access. Where 'svn log' would reveal only the author and
datestamp of the revision, 'svn prop*' would allow the reader to see
all of the revision properties, including the log message.
Severity:
=========
This is expected to be a rare scenario. While path-based
authorization is common practice, data is not commonly copied from a
private location to a public one. The 'svn prop*' commands only
reveal the contents of properties, not the revision's changed-paths
information. And, of course, this bug does not permit anyone to see
file contents or directory listings that they should not. Information
leaked via this bug is limited to the contents of revision properties
associated with revisions whose changed-path information meets the
specific criteria mentioned above.
Workarounds:
============
Log messages and other revision properties can be modified at any
time, so if you believe your repository contains revision properties
which might reveal in this scenario information best left unrevealed,
you can change or remove (perhaps temporarily) the property values.
Recommendations:
================
References:
===========
CVE-2007-2448: