In association with heise online

10 August 2009, 14:12

Holes closed in Subversion version control system


New versions of the Subversion version management system fix vulnerabilities in the client and server which could allow an attacker to gain control of a system. The problems are caused by multiple heap overflows in the libsvn_delta library, which may occur when the library is parsing difference data streams (binary deltas). According to the developers, a client with commit access can cause a remote heap overflow on the server, and a server can cause a heap overflow on clients that attempt a checkout or update.

Subversion releases up to and including 1.5.6 and from 1.6.0 to 1.6.3 are affected. The developers have released updates as Subversion 1.6.4 and 1.5.7 with the errors corrected. Linux distributors are already distributing new packages in their distributions and there is also a source code patch available.

The error is related to an integer overflow in the Apache Portable Runtime (APR) on which Subversion is based. Patches for APR are already available.
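The pattern described above, an integer overflow in a size calculation that then produces an undersized heap buffer, is a general class of bug in binary-stream parsers. The following C program is an added illustration written for this article; it is not Subversion's or APR's code and does not reproduce the svndiff format. It uses a constructed toy layout (a 32-bit item count, a 32-bit item length, then the payload) and places the unchecked size computation beside a checked one, so the wrap-around and the rejection that prevents it can both be observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy stream layout (NOT the svndiff format Subversion uses):
 *   [u32 count][u32 item_len][count * item_len bytes of payload]
 * All integers are little-endian. */
static uint32_t rd_u32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Weak pattern: the product silently wraps modulo 2^32, so a large
 * count/item_len pair can yield a tiny (even zero) allocation size
 * while the caller still copies the full declared payload into it. */
uint32_t payload_size_unchecked(uint32_t count, uint32_t item_len)
{
    return count * item_len;
}

/* Hardened pattern: refuse any pair whose product does not fit in
 * 32 bits. Returns 0 on success, -1 if the size would overflow. */
int payload_size_checked(uint32_t count, uint32_t item_len, uint32_t *out)
{
    if (item_len != 0 && count > UINT32_MAX / item_len)
        return -1;
    *out = count * item_len;
    return 0;
}

/* Decode a stream into a freshly allocated buffer. The declared size is
 * validated against arithmetic overflow and against the bytes actually
 * present before anything is allocated or copied.
 * Returns 0 on success, -1 on malformed input. */
int decode_stream(const unsigned char *buf, size_t len,
                  unsigned char **out, uint32_t *out_len)
{
    uint32_t count, item_len, total;

    if (len < 8)
        return -1;                     /* header incomplete */
    count = rd_u32(buf);
    item_len = rd_u32(buf + 4);
    if (payload_size_checked(count, item_len, &total) != 0)
        return -1;                     /* declared size overflows */
    if (total > len - 8)
        return -1;                     /* declared size exceeds stream */
    *out = malloc(total ? total : 1);
    if (*out == NULL)
        return -1;
    memcpy(*out, buf + 8, total);
    *out_len = total;
    return 0;
}

/* Convenience check: 1 if buf decodes exactly to `expected`, else 0. */
int decode_matches(const unsigned char *buf, size_t len, const char *expected)
{
    unsigned char *out;
    uint32_t out_len;
    int ok;

    if (decode_stream(buf, len, &out, &out_len) != 0)
        return 0;
    ok = (out_len == strlen(expected)) && memcmp(out, expected, out_len) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed header: count = 65536, item_len = 65536. */
    uint32_t count = 0x10000u, item_len = 0x10000u, total;

    printf("unchecked size: %u\n", payload_size_unchecked(count, item_len));
    printf("checked result: %d\n", payload_size_checked(count, item_len, &total));
    return 0;
}
```

With count and item_len both 65536 the unchecked product wraps to 0, which is exactly the shape of bug that lets a parser allocate a small buffer and then write far past it; the checked variant rejects the pair before any allocation happens.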
