subversion-users mailing list archives

From Stefan Sperling <s...@elego.de>
Subject Re: ssh+svn vs. bash security bug?
Date Wed, 24 Sep 2014 16:28:51 GMT
On Wed, Sep 24, 2014 at 11:06:13AM -0500, Les Mikesell wrote:
> Does the recently announced bash bug:
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
> affect the security of the way people generally configure svn+ssh access?
> 
> -- 
>    Les Mikesell
 
From what I understand after reading about the problem briefly:

In an svn+ssh setup svn clients run 'svnserve -t' by default.
But there is no reason this could not be changed to '/bin/bash' by
an attacker.

Note that forcing a command in the authorized_keys file will *not*
work around the problem: http://seclists.org/oss-sec/2014/q3/651

It should be possible to mitigate this attack vector by having
svnserve run in an environment that doesn't have bash available,
either with no bash binary at all on the system, or within a chroot.
