CVE-2013-4277

Publication date 16 September 2013

Last updated 24 July 2024

Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
subversion	14.04 LTS trusty	Not in release
	13.10 saucy	Ignored end of life
	13.04 raring	Ignored end of life
	12.10 quantal	Ignored end of life
	12.04 LTS precise	Ignored
	10.04 LTS lucid	Ignored end of life

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

pid file is not created by default on Ubuntu. This is only an issue if someone specifies a pid file in an insecure location. as such, we will not be fixing this.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
subversion	Upstream: http://svn.apache.org/viewvc?view=revision&revision=1516558

References

MITRE
NVD
Launchpad
Debian

Other references

http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
http://xforce.iss.net/xforce/xfdb/86972
https://www.cve.org/CVERecord?id=CVE-2013-4277