There's an exploitable stack buffer overflow in svn.c when handling legacy Subversion repos:
vcprompt/src/svn.c, line 76 in 67394fc:

```c
if (sscanf(p, " %*[^\"]\"%[0-9]\"", rev) == 1) {
```
Steps to reproduce:
- compile with `-fsanitize=address` or use valgrind
- create a subversion repo
  `rm .svn/wc*`
- put the following into `.svn/entries`
  ```xml
  <?xml version="1.0" encoding="utf-8"?>
  <wc-entries
  xmlns="http://subversion.tigris.org/xmlns/wc/entries/1.0">
  <entry
  revision="1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"/>
  </wc-entries>
  ```
Patch:
wfr/vcprompt@da2825e
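The following is an added example, not code from the vcprompt project or from the reporter, showing the unbounded `%[0-9]` conversion next to a bounded replacement. The buffer size (64 bytes), the function names and the surrounding `parse_revision_attr` wrapper are assumptions for illustration; the report does not show how large `rev` is in svn.c or what `p` points at. The 100-digit input is constructed here from the `revision` attribute in the reproduction steps.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stack buffer size; the real size of `rev` in svn.c is not shown in the report. */
#define REV_SIZE 64

/* Constructed input: the 100-digit revision attribute from the report's entries file. */
#define TEN_DIGITS "1234567890"
static const char LONG_REVISION_ATTR[] =
    "revision=\"" TEN_DIGITS TEN_DIGITS TEN_DIGITS TEN_DIGITS TEN_DIGITS
                  TEN_DIGITS TEN_DIGITS TEN_DIGITS TEN_DIGITS TEN_DIGITS "\"";

/* The pattern from the report: %[0-9] has no field width, so sscanf copies the
 * whole digit run into `rev` regardless of its size. Only run this under ASan
 * or valgrind; it is deliberately left overflowing to show the bug. */
static int parse_revision_attr_unbounded(const char *p, char *rev)
{
    return sscanf(p, " %*[^\"]\"%[0-9]\"", rev) == 1;
}

/* Hardened version (hypothetical name): builds the same format with a field
 * width of rev_size - 1 so the conversion can never write past the buffer, then
 * uses %n to confirm the scanner stopped on the closing quote.
 * Returns 1 if a revision was read, 0 if no digit run was found, -1 if the
 * digit run did not fit in the buffer. */
static int parse_revision_attr(const char *p, char *rev, size_t rev_size)
{
    char fmt[64];
    int consumed = 0;

    if (rev_size < 2)
        return -1;
    rev[0] = '\0';
    /* Expands to e.g. " %*[^\"]\"%63[0-9]%n" for a 64-byte buffer. */
    snprintf(fmt, sizeof fmt, " %%*[^\"]\"%%%zu[0-9]%%n", rev_size - 1);
    if (sscanf(p, fmt, rev, &consumed) != 1)
        return 0;
    /* A digit run longer than the width leaves the scanner on a digit, not on
     * the closing quote: report that as an overflow rather than a revision. */
    if (p[consumed] != '"')
        return -1;
    return 1;
}

int main(int argc, char **argv)
{
    char rev[REV_SIZE];
    int rc = parse_revision_attr(LONG_REVISION_ATTR, rev, sizeof rev);

    printf("bounded parse of 100-digit revision: rc=%d (-1 means too long)\n", rc);
    rc = parse_revision_attr("revision=\"42\"", rev, sizeof rev);
    printf("bounded parse of revision=\"42\": rc=%d rev=%s\n", rc, rev);

    /* Opt in explicitly; with -fsanitize=address this reports a stack-buffer-overflow. */
    if (argc > 1 && strcmp(argv[1], "--overflow") == 0) {
        char small[REV_SIZE];
        parse_revision_attr_unbounded(LONG_REVISION_ATTR, small);
        printf("unbounded parse returned without ASan: %s\n", small);
    }
    return 0;
}
```

Build with `cc -fsanitize=address -g example.c` and run `./a.out --overflow` to see the report's crash; without the flag only the bounded parser runs. The width-plus-`%n` check is stricter than simply truncating, since a silently truncated revision would be a wrong answer rather than an error.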