Tigris · Cvs2Svn · CVE-2009-2411
**Name of the Vulnerable Software and Affected Versions**
subversion versions prior to 1.6.4
subversion-devel versions 1.4.2
subversion-javahl versions 1.4.2
subversion-perl versions 1.4.2
subversion-ruby versions 1.4.2
viewcvs (affected versions not specified)
cvs2svn (affected versions not specified)
**Description**
The issue allows remote authenticated users to execute arbitrary code via an svndiff stream whose large windows trigger a heap-based buffer overflow. Successful exploitation can compromise the confidentiality, integrity, and availability of protected information. The attack can be carried out remotely, but only by an attacker who has already passed authentication.
**Recommendations**
For subversion versions prior to 1.6.4, update to version 1.6.4 or later.
For subversion-devel version 1.4.2, update to a version later than 1.4.2.
For subversion-javahl version 1.4.2, update to a version later than 1.4.2.
For subversion-perl version 1.4.2, update to a version later than 1.4.2.
For subversion-ruby version 1.4.2, update to a version later than 1.4.2.
For viewcvs and cvs2svn, no information is currently available about a newer version that contains a fix for this vulnerability.