Author: kotkov
Revision: 1921181
Modified property: svn:log
Modified: svn:log at Tue Oct 8 19:23:24 2024
------------------------------------------------------------------------------
--- svn:log (original)
+++ svn:log Tue Oct 8 19:23:24 2024
@@ -1,5 +1,54 @@
-Committing the fix for CVE-2024-45720 to trunk.
+Fix CVE-2024-45720 (Subversion command line argument injection on
+Windows platforms).
-(detailed log message remains to be filled in here)
+On Windows platforms, a "best fit" character encoding conversion of
+command line arguments to Subversion's executables (e.g., svn.exe,
+etc.) may lead to unexpected command line argument interpretation,
+including argument injection and execution of other programs, if a
+specially crafted command line argument string is processed.
+
+To fix the issue, we start using wmain() in the executables and perform
+the character conversion manually without the "best fit" mapping.
+
+See the security advisory for details:
+https://subversion.apache.org/security/CVE-2024-45720-advisory.txt
+
+* build.conf
+ (svn, svnadmin): Update `msvc-libs` to link `wsetargv.obj` instead of
+ `setargv.obj`.
+
+* subversion/include/private/svn_cmdline_private.h
+ (svn_cmdline__win32_get_cstring_argv,
+ svn_cmdline__default_get_cstring_argv,
+ svn_cmdline__argv_char_t,
+ SVN_CMDLINE__MAIN,
+ svn_cmdline__get_cstring_argv): New definitions.
+
+* subversion/libsvn_subr/cmdline.c
+ (svn_cmdline__win32_get_cstring_argv): Implement this new function that
+ normalizes Windows-specific command line arguments to the environment-
+ specific code page.
+ (svn_cmdline__default_get_cstring_argv): Implement this new function that
+ normalizes command line arguments to the environment-specific code page
+ in a platform-agnostic way. Currently a no-op.
+
+* subversion/svn/svn.c,
+ subversion/svnadmin/svnadmin.c,
+ subversion/svnbench/svnbench.c,
+ subversion/svndumpfilter/svndumpfilter.c,
+ subversion/svnfsfs/svnfsfs.c,
+ subversion/svnlook/svnlook.c,
+ subversion/svnmucc/svnmucc.c,
+ subversion/svnrdump/svnrdump.c,
+ subversion/svnserve/svnserve.c,
+ subversion/svnsync/svnsync.c,
+ subversion/svnversion/svnversion.c,
+ tools/client-side/svn-mergeinfo-normalizer/svn-mergeinfo-normalizer.c,
+ tools/client-side/svnconflict/svnconflict.c,
+ tools/dev/svnraisetreeconflict/svnraisetreeconflict.c,
+ tools/dev/wc-ng/svn-wc-db-tester.c,
+ trunk/tools/server-side/svnauthz.c:
+ (main): Switch to SVN_CMDLINE__MAIN.
+ (sub_main): Invoke svn_cmdline__get_cstring_argv() to normalize arguments.
Patch by: kotkov, jun66j5
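Review bot: the path `trunk/tools/server-side/svnauthz.c:` in the file list is inconsistent with the other entries, which are all given relative to the tree root (`subversion/...`, `tools/...`); drop the `trunk/` prefix so the entry reads `tools/server-side/svnauthz.c:`. Two smaller points on the same hunk: the `build.conf` entry only updates `msvc-libs` for `(svn, svnadmin)` to link `wsetargv.obj`, while the `(main): Switch to SVN_CMDLINE__MAIN.` change covers every other executable as well (svnbench, svndumpfilter, svnfsfs, svnlook, svnmucc, svnrdump, svnserve, svnsync, svnversion and the tools), so it would help to state whether those executables are intentionally left on `setargv.obj` or do not link it at all; and the entry for `svn_cmdline__win32_get_cstring_argv` should say that the conversion to the code page is done without the "best fit" mapping, since that is the actual fix described in the summary paragraph and is otherwise only implied by "normalizes".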