Your message dated Tue, 17 Dec 2019 20:50:05 -0500
with message-id <20191218015005.nwcpwnz25bgiahkm@localhost>
and subject line Re: Bug#514320: subversion: seems it does not properly escape
filenames (e.g. option-like: -foo)
has caused the Debian Bug report #514320,
regarding subversion: seems it does not properly escape filenames (e.g.
option-like: -foo)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
514320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: subversion
Version: 1.4.2dfsg1-2
Severity: normal
When adding a file with an option-like name
touch -- -foo
svn add -- -foo
svn ci -m "Adding -foo"
I get the following error:
Transmitting file data ............svn: Commit succeeded, but other errors
follow:
svn: Error bumping revisions post-commit (details follow):
svn: In directory '<snip>'
svn: Error processing command 'committed' in '<snip>'
svn: Error replacing text-base of '-foo'
svn: Can't change perms of file '<snip>/-foo': No such file or directory
Seems like just a '--' missing in a chmod invokation, so I'm reporting although
I
couldn't reproduce it again.
After that, the working copy got locked, and any attempt at
svn cleanup
just resulted in
svn: In directory '.'
svn: Error processing command 'committed' in '.'
svn: Error replacing text-base of '-foo'
svn: Can't change perms of file '-foo': No such file or directory
The commit made it in, though, and an independant checkout afterwards works
fine, too.
I'm not a security researcher, so I have no clue about whether and if so how
this could be exploited, but it feels fishy.
Thanks,
Marc
-- System Information:
Debian Release: 4.0
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-etchnhalf.1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages subversion depends on:
ii libapr1 1.2.7-8.2 The Apache Portable Runtime Librar
ii libc6 2.3.6.ds1-13etch9 GNU C Library: Shared libraries
ii libsvn1 1.4.2dfsg1-2 Shared libraries used by Subversio
subversion recommends no packages.
-- no debconf information
--
Marc Mutz - [email protected], [email protected] - Klarälvdalens Datakonsult AB
Platform-independent software solutions - www.kdab.com [email protected]
--- End Message ---
--- Begin Message ---
On Fri, Feb 06, 2009 at 10:00:33AM +0100, Marc Mutz wrote:
> When adding a file with an option-like name
> touch -- -foo
> svn add -- -foo
> svn ci -m "Adding -foo"
> I get the following error:
>
> Transmitting file data ............svn: Commit succeeded, but other errors
> follow:
> svn: Error bumping revisions post-commit (details follow):
This looks like it's executing a post-commit hook. If that's the case,
then the problem is likely in that script, not svn itself.
> svn: In directory '<snip>'
> svn: Error processing command 'committed' in '<snip>'
> svn: Error replacing text-base of '-foo'
> svn: Can't change perms of file '<snip>/-foo': No such file or directory
Based on the above, and being unable to reproduce this with the current
svn code, I'm closing the bug.
Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
--- End Message ---
