On Wed, Feb 10, 2021 at 09:21:54PM +0100, Salvatore Bonaccorso wrote:
> Hi James,
>
> On Wed, Feb 10, 2021 at 03:20:22PM -0500, James McCoy wrote:
> > On Wed, Feb 10, 2021 at 03:36:11PM +0100, Salvatore Bonaccorso wrote:
> > > The following vulnerability was published for subversion.
> > >
> > > CVE-2020-17525[0]:
> > > | Remote unauthenticated denial-of-service in Subversion mod_authz_svn
> >
> > I'll have uploads ready for this tonight to both sid and buster. I'll
> > send the debdiff for review before uploading to buster-security.
>
> Ack, thank you!
Buster debdiff attached.

Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
diffstat for subversion-1.10.4 subversion-1.10.4 changelog | 8 +++ gbp.conf | 2 patches/0017-Fix-a-potential-NULL-dereference-in-the-config-file-.patch | 26 ++++++++++ patches/series | 1 4 files changed, 36 insertions(+), 1 deletion(-) diff -Nru subversion-1.10.4/debian/changelog subversion-1.10.4/debian/changelog --- subversion-1.10.4/debian/changelog 2019-07-27 22:44:06.000000000 -0400 +++ subversion-1.10.4/debian/changelog 2021-02-10 15:15:45.000000000 -0500 @@ -1,3 +1,11 @@ +subversion (1.10.4-1+deb10u2) buster-security; urgency=high + + * Backport security fixes from upstream: + + CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion + mod_authz_svn (Closes: #982464) + + -- James McCoy <james...@debian.org> Wed, 10 Feb 2021 15:15:45 -0500 + subversion (1.10.4-1+deb10u1) buster-security; urgency=high * Backport security fixes from upstream: diff -Nru subversion-1.10.4/debian/gbp.conf subversion-1.10.4/debian/gbp.conf --- subversion-1.10.4/debian/gbp.conf 2019-07-27 22:44:06.000000000 -0400 +++ subversion-1.10.4/debian/gbp.conf 2021-02-10 15:15:45.000000000 -0500 @@ -1,6 +1,6 @@ [DEFAULT] upstream-branch = upstream/1.10.x -debian-branch = debian/sid +debian-branch = debian/buster upstream-tag = upstream/%(version)s sign-tags = True diff -Nru subversion-1.10.4/debian/patches/0017-Fix-a-potential-NULL-dereference-in-the-config-file-.patch subversion-1.10.4/debian/patches/0017-Fix-a-potential-NULL-dereference-in-the-config-file-.patch --- subversion-1.10.4/debian/patches/0017-Fix-a-potential-NULL-dereference-in-the-config-file-.patch 1969-12-31 19:00:00.000000000 -0500 +++ subversion-1.10.4/debian/patches/0017-Fix-a-potential-NULL-dereference-in-the-config-file-.patch 2021-02-10 15:15:45.000000000 -0500 
@@ -0,0 +1,26 @@ +From: Stefan Sperling <s...@apache.org> +Date: Fri, 29 Jan 2021 13:17:15 +0000 +Subject: Fix a potential NULL dereference in the config file parser. + +* subversion/libsvn_repos/config_file.c + (get_repos_config): svn_repos_find_root_path() may return NULL. + Check the return value accordingly. +--- + subversion/libsvn_repos/config_file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/subversion/libsvn_repos/config_file.c b/subversion/libsvn_repos/config_file.c +index 9187277..2414db9 100644 +--- a/subversion/libsvn_repos/config_file.c ++++ b/subversion/libsvn_repos/config_file.c +@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream, + { + /* Search for a repository in the full path. */ + repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool); ++ if (repos_root_dirent == NULL) ++ return svn_error_trace(handle_missing_file(stream, checksum, access, ++ url, must_exist, ++ svn_node_none)); + + /* Attempt to open a repository at repos_root_dirent. */ + SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL, diff -Nru subversion-1.10.4/debian/patches/series subversion-1.10.4/debian/patches/series --- subversion-1.10.4/debian/patches/series 2019-07-27 22:44:06.000000000 -0400 +++ subversion-1.10.4/debian/patches/series 2021-02-10 15:15:45.000000000 -0500 @@ -14,3 +14,4 @@ 0014-Provide-a-way-for-svnserve-s-get-deleted-rev-API-to-.patch 0015-Adjust-expectations-of-a-new-test-to-account-for-dif.patch 0016-In-svnserve-consistently-handle-errors-in-opening-a-.patch +0017-Fix-a-potential-NULL-dereference-in-the-config-file-.patch
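Review bot: the debian/changelog entry names CVE-2020-17525 and closes #982464 but does not record which upstream revision or release the backported fix was taken from, and the 0017 patch header carries only From/Date/Subject with no DEP-3 Origin or Bug fields. Adding `Origin: upstream, <upstream revision>` (placeholder, to be filled from the upstream commit) and `Bug-Debian: https://bugs.debian.org/982464` to the patch header would let a later maintainer trace the backport without searching upstream history.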
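Review bot: the debian/gbp.conf hunk (`-debian-branch = debian/sid` / `+debian-branch = debian/buster`) is packaging-branch bookkeeping rather than part of the security fix. It does not affect the built binaries, but it is not mentioned in the changelog entry; either noting it there or keeping it as a separate commit on the buster branch would leave the security debdiff containing only the CVE fix, which makes review by the security team simpler.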
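Review bot: in the config_file.c hunk, the new `if (repos_root_dirent == NULL)` guard in get_repos_config() routes the NULL return of svn_repos_find_root_path() to handle_missing_file() with svn_node_none, which is the right shape for closing an unauthenticated NULL dereference, but two things are worth confirming before upload to buster-security: that handle_missing_file() is defined or declared before this point in the 1.10.4 copy of config_file.c so the backported hunk compiles unchanged, and that its must_exist handling gives the intended outcome for a path outside any repository (an error when the config is required, an empty stream otherwise) rather than silently granting access. The patch also ships no regression test; a test exercising get_repos_config() with a path that lies outside any repository would make the backport self-verifying and guard against the check being lost in a future rebase.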