On Thu, Feb 27, 2014 at 09:52:17PM -0500, James McCoy wrote:
> I would like to upload subversion for the next Wheezy point release to
> address the following issues.
>
> * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
>   with SVNListParentPath on (Closes: #737815)
> * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
>   #711911)
Ping? > diffstat for subversion_1.6.17dfsg-4+deb7u4 subversion_1.6.17dfsg-4+deb7u5 > > debian/patches/CVE-2014-0032 | 39 > ++++++++++++++++++++++++++++ > subversion-1.6.17dfsg/debian/changelog | 9 ++++++ > subversion-1.6.17dfsg/debian/patches/series | 1 > subversion-1.6.17dfsg/debian/rules | 3 +- > 4 files changed, 51 insertions(+), 1 deletion(-) > > diff -u subversion-1.6.17dfsg/debian/rules subversion-1.6.17dfsg/debian/rules > --- subversion-1.6.17dfsg/debian/rules > +++ subversion-1.6.17dfsg/debian/rules > @@ -346,13 +346,14 @@ > cd debian/tmp/$(libdir); for lib in ra fs auth swig; do \ > $(RM) libsvn_$${lib}_*.so libsvn_$${lib}_*.la; \ > done > - cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl.a > libsvnjavahl.la > + cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl-1.a > libsvnjavahl-1.la > # Intermediate hack, until we can remove the rest of the .la files. > sed -i "/dependency_libs/s/=.*/=''/" debian/tmp/$(libdir)/*.la > dh_install -s > ifdef DEB_OPT_WITH_JAVAHL > mkdir -p debian/libsvn-java/$(libdir) > mv debian/libsvn-java/usr/lib/jni debian/libsvn-java/$(libdir)/ > + $(RM) debian/libsvn-dev/$(libdir)/libsvnjavahl-1.so > endif > ln -s libsvn_ra_neon-1.so.1 > debian/libsvn1/$(libdir)/libsvn_ra_dav-1.so.1 > > diff -u subversion-1.6.17dfsg/debian/changelog > subversion-1.6.17dfsg/debian/changelog > --- subversion-1.6.17dfsg/debian/changelog > +++ subversion-1.6.17dfsg/debian/changelog 
> @@ -1,3 +1,12 @@ > +subversion (1.6.17dfsg-4+deb7u5) UNRELEASED; urgency=medium > + > + * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests > + with SVNListParentPath on (Closes: #737815) > + * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes: > + #711911) > + > + -- James McCoy <james...@debian.org> Wed, 26 Feb 2014 21:19:57 -0500 > + > subversion (1.6.17dfsg-4+deb7u4) wheezy; urgency=low > > * Non-maintainer upload. > diff -u subversion-1.6.17dfsg/debian/patches/series > subversion-1.6.17dfsg/debian/patches/series > --- subversion-1.6.17dfsg/debian/patches/series > +++ subversion-1.6.17dfsg/debian/patches/series > @@ -42,0 +43 @@ > +CVE-2014-0032 > only in patch2: > unchanged: > --- subversion-1.6.17dfsg.orig/debian/patches/CVE-2014-0032 > +++ subversion-1.6.17dfsg/debian/patches/CVE-2014-0032 
> @@ -0,0 +1,39 @@ > +Author: Ben Reser <bre...@apache.org> > +Subject: Disallow methods other than GET/HEAD for the parentpath list. > + > +Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling > +the server root and SVNListParentPath is on. > + > +Origin: upstream, backported from commit:r1557320 > +Bug-CVE: http://subversion.apache.org/security/CVE-2014-0032-advisory.txt > +Bug-Debian: http://bugs.debian.org/737815 > +Last-Update: 2014-02-26 > + > +--- a/subversion/mod_dav_svn/repos.c > ++++ b/subversion/mod_dav_svn/repos.c > +@@ -1672,6 +1672,25 @@ > + > + if (strcmp(parentpath, uri) == 0) > + { > ++ /* Only allow GET and HEAD on the parentpath resource > ++ * httpd uses the same method_number for HEAD as GET */ > ++ if (r->method_number != M_GET) > ++ { > ++ int status; > ++ > ++ /* Marshal the error back to the client by generating by > ++ * way of the dav_svn__error_response_tag trick. */ > ++ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, > ++ SVN_ERR_APMOD_MALFORMED_URI, > ++ "The URI does not contain the name " > ++ "of a repository."); > ++ /* can't use r->allowed since the default handler isn't > called */ > ++ apr_table_setn(r->headers_out, "Allow", "GET,HEAD"); > ++ status = dav_svn__error_response_tag(r, err); > ++ > ++ return dav_push_error(r->pool, status, err->error_id, NULL, > err); > ++ } > ++ > + err = get_parentpath_resource(r, root_path, resource); > + if (err) > + return err; -- James GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <james...@debian.org>
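Review bot: In the debian/rules hunk, the added `$(RM) debian/libsvn-dev/$(libdir)/libsvnjavahl-1.so` runs on the installed package tree after `dh_install -s` and only inside `ifdef DEB_OPT_WITH_JAVAHL`, while the `.a`/`.la` files on the changed line above are removed from `debian/tmp` unconditionally and before `dh_install`. Nothing in the hunk says why the `.so` is treated differently, so a short comment above the new line giving the reason would stop a later cleanup from merging it into the earlier `$(RM)` line.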
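Review bot: The new debian/changelog entry still has UNRELEASED as its distribution, whereas the previous entry (1.6.17dfsg-4+deb7u4) targets wheezy. The field needs to be switched to the point-release target before the upload is built, and the trailer date refreshed at the same time.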
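Review bot: In the repos.c hunk carried by debian/patches/CVE-2014-0032, the 405 response is built with SVN_ERR_APMOD_MALFORMED_URI and the text "The URI does not contain the name of a repository.", which describes the URI rather than the rejected method, so a client that sends a non-GET request to the parent path gets a status and a message that disagree. If the wording is kept only to stay byte-identical with upstream r1557320, say so in the patch header; otherwise a message naming the disallowed method would match the `Allow: GET,HEAD` header set two lines later. The comment "Marshal the error back to the client by generating by way of" is also garbled and could be tidied, and it is worth keeping the note that HEAD shares `M_GET`, since the `r->method_number != M_GET` test depends on it.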