Bug#740302: wheezy-pu: package subversion/1.6.17dfsg-4+deb7u5

To: 740302@bugs.debian.org
Subject: Bug#740302: wheezy-pu: package subversion/1.6.17dfsg-4+deb7u5
From: James McCoy <jamessan@debian.org>
Date: Sat, 8 Mar 2014 19:53:21 -0500
Message-id: <[🔎] 20140309005321.GA13627@cerberus.jamessan.com>
Reply-to: James McCoy <jamessan@debian.org>, 740302@bugs.debian.org
In-reply-to: <20140228025217.8060.8153.reportbug@cerberus.jamessan.com>
References: <20140228025217.8060.8153.reportbug@cerberus.jamessan.com>

On Thu, Feb 27, 2014 at 09:52:17PM -0500, James McCoy wrote:
> I would like to upload subversion for the next Wheezy point release to
> address the following issues.
> 
>    * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
>      with SVNListParentPath on  (Closes: #737815)
>    * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
>      #711911)

Ping?

> diffstat for subversion_1.6.17dfsg-4+deb7u4 subversion_1.6.17dfsg-4+deb7u5
> 
>  debian/patches/CVE-2014-0032                |   39 ++++++++++++++++++++++++++++
>  subversion-1.6.17dfsg/debian/changelog      |    9 ++++++
>  subversion-1.6.17dfsg/debian/patches/series |    1 
>  subversion-1.6.17dfsg/debian/rules          |    3 +-
>  4 files changed, 51 insertions(+), 1 deletion(-)
> 
> diff -u subversion-1.6.17dfsg/debian/rules subversion-1.6.17dfsg/debian/rules
> --- subversion-1.6.17dfsg/debian/rules
> +++ subversion-1.6.17dfsg/debian/rules
> @@ -346,13 +346,14 @@
>  	cd debian/tmp/$(libdir); for lib in ra fs auth swig; do \
>  	    $(RM) libsvn_$${lib}_*.so libsvn_$${lib}_*.la; \
>  	done
> -	cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl.a libsvnjavahl.la
> +	cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl-1.a libsvnjavahl-1.la
>  	# Intermediate hack, until we can remove the rest of the .la files.
>  	sed -i  "/dependency_libs/s/=.*/=''/" debian/tmp/$(libdir)/*.la
>  	dh_install -s
>  ifdef DEB_OPT_WITH_JAVAHL
>  	mkdir -p debian/libsvn-java/$(libdir)
>  	mv debian/libsvn-java/usr/lib/jni debian/libsvn-java/$(libdir)/
> +	$(RM) debian/libsvn-dev/$(libdir)/libsvnjavahl-1.so
>  endif
>  	ln -s libsvn_ra_neon-1.so.1 debian/libsvn1/$(libdir)/libsvn_ra_dav-1.so.1
>  
> diff -u subversion-1.6.17dfsg/debian/changelog subversion-1.6.17dfsg/debian/changelog
> --- subversion-1.6.17dfsg/debian/changelog
> +++ subversion-1.6.17dfsg/debian/changelog
> @@ -1,3 +1,12 @@
> +subversion (1.6.17dfsg-4+deb7u5) UNRELEASED; urgency=medium
> +
> +  * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
> +    with SVNListParentPath on  (Closes: #737815)
> +  * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
> +    #711911)
> +
> + -- James McCoy <jamessan@debian.org>  Wed, 26 Feb 2014 21:19:57 -0500
> +
>  subversion (1.6.17dfsg-4+deb7u4) wheezy; urgency=low
>  
>    * Non-maintainer upload.
> diff -u subversion-1.6.17dfsg/debian/patches/series subversion-1.6.17dfsg/debian/patches/series
> --- subversion-1.6.17dfsg/debian/patches/series
> +++ subversion-1.6.17dfsg/debian/patches/series
> @@ -42,0 +43 @@
> +CVE-2014-0032
> only in patch2:
> unchanged:
> --- subversion-1.6.17dfsg.orig/debian/patches/CVE-2014-0032
> +++ subversion-1.6.17dfsg/debian/patches/CVE-2014-0032
> @@ -0,0 +1,39 @@
> +Author: Ben Reser <breser@apache.org>
> +Subject: Disallow methods other than GET/HEAD for the parentpath list.
> +
> +Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
> +the server root and SVNListParentPath is on.
> +
> +Origin: upstream, backported from commit:r1557320
> +Bug-CVE: http://subversion.apache.org/security/CVE-2014-0032-advisory.txt
> +Bug-Debian: http://bugs.debian.org/737815
> +Last-Update: 2014-02-26
> +
> +--- a/subversion/mod_dav_svn/repos.c
> ++++ b/subversion/mod_dav_svn/repos.c
> +@@ -1672,6 +1672,25 @@
> + 
> +       if (strcmp(parentpath, uri) == 0)
> +         {
> ++          /* Only allow GET and HEAD on the parentpath resource
> ++           * httpd uses the same method_number for HEAD as GET */
> ++          if (r->method_number != M_GET)
> ++            {
> ++              int status;
> ++
> ++              /* Marshal the error back to the client by generating by
> ++               * way of the dav_svn__error_response_tag trick. */
> ++              err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
> ++                                       SVN_ERR_APMOD_MALFORMED_URI,
> ++                                       "The URI does not contain the name "
> ++                                       "of a repository.");
> ++              /* can't use r->allowed since the default handler isn't called */
> ++              apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
> ++              status = dav_svn__error_response_tag(r, err);
> ++
> ++              return dav_push_error(r->pool, status, err->error_id, NULL, err);
> ++            }
> ++
> +           err = get_parentpath_resource(r, root_path, resource);
> +           if (err)
> +             return err;


-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: NEW changes in stable-new
Next by Date: NEW changes in stable-new
Previous by thread: Bug#741119: transition: cogl
Next by thread: Bug#740302: wheezy-pu: package subversion/1.6.17dfsg-4+deb7u5
Index(es):
- Date
- Thread