Bug#740302: wheezy-pu: package subversion/1.6.17dfsg-4+deb7u5
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
I would like to upload subversion for the next Wheezy point release to
address the following issues.
* Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
with SVNListParentPath on (Closes: #737815)
* rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
#711911)
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for subversion_1.6.17dfsg-4+deb7u4 subversion_1.6.17dfsg-4+deb7u5
debian/patches/CVE-2014-0032 | 39 ++++++++++++++++++++++++++++
subversion-1.6.17dfsg/debian/changelog | 9 ++++++
subversion-1.6.17dfsg/debian/patches/series | 1
subversion-1.6.17dfsg/debian/rules | 3 +-
4 files changed, 51 insertions(+), 1 deletion(-)
diff -u subversion-1.6.17dfsg/debian/rules subversion-1.6.17dfsg/debian/rules
--- subversion-1.6.17dfsg/debian/rules
+++ subversion-1.6.17dfsg/debian/rules
@@ -346,13 +346,14 @@
cd debian/tmp/$(libdir); for lib in ra fs auth swig; do \
$(RM) libsvn_$${lib}_*.so libsvn_$${lib}_*.la; \
done
- cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl.a libsvnjavahl.la
+ cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl-1.a libsvnjavahl-1.la
# Intermediate hack, until we can remove the rest of the .la files.
sed -i "/dependency_libs/s/=.*/=''/" debian/tmp/$(libdir)/*.la
dh_install -s
ifdef DEB_OPT_WITH_JAVAHL
mkdir -p debian/libsvn-java/$(libdir)
mv debian/libsvn-java/usr/lib/jni debian/libsvn-java/$(libdir)/
+ $(RM) debian/libsvn-dev/$(libdir)/libsvnjavahl-1.so
endif
ln -s libsvn_ra_neon-1.so.1 debian/libsvn1/$(libdir)/libsvn_ra_dav-1.so.1
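Review bot: the two removals in this hunk are handled at different stages: libsvnjavahl-1.a/.la are pruned from debian/tmp before dh_install, while libsvnjavahl-1.so is pruned from the already-installed debian/libsvn-dev tree and only under DEB_OPT_WITH_JAVAHL. That is safe because $(RM) is rm -f and tolerates a missing file, but a short comment next to the `$(RM) debian/libsvn-dev/$(libdir)/libsvnjavahl-1.so` line explaining why the .so must be removed after dh_install rather than from debian/tmp like the .a/.la would save the next reader from wondering whether the asymmetry is intentional.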
diff -u subversion-1.6.17dfsg/debian/changelog subversion-1.6.17dfsg/debian/changelog
--- subversion-1.6.17dfsg/debian/changelog
+++ subversion-1.6.17dfsg/debian/changelog
@@ -1,3 +1,12 @@
+subversion (1.6.17dfsg-4+deb7u5) UNRELEASED; urgency=medium
+
+ * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
+ with SVNListParentPath on (Closes: #737815)
+ * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
+ #711911)
+
+ -- James McCoy <jamessan@debian.org> Wed, 26 Feb 2014 21:19:57 -0500
+
subversion (1.6.17dfsg-4+deb7u4) wheezy; urgency=low
* Non-maintainer upload.
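Review bot: the new changelog entry still carries `UNRELEASED` as the distribution; for a wheezy point-release upload it has to be `wheezy`, as the +deb7u4 entry below uses, before the package is built and uploaded.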
diff -u subversion-1.6.17dfsg/debian/patches/series subversion-1.6.17dfsg/debian/patches/series
--- subversion-1.6.17dfsg/debian/patches/series
+++ subversion-1.6.17dfsg/debian/patches/series
@@ -42,0 +43 @@
+CVE-2014-0032
only in patch2:
unchanged:
--- subversion-1.6.17dfsg.orig/debian/patches/CVE-2014-0032
+++ subversion-1.6.17dfsg/debian/patches/CVE-2014-0032
@@ -0,0 +1,39 @@
+Author: Ben Reser <breser@apache.org>
+Subject: Disallow methods other than GET/HEAD for the parentpath list.
+
+Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
+the server root and SVNListParentPath is on.
+
+Origin: upstream, backported from commit:r1557320
+Bug-CVE: http://subversion.apache.org/security/CVE-2014-0032-advisory.txt
+Bug-Debian: http://bugs.debian.org/737815
+Last-Update: 2014-02-26
+
+--- a/subversion/mod_dav_svn/repos.c
++++ b/subversion/mod_dav_svn/repos.c
+@@ -1672,6 +1672,25 @@
+
+ if (strcmp(parentpath, uri) == 0)
+ {
++ /* Only allow GET and HEAD on the parentpath resource
++ * httpd uses the same method_number for HEAD as GET */
++ if (r->method_number != M_GET)
++ {
++ int status;
++
++ /* Marshal the error back to the client by generating by
++ * way of the dav_svn__error_response_tag trick. */
++ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++ SVN_ERR_APMOD_MALFORMED_URI,
++ "The URI does not contain the name "
++ "of a repository.");
++ /* can't use r->allowed since the default handler isn't called */
++ apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++ status = dav_svn__error_response_tag(r, err);
++
++ return dav_push_error(r->pool, status, err->error_id, NULL, err);
++ }
++
+ err = get_parentpath_resource(r, root_path, resource);
+ if (err)
+ return err;
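Review bot: the guard is inserted before get_parentpath_resource(), so any non-GET method on the parent-path URI now gets a 405 with an explicit Allow header instead of reaching the code path that crashed. The one thing to double-check for the backport is the assumption stated in the comment at the top of the block, that httpd assigns HEAD the same method_number as GET: if that does not hold for the apache2 shipped in wheezy, HEAD requests to the parent path would be rejected with 405 even though Allow advertises them.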