Bug#891611: jessie-pu: package subversion/1.8.10-6+deb8u6
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
This upload would fix crashes that are seen when using subversion's Perl
bindings. In particular, git-svn has been a common victim since its
memory usage patterns tend to create the conditions that trigger the crash.
I've verified this against the originally reported issue[0] and
Salvatore Bonaccorso, who prodded me to prepare the upload, has verified
it against their problematic repository.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diffstat for subversion_1.8.10-6+deb8u5 subversion_1.8.10-6+deb8u6
debian/patches/perl-swig-crash | 244 ++++++++++++++++++++++++++++++++
subversion-1.8.10/debian/changelog | 7
subversion-1.8.10/debian/patches/series | 1
3 files changed, 252 insertions(+)
diff -u subversion-1.8.10/debian/changelog subversion-1.8.10/debian/changelog
--- subversion-1.8.10/debian/changelog
+++ subversion-1.8.10/debian/changelog
@@ -1,3 +1,10 @@
+subversion (1.8.10-6+deb8u6) jessie; urgency=medium
+
+ * Backport patches/perl-swig-crash from upstream to fix crashes with Perl
+ bindings, commonly seen when using git-svn (Closes: #780246, #534763).
+
+ -- James McCoy <jamessan@debian.org> Mon, 26 Feb 2018 22:00:47 -0500
+
subversion (1.8.10-6+deb8u5) jessie-security; urgency=high
* patches/CVE-2016-8734: Unrestricted XML entity expansion in HTTP clients
diff -u subversion-1.8.10/debian/patches/series subversion-1.8.10/debian/patches/series
--- subversion-1.8.10/debian/patches/series
+++ subversion-1.8.10/debian/patches/series
@@ -33,0 +34 @@
+perl-swig-crash
only in patch2:
unchanged:
--- subversion-1.8.10.orig/debian/patches/perl-swig-crash
+++ subversion-1.8.10/debian/patches/perl-swig-crash
@@ -0,0 +1,244 @@
+------------------------------------------------------------------------
+r1668618 | philip | 2015-03-23 08:33:22 -0400 (Mon, 23 Mar 2015) | 6 lines
+
+* subversion/bindings/swig/include/svn_types.swg: Change the
+ SWIG Perl binding code that was marked "clearly buggy" so
+ that svn_swig_pl_from_md5 follows the same pattern as
+ svn_swig_pl_from_stream. This may fix a SEGV reported
+ via Debian: https://bugs.debian.org/780246
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg (revision 1668617)
++++ trunk/subversion/bindings/swig/include/svn_types.swg (revision 1668618)
+@@ -1116,11 +1116,7 @@
+ }
+
+ %typemap(argout) unsigned char *result_digest {
+- /* FIXME: This code is clearly buggy. The return value of sv_newmortal()
+- is immediately overwritten by the return value
+- of svn_swig_pl_from_md5(). */
+- ST(argvi) = sv_newmortal();
+- ST(argvi++) = svn_swig_pl_from_md5($1);
++ %append_output(svn_swig_pl_from_md5($1));
+ }
+ #endif
+
+
+------------------------------------------------------------------------
+r1671388 | rschupp | 2015-04-05 08:48:45 -0400 (Sun, 05 Apr 2015) | 6 lines
+
+* subversion/bindings/swig/include/svn_types.swg: Following r1668618
+ fix two more instances where the Perl argument stack pointer
+ was bumped without checking if there's enough space allocated.
+ While we're at it, reduce the size of the temp array - 30 bytes
+ are more than enough to hold a decimal representation of a 64-bit integer.
+
+
+Index: trunk/subversion/bindings/swig/include/apr.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/apr.swg (revision 1671387)
++++ trunk/subversion/bindings/swig/include/apr.swg (revision 1671388)
+@@ -31,23 +31,21 @@
+ */
+ #ifdef SWIGPERL
+ %typemap(out) long long {
+- char temp[256];
++ char temp[30];
+ sprintf(temp, "%" APR_INT64_T_FMT, (apr_int64_t) $1);
+- ST(argvi) = sv_newmortal();
+- sv_setpv((SV*)ST(argvi++), temp);
++ %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+
+ %typemap(out) unsigned long long {
+- char temp[256];
++ char temp[30];
+ sprintf(temp, "%" APR_UINT64_T_FMT, (apr_uint64_t) $1);
+- ST(argvi) = sv_newmortal();
+- sv_setpv((SV*)ST(argvi++), temp);
++ %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+
+ %typemap(in, numinputs=0) long long *OUTPUT (apr_int64_t temp)
+ "$1 = &temp;";
+ %typemap(argout) long long *OUTPUT {
+- char temp[256];
++ char temp[30];
+ sprintf(temp, "%" APR_INT64_T_FMT, (apr_int64_t)*($1));
+ %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+@@ -55,7 +53,7 @@
+ %typemap(in, numinputs=0) unsigned long long *OUTPUT (apr_uint64_t temp)
+ "$1 = &temp;";
+ %typemap(argout) unsigned long long *OUTPUT {
+- char temp[256];
++ char temp[30];
+ sprintf(temp, "%" APR_UINT64_T_FMT, (apr_uint64_t)*($1));
+ %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+
+------------------------------------------------------------------------
+r1683266 | rschupp | 2015-06-03 05:50:59 -0400 (Wed, 03 Jun 2015) | 8 lines
+
+* subversion/bindings/swig/include/svn_types.swg:
+ Bracket calls with PUTBACK/SPAGAIN to helper functions
+ that call back into Perl:
+ - svn_swig_pl_make_stream
+ - svn_swig_pl_from_stream
+ - svn_swig_pl_from_md5
+ Note: calls in typemaps need only SPAGAIN.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg (revision 1683265)
++++ trunk/subversion/bindings/swig/include/svn_types.swg (revision 1683266)
+@@ -935,15 +935,24 @@
+ #ifdef SWIGPERL
+ %typemap(in) svn_stream_t * {
+ svn_swig_pl_make_stream (&$1, $input);
++ SPAGAIN;
+ }
+
+ %typemap(out) svn_stream_t * {
+- $result = svn_swig_pl_from_stream ($1);
++ SV* tmp;
++ PUTBACK;
++ tmp = svn_swig_pl_from_stream ($1);
++ SPAGAIN;
++ $result = tmp;
+ argvi++;
+ }
+
+ %typemap(argout) svn_stream_t ** {
+- %append_output(svn_swig_pl_from_stream(*$1));
++ SV *tmp;
++ PUTBACK;
++ tmp = svn_swig_pl_from_stream(*$1);
++ SPAGAIN;
++ %append_output(tmp);
+ }
+ #endif
+
+@@ -1116,7 +1125,11 @@
+ }
+
+ %typemap(argout) unsigned char *result_digest {
+- %append_output(svn_swig_pl_from_md5($1));
++ SV *tmp;
++ PUTBACK;
++ tmp = svn_swig_pl_from_md5($1);
++ SPAGAIN;
++ %append_output(tmp);
+ }
+ #endif
+
+
+------------------------------------------------------------------------
+r1683267 | rschupp | 2015-06-03 05:56:16 -0400 (Wed, 03 Jun 2015) | 8 lines
+
+* subversion/bindings/swig/core.i, subversion/bindings/swig/svn_client.i,
+ subversion/bindings/swig/include/svn_containers.swg,
+ subversion/bindings/swig/include/svn_string.swg,
+ subversion/bindings/swig/include/svn_types.swg:
+ Bracket calls with PUTBACK/SPAGAIN to helper function svn_swig_pl_make_pool
+ as it calls back into Perl.
+ Note: calls in typemaps need only SPAGAIN.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_string.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_string.swg (revision 1683266)
++++ trunk/subversion/bindings/swig/include/svn_string.swg (revision 1683267)
+@@ -90,6 +90,7 @@
+ %typemap(in) svn_stringbuf_t * {
+ apr_size_t len;
+ char *buf;
++ apr_pool_t *pool;
+
+ if (!SvOK($input)) {
+ $1 = NULL;
+@@ -97,8 +98,9 @@
+ buf = SvPV($input, len);
+ /* Another case of ugly pool handling, this should use the current
+ default pool, or make a new one if it doesn't exist yet */
+- $1 = svn_stringbuf_ncreate(buf,len,
+- svn_swig_pl_make_pool ((SV *)NULL));
++ pool = svn_swig_pl_make_pool ((SV *)NULL);
++ SPAGAIN;
++ $1 = svn_stringbuf_ncreate(buf,len, pool);
+ } else {
+ croak("Not a string");
+ }
+Index: trunk/subversion/bindings/swig/include/svn_containers.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_containers.swg (revision 1683266)
++++ trunk/subversion/bindings/swig/include/svn_containers.swg (revision 1683267)
+@@ -269,8 +269,10 @@
+ %typemap(in) apr_hash_t *PROPHASH
+ (apr_pool_t *_global_pool = NULL)
+ {
+- if (_global_pool == NULL)
++ if (_global_pool == NULL) {
+ _global_pool = svn_swig_pl_make_pool((SV *)NULL);
++ SPAGAIN;
++ }
+ $1 = svn_swig_pl_hash_to_prophash($input, _global_pool);
+ }
+ %typemap(out) apr_hash_t *PROPHASH
+Index: trunk/subversion/bindings/swig/svn_client.i
+===================================================================
+--- trunk/subversion/bindings/swig/svn_client.i (revision 1683266)
++++ trunk/subversion/bindings/swig/svn_client.i (revision 1683267)
+@@ -293,8 +293,9 @@
+ */
+ #ifdef SWIGPERL
+ %typemap(in) apr_hash_t *config {
+- $1 = svn_swig_pl_objs_to_hash_by_name ($input, "svn_config_t *",
+- svn_swig_pl_make_pool ((SV *)NULL));
++ apr_pool_t *pool = svn_swig_pl_make_pool ((SV *)NULL);
++ SPAGAIN;
++ $1 = svn_swig_pl_objs_to_hash_by_name ($input, "svn_config_t *", pool);
+ }
+
+ %typemap(out) apr_hash_t *config {
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg (revision 1683266)
++++ trunk/subversion/bindings/swig/include/svn_types.swg (revision 1683267)
+@@ -548,6 +548,7 @@
+ %typemap(in) apr_pool_t *pool "";
+ %typemap(default) apr_pool_t *pool(apr_pool_t *_global_pool) {
+ _global_pool = $1 = svn_swig_pl_make_pool (ST(items-1));
++ SPAGAIN;
+ }
+ #endif
+ #ifdef SWIGRUBY
+------------------------------------------------------------------------
+r1683269 | rschupp | 2015-06-03 05:59:38 -0400 (Wed, 03 Jun 2015) | 4 lines
+
+* subversion/bindings/swig/include/svn_types.swg:
+ Bracket calls with PUTBACK/SPAGAIN to helper function
+ svn_swig_pl_callback_thunk as it calls back into Perl.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg (revision 1683268)
++++ trunk/subversion/bindings/swig/include/svn_types.swg (revision 1683269)
+@@ -423,9 +423,11 @@
+ if (SvOK(exception_handler)) {
+ SV *callback_result;
+
++ PUTBACK;
+ svn_swig_pl_callback_thunk (CALL_SV, exception_handler,
+ &callback_result, "S", $1,
+ $1_descriptor);
++ SPAGAIN;
+ } else {
+ $result = SWIG_NewPointerObj($1, $1_descriptor, 0);
+ argvi++;
+
+------------------------------------------------------------------------
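Review bot: In the apr.swg part of this patch, the four `long long` typemaps shrink `temp` from 256 to 30 bytes but still format into it with unbounded `sprintf`, so the buffer's safety now rests entirely on the `(apr_int64_t)`/`(apr_uint64_t)` casts keeping the output to at most 20 characters plus the terminator. A bounded call such as `apr_snprintf(temp, sizeof(temp), "%" APR_INT64_T_FMT, (apr_int64_t) $1);` would make that limit explicit and survive a later change to the type or format, assuming apr_strings.h is available to the generated wrapper, which this patch does not show. Separately, none of the added `PUTBACK`/`SPAGAIN` lines carries a comment, and the rule is stated only in the embedded commit logs. A one-line comment at each site, e.g. `/* helper calls back into Perl, which may move the argument stack; refresh the local sp */`, would help the next typemap author avoid reintroducing the stale-pointer crash. Other callers of these helpers outside the patched typemaps are not visible here and would need the same audit.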