
Bug#891611: marked as done (jessie-pu: package subversion/1.8.10-6+deb8u6)



Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <1529753533.11744.69.camel@adam-barratt.org.uk>
and subject line Closing bugs for requests included in the EoL jessie point release
has caused the Debian Bug report #891611,
regarding jessie-pu: package subversion/1.8.10-6+deb8u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
891611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891611
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This upload would fix crashes that are seen when using subversion's Perl
bindings.  In particular, git-svn has been a common victim since its
memory usage patterns tend to cause the right conditions.

I've verified this against the originally reported issue[0] and
Salvatore Bonaccorso, who prodded me to prepare the upload, has verified
it against their problematic repository.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diffstat for subversion_1.8.10-6+deb8u5 subversion_1.8.10-6+deb8u6

 debian/patches/perl-swig-crash          |  244 ++++++++++++++++++++++++++++++++
 subversion-1.8.10/debian/changelog      |    7 
 subversion-1.8.10/debian/patches/series |    1 
 3 files changed, 252 insertions(+)

diff -u subversion-1.8.10/debian/changelog subversion-1.8.10/debian/changelog
--- subversion-1.8.10/debian/changelog
+++ subversion-1.8.10/debian/changelog
@@ -1,3 +1,10 @@
+subversion (1.8.10-6+deb8u6) jessie; urgency=medium
+
+  * Backport patches/perl-swig-crash from upstream to fix crashes with Perl
+    bindings, commonly seen when using git-svn (Closes: #780246, #534763).
+
+ -- James McCoy <jamessan@debian.org>  Mon, 26 Feb 2018 22:00:47 -0500
+
 subversion (1.8.10-6+deb8u5) jessie-security; urgency=high
 
   * patches/CVE-2016-8734: Unrestricted XML entity expansion in HTTP clients
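Review bot: the new changelog entry says only "Backport patches/perl-swig-crash from upstream" and does not name the upstream revisions being backported. The patch file bundles r1668618, r1671388, r1683266, r1683267 and r1683269; listing them in the entry would let anyone auditing the point release check the backport against upstream without opening the patch.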
diff -u subversion-1.8.10/debian/patches/series subversion-1.8.10/debian/patches/series
--- subversion-1.8.10/debian/patches/series
+++ subversion-1.8.10/debian/patches/series
@@ -33,0 +34 @@
+perl-swig-crash
only in patch2:
unchanged:
--- subversion-1.8.10.orig/debian/patches/perl-swig-crash
+++ subversion-1.8.10/debian/patches/perl-swig-crash
@@ -0,0 +1,244 @@
+------------------------------------------------------------------------
+r1668618 | philip | 2015-03-23 08:33:22 -0400 (Mon, 23 Mar 2015) | 6 lines
+
+* subversion/bindings/swig/include/svn_types.swg: Change the
+   SWIG Perl binding code that was marked "clearly buggy" so
+   that svn_swig_pl_from_md5 follows the same pattern as
+   svn_swig_pl_from_stream.  This may fix a SEGV reported
+   via Debian: https://bugs.debian.org/780246
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1668617)
++++ trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1668618)
+@@ -1116,11 +1116,7 @@
+ }
+ 
+ %typemap(argout) unsigned char *result_digest {
+-  /* FIXME: This code is clearly buggy. The return value of sv_newmortal()
+-     is immediately overwritten by the return value
+-     of svn_swig_pl_from_md5(). */
+-    ST(argvi) = sv_newmortal();
+-    ST(argvi++) = svn_swig_pl_from_md5($1);
++    %append_output(svn_swig_pl_from_md5($1));
+ }
+ #endif
+ 
+
+------------------------------------------------------------------------
+r1671388 | rschupp | 2015-04-05 08:48:45 -0400 (Sun, 05 Apr 2015) | 6 lines
+
+* subversion/bindings/swig/include/svn_types.swg: Following r1668618
+   fix two more instances where the Perl argument stack pointer 
+   was bumped without checking if there's enough space allocated.
+   While we're at it, reduce the size of the temp array - 30 bytes
+   are more than enough to hold a decimal representation of a 64-bit integer.
+
+
+Index: trunk/subversion/bindings/swig/include/apr.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/apr.swg	(revision 1671387)
++++ trunk/subversion/bindings/swig/include/apr.swg	(revision 1671388)
+@@ -31,23 +31,21 @@
+ */
+ #ifdef SWIGPERL
+ %typemap(out) long long {
+-    char temp[256];
++    char temp[30];
+     sprintf(temp, "%" APR_INT64_T_FMT, (apr_int64_t) $1);
+-    ST(argvi) = sv_newmortal();
+-    sv_setpv((SV*)ST(argvi++), temp);
++    %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+ 
+ %typemap(out) unsigned long long {
+-    char temp[256];
++    char temp[30];
+     sprintf(temp, "%" APR_UINT64_T_FMT, (apr_uint64_t) $1);
+-    ST(argvi) = sv_newmortal();
+-    sv_setpv((SV*)ST(argvi++), temp);
++    %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+ 
+ %typemap(in, numinputs=0) long long *OUTPUT (apr_int64_t temp)
+     "$1 = &temp;";
+ %typemap(argout) long long *OUTPUT {
+-  char temp[256];
++  char temp[30];
+   sprintf(temp, "%" APR_INT64_T_FMT, (apr_int64_t)*($1));
+   %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
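Review bot: in the `long long`, `unsigned long long` and `long long *OUTPUT` typemaps of this hunk, `char temp[256]` shrinks to `char temp[30]` while the write is still an unbounded `sprintf`, so the only thing keeping it in bounds is the cast to a 64-bit type. For a stable update I would either leave the buffer size alone, since it is unrelated to the stack-pointer fix, or bound the write with `snprintf(temp, sizeof(temp), ...)`. Separately, the r1671388 log message names `svn_types.swg`, but the file this hunk changes is `apr.swg`.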
+@@ -55,7 +53,7 @@
+ %typemap(in, numinputs=0) unsigned long long *OUTPUT (apr_uint64_t temp)
+     "$1 = &temp;";
+ %typemap(argout) unsigned long long *OUTPUT {
+-  char temp[256];
++  char temp[30];
+   sprintf(temp, "%" APR_UINT64_T_FMT, (apr_uint64_t)*($1));
+   %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+
+------------------------------------------------------------------------
+r1683266 | rschupp | 2015-06-03 05:50:59 -0400 (Wed, 03 Jun 2015) | 8 lines
+
+* subversion/bindings/swig/include/svn_types.swg:
+  Bracket calls with PUTBACK/SPAGAIN to helper functions 
+  that call back into Perl:
+  - svn_swig_pl_make_stream
+  - svn_swig_pl_from_stream
+  - svn_swig_pl_from_md5
+  Note: calls in typemaps need only SPAGAIN.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1683265)
++++ trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1683266)
+@@ -935,15 +935,24 @@
+ #ifdef SWIGPERL
+ %typemap(in) svn_stream_t * {
+     svn_swig_pl_make_stream (&$1, $input);
++    SPAGAIN;
+ }
+ 
+ %typemap(out) svn_stream_t * {
+-    $result = svn_swig_pl_from_stream ($1);
++    SV* tmp;
++    PUTBACK;
++    tmp = svn_swig_pl_from_stream ($1);
++    SPAGAIN;
++    $result = tmp;
+     argvi++;
+ }
+ 
+ %typemap(argout) svn_stream_t ** {
+-  %append_output(svn_swig_pl_from_stream(*$1));
++    SV *tmp;
++    PUTBACK;
++    tmp = svn_swig_pl_from_stream(*$1);
++    SPAGAIN;
++    %append_output(tmp);
+ }
+ #endif
+ 
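Review bot: the `%typemap(out) svn_stream_t *` body still ends with `$result = tmp;` followed by a hand-written `argvi++;`, which is the pattern r1671388 describes as bumping the argument stack pointer without checking for space, while the `argout` typemap right below goes through `%append_output`. Can the `out` typemap use the same checked path, or is there a reason it is safe here? Also, the log message says "calls in typemaps need only SPAGAIN", yet the `out` and `argout` typemaps in this hunk add `PUTBACK` as well and only the `in` typemap omits it; a short comment in the file on when `PUTBACK` is required would remove the ambiguity.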
+@@ -1116,7 +1125,11 @@
+ }
+ 
+ %typemap(argout) unsigned char *result_digest {
+-    %append_output(svn_swig_pl_from_md5($1));
++    SV *tmp;
++    PUTBACK;
++    tmp = svn_swig_pl_from_md5($1);
++    SPAGAIN;
++    %append_output(tmp);
+ }
+ #endif
+ 
+
+------------------------------------------------------------------------
+r1683267 | rschupp | 2015-06-03 05:56:16 -0400 (Wed, 03 Jun 2015) | 8 lines
+
+* subversion/bindings/swig/core.i, subversion/bindings/swig/svn_client.i,
+  subversion/bindings/swig/include/svn_containers.swg,
+  subversion/bindings/swig/include/svn_string.swg,
+  subversion/bindings/swig/include/svn_types.swg:
+  Bracket calls with PUTBACK/SPAGAIN to helper function svn_swig_pl_make_pool
+  as it calls back into Perl.
+  Note: calls in typemaps need only SPAGAIN.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_string.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_string.swg	(revision 1683266)
++++ trunk/subversion/bindings/swig/include/svn_string.swg	(revision 1683267)
+@@ -90,6 +90,7 @@
+ %typemap(in) svn_stringbuf_t * {
+     apr_size_t len;
+     char *buf;
++    apr_pool_t *pool;
+ 
+     if (!SvOK($input)) {
+         $1 = NULL;
+@@ -97,8 +98,9 @@
+         buf = SvPV($input, len);
+         /* Another case of ugly pool handling, this should use the current
+            default pool, or make a new one if it doesn't exist yet */
+-        $1 = svn_stringbuf_ncreate(buf,len,
+-                                   svn_swig_pl_make_pool ((SV *)NULL));
++        pool = svn_swig_pl_make_pool ((SV *)NULL);
++        SPAGAIN;
++        $1 = svn_stringbuf_ncreate(buf,len, pool);
+     } else {
+         croak("Not a string");
+     }
+Index: trunk/subversion/bindings/swig/include/svn_containers.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_containers.swg	(revision 1683266)
++++ trunk/subversion/bindings/swig/include/svn_containers.swg	(revision 1683267)
+@@ -269,8 +269,10 @@
+ %typemap(in) apr_hash_t *PROPHASH
+   (apr_pool_t *_global_pool = NULL)
+ {
+-  if (_global_pool == NULL)
++  if (_global_pool == NULL) {
+     _global_pool = svn_swig_pl_make_pool((SV *)NULL);
++    SPAGAIN;
++  }
+   $1 = svn_swig_pl_hash_to_prophash($input, _global_pool);  
+ }
+ %typemap(out) apr_hash_t *PROPHASH
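Review bot: the `SPAGAIN;` added after `svn_swig_pl_make_pool((SV *)NULL)` carries no comment, and the reason for it (the helper calls back into Perl) is stated only in the r1683267 log message. A one-line comment at the call site, here and at the other `svn_swig_pl_make_pool` callers touched by this revision, would keep a later cleanup from removing it as a no-op. Placing it inside the new braces is right, since the helper only runs when `_global_pool == NULL`.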
+Index: trunk/subversion/bindings/swig/svn_client.i
+===================================================================
+--- trunk/subversion/bindings/swig/svn_client.i	(revision 1683266)
++++ trunk/subversion/bindings/swig/svn_client.i	(revision 1683267)
+@@ -293,8 +293,9 @@
+  */
+ #ifdef SWIGPERL
+ %typemap(in) apr_hash_t *config {
+-  $1 = svn_swig_pl_objs_to_hash_by_name ($input, "svn_config_t *",
+-                                         svn_swig_pl_make_pool ((SV *)NULL));
++  apr_pool_t *pool = svn_swig_pl_make_pool ((SV *)NULL);
++  SPAGAIN;
++  $1 = svn_swig_pl_objs_to_hash_by_name ($input, "svn_config_t *", pool);
+ }
+ 
+ %typemap(out) apr_hash_t *config {
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1683266)
++++ trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1683267)
+@@ -548,6 +548,7 @@
+ %typemap(in) apr_pool_t *pool "";
+ %typemap(default) apr_pool_t *pool(apr_pool_t *_global_pool) {
+     _global_pool = $1 = svn_swig_pl_make_pool (ST(items-1));
++    SPAGAIN;
+ }
+ #endif
+ #ifdef SWIGRUBY
+------------------------------------------------------------------------
+r1683269 | rschupp | 2015-06-03 05:59:38 -0400 (Wed, 03 Jun 2015) | 4 lines
+
+* subversion/bindings/swig/include/svn_types.swg:
+  Bracket calls with PUTBACK/SPAGAIN to helper function 
+  svn_swig_pl_callback_thunk as it calls back into Perl.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1683268)
++++ trunk/subversion/bindings/swig/include/svn_types.swg	(revision 1683269)
+@@ -423,9 +423,11 @@
+         if (SvOK(exception_handler)) {
+             SV *callback_result;
+ 
++            PUTBACK;
+             svn_swig_pl_callback_thunk (CALL_SV, exception_handler,
+                                         &callback_result, "S", $1,
+                                         $1_descriptor);
++            SPAGAIN;
+         } else {
+             $result = SWIG_NewPointerObj($1, $1_descriptor, 0);
+             argvi++;
+
+------------------------------------------------------------------------
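Review bot: the new file `debian/patches/perl-swig-crash` opens directly with raw `svn log` output and has no DEP-3 header (Description, Origin, Bug-Debian). The changelog closes #780246 and #534763, but only the first appears in the patch, and only as a URL inside the r1668618 log text. Adding a header with both bug numbers and the upstream revision list as Origin would make the provenance machine-readable and keep the five concatenated upstream diffs easier to track.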

--- End Message ---
--- Begin Message ---
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---
