diff -u subversion-1.7.5/debian/changelog subversion-1.7.5/debian/changelog
--- subversion-1.7.5/debian/changelog
+++ subversion-1.7.5/debian/changelog
@@ -1,3 +1,41 @@
+subversion (1.7.5-1+rpi1) wheezy-staging; urgency=low
+ * Add various security fixes, this should give us the same security fixes that
+ version 1.6.17dfsg-4+deb7u6 has.
+
+ Fix taken from http://svn.apache.org/viewvc?view=revision&revision=r1557320
+ * debian/patches/CVE-2014-0032.patch Disallow methods other than GET/HEAD
+ for the parentpath list.
+
+ Fixes taken from 1.7.5-1ubuntu2.1
+ * SECURITY UPDATE: denial of service in mod_dav_svn
+ - debian/patches/CVE-2013-1845.patch: handle multiple calls in
+ subversion/mod_dav_svn/deadprops.c.
+ - CVE-2013-1845
+ * SECURITY UPDATE: denial of service in mod_dav_svn via LOCK
+ - debian/patches/CVE-2013-1846_1847.patch: properly validate locks in
+ subversion/mod_dav_svn/lock.c.
+ - CVE-2013-1846
+ - CVE-2013-1847
+ * SECURITY UPDATE: denial of service in mod_dav_svn via PROPFIND
+ - debian/patches/CVE-2013-1849.patch: validate type in
+ subversion/mod_dav_svn/liveprops.c.
+ - CVE-2013-1849
+ * SECURITY UPDATE: denial of service in mod_dav_svn via log REPORT
+ - debian/patches/CVE-2013-1884.patch: fix error handling in
+ subversion/mod_dav_svn/reports/log.c.
+ - CVE-2013-1884
+ * SECURITY UPDATE: repo corruption via newline chars in filenames
+ - debian/patches/CVE-2013-1968.patch: properly escape paths in
+ subversion/libsvn_fs_fs/tree.c, added test to
+ subversion/tests/libsvn_fs/fs-test.c.
+ - CVE-2013-1968
+ * SECURITY UPDATE: denial of service via closed connection
+ - debian/patches/CVE-2013-2112.patch: check for closed connections in
+ subversion/svnserve/main.c.
+ - CVE-2013-2112
+
+ -- Peter Michael Green Sat, 22 Mar 2014 01:42:44 +0000
+
 subversion (1.7.5-1) unstable; urgency=low
 
 [ Peter Samuelson ]
diff -u subversion-1.7.5/debian/patches/series subversion-1.7.5/debian/patches/series
--- subversion-1.7.5/debian/patches/series
+++ subversion-1.7.5/debian/patches/series
@@ -23 +23,8 @@
+CVE-2013-1845.patch
+CVE-2013-1846_1847.patch
+CVE-2013-1849.patch
+CVE-2013-1884.patch
+CVE-2013-1968.patch
+CVE-2013-2112.patch
 java-osgi-metadata
+CVE-2014-0032.patch
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2013-2112.patch
+++ subversion-1.7.5/debian/patches/CVE-2013-2112.patch
@@ -0,0 +1,19 @@
+Description: fix denial of service via closed connection
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711033
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1485047
+
+Index: subversion-1.7.5/subversion/svnserve/main.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/svnserve/main.c 2011-06-21 14:00:13.000000000 -0400
++++ subversion-1.7.5/subversion/svnserve/main.c 2013-06-21 13:08:06.362542862 -0400
+@@ -928,7 +928,9 @@
+ connection_pool) == APR_CHILD_DONE)
+ ;
+ }
+- if (APR_STATUS_IS_EINTR(status))
++ if (APR_STATUS_IS_EINTR(status)
++ || APR_STATUS_IS_ECONNABORTED(status)
++ || APR_STATUS_IS_ECONNRESET(status))
+ {
+ svn_pool_destroy(connection_pool);
+ continue;
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2013-1849.patch
+++ subversion-1.7.5/debian/patches/CVE-2013-1849.patch
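Review bot: In debian/patches/CVE-2013-2112.patch, the widened condition in the svnserve/main.c accept loop carries no comment saying why ECONNABORTED and ECONNRESET are now treated like EINTR. Without it a later reader cannot tell that the two statuses were added so that a peer closing its connection early takes the `continue` instead of whatever error path follows, which is what the patch description ties to the denial of service. I would add above the `if`: `/* A client that drops the connection before accept returns must not stop the listener; retry as for EINTR. */`. The loop and the handling of every other status value lie outside the hunk, so whether further transient errors deserve the same treatment cannot be judged from here.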
@@ -0,0 +1,28 @@
+Description: fix denial of service in mod_dav_svn via PROPFIND
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1461944
+
+Index: subversion-1.7.5/subversion/mod_dav_svn/liveprops.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/mod_dav_svn/liveprops.c 2012-02-03 15:04:00.000000000 -0500
++++ subversion-1.7.5/subversion/mod_dav_svn/liveprops.c 2013-06-21 13:06:23.922540239 -0400
+@@ -429,7 +429,8 @@
+ svn_filesize_t len = 0;
+
+ /* our property, but not defined on collection resources */
+- if (resource->collection || resource->baselined)
++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
++ || resource->collection || resource->baselined)
+ return DAV_PROP_INSERT_NOTSUPP;
+
+ serr = svn_fs_file_length(&len, resource->info->root.root,
+@@ -453,7 +454,9 @@
+ svn_string_t *pval;
+ const char *mime_type = NULL;
+
+- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION)
++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
++ || (resource->baselined
++ && resource->type == DAV_RESOURCE_TYPE_VERSION))
+ return DAV_PROP_INSERT_NOTSUPP;
+
+ if (resource->type == DAV_RESOURCE_TYPE_PRIVATE
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2013-1845.patch
+++ subversion-1.7.5/debian/patches/CVE-2013-1845.patch
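Review bot: In CVE-2013-1849.patch the comment kept above the first changed condition in liveprops.c, `/* our property, but not defined on collection resources */`, no longer describes the test, which now also rejects `DAV_RESOURCE_TYPE_ACTIVITY`. The reason is the security-relevant part: the next statement hands `resource->info->root.root` to `svn_fs_file_length`, and presumably an activity resource has no usable root there, which is what a PROPFIND could reach. Suggested wording: `/* our property, but not defined on collection, baselined or activity resources; an activity has no FS root to query */`. The second changed condition (hunk at -453) has no comment at all and would benefit from the same one-line reason. Both enclosing blocks begin and end outside the hunks.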
@@ -0,0 +1,107 @@
+Description: fix denial of service in mod_dav_svn
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1454237
+
+Index: subversion-1.7.5/subversion/mod_dav_svn/deadprops.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/mod_dav_svn/deadprops.c 2010-12-30 15:46:50.000000000 -0500
++++ subversion-1.7.5/subversion/mod_dav_svn/deadprops.c 2013-06-21 13:05:32.326538918 -0400
+@@ -168,6 +168,7 @@
+ const char *propname;
+ svn_error_t *serr;
+ const dav_resource *resource = db->resource;
++ apr_pool_t *subpool;
+
+ /* get the repos-local name */
+ get_repos_propname(db, name, &propname);
+@@ -202,13 +203,16 @@
+
+ */
+
++ /* A subpool to cope with mod_dav making multiple calls, e.g. during
++ PROPPATCH with multiple values. */
++ subpool = svn_pool_create(db->resource->pool);
+ if (db->resource->baselined)
+ {
+ if (db->resource->working)
+ {
+ serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
+ propname, value,
+- resource->pool);
++ subpool);
+ }
+ else
+ {
+@@ -219,7 +223,7 @@
+ TRUE, TRUE,
+ db->authz_read_func,
+ db->authz_read_baton,
+- resource->pool);
++ subpool);
+
+ /* Prepare any hook failure message to get sent over the wire */
+ if (serr)
+@@ -242,20 +246,21 @@
+ dav_svn__operational_log(resource->info,
+ svn_log__change_rev_prop(
+ resource->info->root.rev,
+- propname, resource->pool));
++ propname, subpool));
+ }
+ }
+ else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
+ {
+ serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
+- propname, value, resource->pool);
++ propname, value, subpool);
+ }
+ else
+ {
+ serr = svn_repos_fs_change_node_prop(resource->info->root.root,
+ get_repos_path(resource->info),
+- propname, value, resource->pool);
++ propname, value, subpool);
+ }
++ svn_pool_destroy(subpool);
+
+ if (serr != NULL)
+ return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+@@ -540,6 +545,7 @@
+ {
+ svn_error_t *serr;
+ const char *propname;
++ apr_pool_t *subpool;
+
+ /* get the repos-local name */
+ get_repos_propname(db, name, &propname);
+@@ -548,11 +554,15 @@
+ if (propname == NULL)
+ return NULL;
+
++ /* A subpool to cope with mod_dav making multiple calls, e.g. during
++ PROPPATCH with multiple values. */
++ subpool = svn_pool_create(db->resource->pool);
++
+ /* Working Baseline or Working (Version) Resource */
+ if (db->resource->baselined)
+ if (db->resource->working)
+ serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
+- propname, NULL, db->resource->pool);
++ propname, NULL, subpool);
+ else
+ /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
+ not a working resource! But this is how we currently
+@@ -564,11 +574,12 @@
+ propname, NULL, NULL, TRUE, TRUE,
+ db->authz_read_func,
+ db->authz_read_baton,
+- db->resource->pool);
++ subpool);
+ else
+ serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
+ get_repos_path(db->resource->info),
+- propname, NULL, db->resource->pool);
++ propname, NULL, subpool);
++ svn_pool_destroy(subpool);
+ if (serr != NULL)
+ return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+ "could not remove a property",
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2013-1968.patch
+++ subversion-1.7.5/debian/patches/CVE-2013-1968.patch
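Review bot: In CVE-2013-1845.patch (deadprops.c, hunk at -242) the string returned by `svn_log__change_rev_prop(..., subpool)` is now allocated in `subpool`, and `svn_pool_destroy(subpool)` runs a few lines later in the same function. That is only safe if `dav_svn__operational_log` copies the line rather than keeping the pointer for later logging; its definition is not in the hunk, so this should be confirmed, or the log line left in the request-lifetime pool as before with `propname, resource->pool));`. Separately, the first function already has `resource` as an alias for `db->resource`, so `svn_pool_create(resource->pool)` would match the calls around it. Both functions start and end outside the hunks.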
@@ -0,0 +1,197 @@
+Description: fix repo corruption via newline chars in filenames
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711033
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1485182
+
+Index: subversion-1.7.5/subversion/libsvn_fs_fs/tree.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/libsvn_fs_fs/tree.c 2012-03-27 00:02:36.000000000 -0400
++++ subversion-1.7.5/subversion/libsvn_fs_fs/tree.c 2013-06-21 13:07:28.498541892 -0400
+@@ -44,6 +44,7 @@
+ #include "svn_private_config.h"
+ #include "svn_pools.h"
+ #include "svn_error.h"
++#include "svn_ctype.h"
+ #include "svn_dirent_uri.h"
+ #include "svn_path.h"
+ #include "svn_mergeinfo.h"
+@@ -1806,6 +1807,78 @@
+ return svn_fs_fs__dag_dir_entries(table_p, node, pool, pool);
+ }
+
++/* Return a copy of PATH, allocated from POOL, for which control
++ characters have been escaped using the form \NNN (where NNN is the
++ octal representation of the byte's ordinal value). */
++static const char *
++illegal_path_escape(const char *path, apr_pool_t *pool)
++{
++ svn_stringbuf_t *retstr;
++ apr_size_t i, copied = 0;
++ int c;
++
++ /* At least one control character:
++ strlen - 1 (control) + \ + N + N + N + null . */
++ retstr = svn_stringbuf_create_ensure(strlen(path) + 4, pool);
++ for (i = 0; path[i]; i++)
++ {
++ c = (unsigned char)path[i];
++ if (! svn_ctype_iscntrl(c))
++ continue;
++
++ /* If we got here, we're looking at a character that isn't
++ supported by the (or at least, our) URI encoding scheme. We
++ need to escape this character. */
++
++ /* First things first, copy all the good stuff that we haven't
++ yet copied into our output buffer. */
++ if (i - copied)
++ svn_stringbuf_appendbytes(retstr, path + copied,
++ i - copied);
++
++ /* Make sure buffer is big enough for '\' 'N' 'N' 'N' (and NUL) */
++ svn_stringbuf_ensure(retstr, retstr->len + 5);
++ /*### The backslash separator doesn't work too great with Windows,
++ but it's what we'll use for consistency with invalid utf8
++ formatting (until someone has a better idea) */
++ apr_snprintf(retstr->data + retstr->len, 5, "\\%03o", (unsigned char)c);
++ retstr->len += 4;
++
++ /* Finally, update our copy counter. */
++ copied = i + 1;
++ }
++
++ /* If we didn't encode anything, we don't need to duplicate the string. */
++ if (retstr->len == 0)
++ return path;
++
++ /* Anything left to copy? */
++ if (i - copied)
++ svn_stringbuf_appendbytes(retstr, path + copied, i - copied);
++
++ /* retstr is null-terminated either by apr_snprintf or the svn_stringbuf
++ functions. */
++
++ return retstr->data;
++}
++
++/* Raise an error if PATH contains a newline because FSFS cannot handle
++ * such paths. See issue #4340. */
++static svn_error_t *
++check_newline(const char *path, apr_pool_t *pool)
++{
++ const char *c;
++
++ for (c = path; *c; c++)
++ {
++ if (*c == '\n')
++ return svn_error_createf(SVN_ERR_FS_PATH_SYNTAX, NULL,
++ _("Invalid control character '0x%02x' in path '%s'"),
++ (unsigned char)*c, illegal_path_escape(path, pool));
++ }
++
++ return SVN_NO_ERROR;
++}
+
+ /* Create a new directory named PATH in ROOT. The new directory has
+ no entries, and no properties. ROOT must be the root of a
+@@ -1820,6 +1893,8 @@
+ dag_node_t *sub_dir;
+ const char *txn_id = root->txn;
+
++ SVN_ERR(check_newline(path, pool));
++
+ SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
+ txn_id, pool));
+
+@@ -2082,6 +2157,8 @@
+ const char *to_path,
+ apr_pool_t *pool)
+ {
++ SVN_ERR(check_newline(to_path, pool));
++
+ return svn_error_trace(copy_helper(from_root, from_path, to_root, to_path,
+ TRUE, pool));
+ }
+@@ -2174,6 +2251,8 @@
+ dag_node_t *child;
+ const char *txn_id = root->txn;
+
++ SVN_ERR(check_newline(path, pool));
++
+ SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional,
+ txn_id, pool));
+
+Index: subversion-1.7.5/subversion/tests/libsvn_fs/fs-test.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/tests/libsvn_fs/fs-test.c 2011-04-13 05:06:07.000000000 -0400
++++ subversion-1.7.5/subversion/tests/libsvn_fs/fs-test.c 2013-06-21 13:07:31.522541970 -0400
+@@ -4799,6 +4799,62 @@
+ return SVN_NO_ERROR;
+ }
+
++/* Issue 4340, "fs layer should reject filenames with trailing \n" */
++static svn_error_t *
++filename_trailing_newline(const svn_test_opts_t *opts,
++ apr_pool_t *pool)
++{
++ apr_pool_t *subpool = svn_pool_create(pool);
++ svn_fs_t *fs;
++ svn_fs_txn_t *txn;
++ svn_fs_root_t *txn_root, *root;
++ svn_revnum_t youngest_rev = 0;
++ svn_error_t *err;
++ svn_boolean_t allow_newlines;
++
++ /* Some filesystem implementations can handle newlines in filenames
++ * and can be white-listed here.
++ * Currently, only BDB supports \n in filenames. */
++ allow_newlines = (strcmp(opts->fs_type, "bdb") == 0);
++
++ SVN_ERR(svn_test__create_fs(&fs, "test-filename-trailing-newline",
++ opts, pool));
++
++ /* Revision 1: Add a directory /foo */
++ SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, subpool));
++ SVN_ERR(svn_fs_txn_root(&txn_root, txn, subpool));
++ SVN_ERR(svn_fs_make_dir(txn_root, "/foo", subpool));
++ SVN_ERR(svn_fs_commit_txn(NULL, &youngest_rev, txn, subpool));
++ SVN_TEST_ASSERT(SVN_IS_VALID_REVNUM(youngest_rev));
++ svn_pool_clear(subpool);
++
++ /* Attempt to copy /foo to "/bar\n". This should fail on FSFS. */
++ SVN_ERR(svn_fs_begin_txn(&txn, fs, youngest_rev, subpool));
++ SVN_ERR(svn_fs_txn_root(&txn_root, txn, subpool));
++ SVN_ERR(svn_fs_revision_root(&root, fs, youngest_rev, subpool));
++ err = svn_fs_copy(root, "/foo", txn_root, "/bar\n", subpool);
++ if (allow_newlines)
++ SVN_TEST_ASSERT(err == SVN_NO_ERROR);
++ else
++ {
++ SVN_TEST_ASSERT(err && err->apr_err == SVN_ERR_FS_PATH_SYNTAX);
++ svn_error_clear(err);
++ }
++
++ /* Attempt to create a file /foo/baz\n. This should fail on FSFS. */
++ err = svn_fs_make_file(txn_root, "/foo/baz\n", subpool);
++ if (allow_newlines)
++ SVN_TEST_ASSERT(err == SVN_NO_ERROR);
++ else
++ {
++ SVN_TEST_ASSERT(err && err->apr_err == SVN_ERR_FS_PATH_SYNTAX);
++ svn_error_clear(err);
++ }
++
++ return SVN_NO_ERROR;
++}
++
++
+ /* ------------------------------------------------------------------------ */
+
+ /* The test table. */
+@@ -4878,5 +4934,7 @@
+ "test svn_fs_node_origin_rev"),
+ SVN_TEST_OPTS_PASS(small_file_integrity,
+ "create and modify small file"),
++ SVN_TEST_OPTS_PASS(filename_trailing_newline,
++ "filenames with trailing \\n might be rejected"),
+ SVN_TEST_NULL
+ };
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2014-0032.patch
+++ subversion-1.7.5/debian/patches/CVE-2014-0032.patch
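Review bot: In CVE-2013-1968.patch the new test `filename_trailing_newline` exercises `svn_fs_copy` and `svn_fs_make_file` but not directory creation, although tree.c gains the same `check_newline` call in a third function (hunk at -1820, apparently the directory-creation path judging by the comment above it). A call such as `err = svn_fs_make_dir(txn_root, "/foo/qux\n", subpool);` followed by the same `allow_newlines` assertion would cover it, and one path with an embedded rather than trailing newline would pin down the loop in `check_newline`. The `check_newline` comment should also state that only `'\n'` is rejected while other control characters are still accepted, because the error text says "Invalid control character" and `illegal_path_escape` escapes all of them. The test creates `subpool` and returns without `svn_pool_destroy(subpool)`.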
@@ -0,0 +1,47 @@
+Patch taken from http://svn.apache.org/viewvc?view=revision&revision=r1557320
+
+Backported to version in raspbian by Peter Michael Green.
+
+Disallow methods other than GET/HEAD for the parentpath list.
+
+Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
+the server root and SVNListParentPath is on.
+
+CVE-2014-0032
+
+* subversion/mod_dav_svn/repos.c
+ (get_resource): Return an error when we try to get a parentpath list
+ resource and the method isn't GET.
+
+Found by: lgo
+
+Index: subversion-1.7.5/subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/mod_dav_svn/repos.c 2012-04-21 04:01:42.000000000 +0000
++++ subversion-1.7.5/subversion/mod_dav_svn/repos.c 2014-03-22 01:51:24.000000000 +0000
+@@ -1954,6 +1954,25 @@
+ of private resource, iff the SVNListParentPath directive is 'on'. */
+ if (fs_parent_path && dav_svn__get_list_parentpath_flag(r))
+ {
++ /* Only allow GET and HEAD on the parentpath resource
++ * httpd uses the same method_number for HEAD as GET */
++ if (r->method_number != M_GET)
++ {
++ int status;
++
++ /* Marshall the error back to the client by generating by
++ * way of the dav_svn__error_response_tag trick. */
++ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++ SVN_ERR_APMOD_MALFORMED_URI,
++ "The URI does not contain the name "
++ "of a repository.");
++ /* can't use r->allowed since the default handler isn't called */
++ apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++ status = dav_svn__error_response_tag(r, err);
++
++ return dav_push_error(r->pool, status, err->error_id, NULL, err);
++ }
++
+ char *uri = apr_pstrdup(r->pool, r->uri);
+ char *parentpath = apr_pstrdup(r->pool, root_path);
+ apr_size_t uri_len = strlen(uri);
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2013-1884.patch
+++ subversion-1.7.5/debian/patches/CVE-2013-1884.patch
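Review bot: In CVE-2014-0032.patch the new `if (r->method_number != M_GET)` block is inserted ahead of the existing declarations `char *uri`, `char *parentpath` and `apr_size_t uri_len`, so inside the same braces those become declarations after a statement. That is not valid C89/C90 and warns under `-Wdeclaration-after-statement`; if this tree is still built to that standard, place the method check after the declarations (they only copy `r->uri` and `root_path`, so running them first is harmless). The added comment `Marshall the error back to the client by generating by way of` also contains a duplicated phrase. The enclosing `get_resource` body continues outside the hunk.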
@@ -0,0 +1,19 @@
+Description: fix denial of service in mod_dav_svn via log REPORT
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1462332
+
+Index: subversion-1.7.5/subversion/mod_dav_svn/reports/log.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/mod_dav_svn/reports/log.c 2012-01-11 10:57:13.000000000 -0500
++++ subversion-1.7.5/subversion/mod_dav_svn/reports/log.c 2013-06-21 13:06:51.186540937 -0400
+@@ -341,10 +341,9 @@
+ dav_xml_get_cdata(child, resource->pool, 1));
+ if (serr)
+ {
+- derr = dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
++ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
+ "Malformed CDATA in element "
+ "\"limit\"", resource->pool);
+- goto cleanup;
+ }
+ }
+ else if (strcmp(child->name, "discover-changed-paths") == 0)
only in patch2:
unchanged:
--- subversion-1.7.5.orig/debian/patches/CVE-2013-1846_1847.patch
+++ subversion-1.7.5/debian/patches/CVE-2013-1846_1847.patch
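Review bot: In CVE-2013-1884.patch the early `return` in reports/log.c replaces `goto cleanup` without a comment saying why this one error path must skip the cleanup label. The label and the state it touches are outside the hunk; presumably it relies on something that is not yet set up while the request body is still being parsed, and that is the crash the description refers to. A line such as `/* Return directly: the cleanup path relies on state initialised only after parsing. */` would keep a later edit from restoring the `goto`. It is also worth checking that the other error exits in the same parsing loop, which the hunk does not show, do not jump to `cleanup` under the same conditions.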
@@ -0,0 +1,52 @@
+Description: fix denial of service via LOCK
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1462331
+
+Index: subversion-1.7.5/subversion/mod_dav_svn/lock.c
+===================================================================
+--- subversion-1.7.5.orig/subversion/mod_dav_svn/lock.c 2011-06-03 14:09:17.000000000 -0400
++++ subversion-1.7.5/subversion/mod_dav_svn/lock.c 2013-06-21 13:05:59.530539614 -0400
+@@ -640,6 +640,19 @@
+ svn_lock_t *slock;
+ svn_error_t *serr;
+ dav_error *derr;
++ dav_svn_repos *repos = resource->info->repos;
++
++ /* We don't allow anonymous locks */
++ if (! repos->username)
++ return dav_svn__new_error(resource->pool, HTTP_UNAUTHORIZED,
++ DAV_ERR_LOCK_SAVE_LOCK,
++ "Anonymous lock creation is not allowed.");
++
++ /* Not a path in the repository so can't lock it. */
++ if (! resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST,
++ DAV_ERR_LOCK_SAVE_LOCK,
++ "Attempted to lock path not in repository.");
+
+ /* If the resource's fs path is unreadable, we don't allow a lock to
+ be created on it. */
+@@ -663,7 +676,6 @@
+ svn_fs_txn_t *txn;
+ svn_fs_root_t *txn_root;
+ const char *conflict_msg;
+- dav_svn_repos *repos = resource->info->repos;
+ apr_hash_t *revprop_table = apr_hash_make(resource->pool);
+ apr_hash_set(revprop_table, SVN_PROP_REVISION_AUTHOR,
+ APR_HASH_KEY_STRING, svn_string_create(repos->username,
+@@ -741,14 +753,14 @@
+
+ /* Convert the dav_lock into an svn_lock_t. */
+ derr = dav_lock_to_svn_lock(&slock, lock, resource->info->repos_path,
+- info, resource->info->repos->is_svn_client,
++ info, repos->is_svn_client,
+ resource->pool);
+ if (derr)
+ return derr;
+
+ /* Now use the svn_lock_t to actually perform the lock. */
+ serr = svn_repos_fs_lock(&slock,
+- resource->info->repos->repos,
++ repos->repos,
+ slock->path,
+ slock->token,
+ slock->comment,
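Review bot: In CVE-2013-1846_1847.patch the two new guards in lock.c say what is refused but not what they protect. The later context shows `svn_string_create(repos->username,` and `dav_lock_to_svn_lock(&slock, lock, resource->info->repos_path,`, so a NULL `username` or `repos_path` would otherwise reach those calls; the comments could say so, for example `/* We don't allow anonymous locks; repos->username is used as the revision author below. */`. The hoisted `dav_svn_repos *repos = resource->info->repos;` is dereferenced straight away, so the function still assumes `resource->info` and its `repos` are non-NULL for every request that gets here, which cannot be verified from the hunk. Other lock hooks in the file are not shown; if they read the same two fields they need the same checks.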