Accepting request 221557 from devel:tools:scm:svn

- fix a remotely triggerable segfault in mod_dav_svn when svn is handling the server root and SVNListParentPath is on [bnc#862459] CVE-2014-0032 (forwarded request 221556 from AndreasStieger) OBS-URL: https://build.opensuse.org/request/show/221557 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/subversion?expand=0&rev=112
2014-02-11 09:45:39 +00:00 · 2014-02-11 09:45:39 +00:00 · 13f6716de0
commit 13f6716de0
parent f4d6f1f200 5a17d84723
3 changed files with 71 additions and 1 deletions
--- a/subversion-CVE-2014-0032.patch
+++ b/subversion-CVE-2014-0032.patch
@ -0,0 +1,59 @@
+From: Ben Reser <ben@reser.org>
+Subject: [PATCH] Disallow methods other than GET/HEAD for the parentpath list.
+Date: Sat, 11 Jan 2014 07:19:54 +0000
+References: bnc#862459 CVE-2014-0032 http://svn.apache.org/viewvc?view=revision&revision=r1557320
+Upstream: committed
+
+------------------------------------------------------------------------
+r1557320 | breser | 2014-01-11 07:19:54 +0000 (Sat, 11 Jan 2014) | 13 lines
+Changed paths:
+   M /subversion/trunk/subversion/mod_dav_svn/repos.c
+
+Disallow methods other than GET/HEAD for the parentpath list.
+
+Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
+the server root and SVNListParentPath is on.
+
+CVE-2014-0032
+
+* subversion/mod_dav_svn/repos.c
+  (get_resource): Return an error when we try to get a parentpath list
+    resource and the method isn't GET.
+
+Found by: lgo
+
+------------------------------------------------------------------------
+---
+ subversion/mod_dav_svn/repos.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+Index: subversion-1.8.5/subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion-1.8.5.orig/subversion/mod_dav_svn/repos.c	2013-11-14 21:02:26.000000000 +0000
+++ subversion-1.8.5/subversion/mod_dav_svn/repos.c	2014-02-09 22:25:05.000000000 +0000
+@@ -1971,6 +1971,25 @@ get_resource(request_rec *r,
+      of private resource, iff the SVNListParentPath directive is 'on'. */
+   if (dav_svn__is_parentpath_list(r))
+     {
+      /* Only allow GET and HEAD on the parentpath resource
+       * httpd uses the same method_number for HEAD as GET */
+      if (r->method_number != M_GET)
+        {
+          int status;
+
+          /* Marshall the error back to the client by generating by
+           * way of the dav_svn__error_response_tag trick. */
+          err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
+                                   SVN_ERR_APMOD_MALFORMED_URI,
+                                   "The URI does not contain the name "
+                                   "of a repository.");
+          /* can't use r->allowed since the default handler isn't called */
+          apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
+          status = dav_svn__error_response_tag(r, err);
+
+          return dav_push_error(r->pool, status, err->error_id, NULL, err);
+        }
+
+       err = get_parentpath_resource(r, resource);
+       if (err)
+         return err;
--- a/subversion.changes
+++ b/subversion.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sun Feb  9 22:30:22 UTC 2014 - andreas.stieger@gmx.de
+
+- fix a remotely triggerable segfault in mod_dav_svn when svn is
+  handling the server root and SVNListParentPath is on
+  [bnc#862459] CVE-2014-0032
+- added patches:
+  * subversion-CVE-2014-0032.patch
+
 -------------------------------------------------------------------
 Sun Dec  8 15:32:37 UTC 2013 - andreas.stieger@gmx.de

--- a/subversion.spec
+++ b/subversion.spec
@ -1,7 +1,7 @@
 #
 # spec file for package subversion
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # Copyright (c) 2013 Andreas Stieger <andreas.stieger@gmx.de>
 # Copyright (c) 2009-2010 Pascal Bleser <pascal.bleser@opensuse.org>
 #
@ -180,6 +180,7 @@ Patch31:        subversion.perl.LD_RUN_PATH.patch
 Patch37:        subversion-no-build-date.patch
 Patch38:        subversion-1.8.x-fix-ppc-tests.patch
 Patch39:        subversion-1.8.x-SQLite-3.8.patch
+Patch40:        subversion-CVE-2014-0032.patch
 #
 %if %with_ruby
 %define rb_arch %(echo "%{_host_cpu}-%{_os}" | sed -e "s/i686/i586/" -e "s/armv5tel/armv4l/" -e "s/hppa2.0/hppa/")
@ -346,6 +347,7 @@ popd #./sqlite-amalgamation
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
+%patch40 -p1

 SQLITE_RECOMMENDED_VER=$(grep -E '^SQLITE_RECOMMENDED_VER=' configure.ac|cut -f2 -d=|cut -f2 -d\")
 #"