diff --git a/subversion-CVE-2014-0032.patch b/subversion-CVE-2014-0032.patch
new file mode 100644
index 0000000..cadeee1
--- /dev/null
+++ b/subversion-CVE-2014-0032.patch
@@ -0,0 +1,59 @@
+From: Ben Reser
+Subject: [PATCH] Disallow methods other than GET/HEAD for the parentpath list.
+Date: Sat, 11 Jan 2014 07:19:54 +0000
+References: bnc#862459 CVE-2014-0032 http://svn.apache.org/viewvc?view=revision&revision=r1557320
+Upstream: committed
+
+------------------------------------------------------------------------
+r1557320 | breser | 2014-01-11 07:19:54 +0000 (Sat, 11 Jan 2014) | 13 lines
+Changed paths:
+ M /subversion/trunk/subversion/mod_dav_svn/repos.c
+
+Disallow methods other than GET/HEAD for the parentpath list.
+
+Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
+the server root and SVNListParentPath is on.
+
+CVE-2014-0032
+
+* subversion/mod_dav_svn/repos.c
+ (get_resource): Return an error when we try to get a parentpath list
+ resource and the method isn't GET.
+
+Found by: lgo
+
+------------------------------------------------------------------------
+---
+ subversion/mod_dav_svn/repos.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+Index: subversion-1.8.5/subversion/mod_dav_svn/repos.c
+===================================================================
+--- subversion-1.8.5.orig/subversion/mod_dav_svn/repos.c 2013-11-14 21:02:26.000000000 +0000
++++ subversion-1.8.5/subversion/mod_dav_svn/repos.c 2014-02-09 22:25:05.000000000 +0000
+@@ -1971,6 +1971,25 @@ get_resource(request_rec *r,
+ of private resource, iff the SVNListParentPath directive is 'on'. */
+ if (dav_svn__is_parentpath_list(r))
+ {
++ /* Only allow GET and HEAD on the parentpath resource
++ * httpd uses the same method_number for HEAD as GET */
++ if (r->method_number != M_GET)
++ {
++ int status;
++
++ /* Marshall the error back to the client by generating by
++ * way of the dav_svn__error_response_tag trick. */
++ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++ SVN_ERR_APMOD_MALFORMED_URI,
++ "The URI does not contain the name "
++ "of a repository.");
++ /* can't use r->allowed since the default handler isn't called */
++ apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++ status = dav_svn__error_response_tag(r, err);
++
++ return dav_push_error(r->pool, status, err->error_id, NULL, err);
++ }
++
+ err = get_parentpath_resource(r, resource);
+ if (err)
+ return err;
diff --git a/subversion.changes b/subversion.changes
index bf403d0..e0d55bb 100644
--- a/subversion.changes
+++ b/subversion.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sun Feb 9 22:30:22 UTC 2014 - andreas.stieger@gmx.de
+
+- fix a remotely triggerable segfault in mod_dav_svn when svn is
+ handling the server root and SVNListParentPath is on
+ [bnc#862459] CVE-2014-0032
+- added patches:
+ * subversion-CVE-2014-0032.patch
+
 -------------------------------------------------------------------
 Sun Dec 8 15:32:37 UTC 2013 - andreas.stieger@gmx.de
 
diff --git a/subversion.spec b/subversion.spec
index 6be525d..7dd538b 100644
--- a/subversion.spec
+++ b/subversion.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package subversion
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # Copyright (c) 2013 Andreas Stieger
 # Copyright (c) 2009-2010 Pascal Bleser
 #
@@ -180,6 +180,7 @@ Patch31: subversion.perl.LD_RUN_PATH.patch
 Patch37: subversion-no-build-date.patch
 Patch38: subversion-1.8.x-fix-ppc-tests.patch
 Patch39: subversion-1.8.x-SQLite-3.8.patch
+Patch40: subversion-CVE-2014-0032.patch
 #
 %if %with_ruby
 %define rb_arch %(echo "%{_host_cpu}-%{_os}" | sed -e "s/i686/i586/" -e "s/armv5tel/armv4l/" -e "s/hppa2.0/hppa/")
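Review bot: In the repos.c change carried by subversion-CVE-2014-0032.patch, the new `r->method_number != M_GET` branch answers with HTTP_METHOD_NOT_ALLOWED but builds the error from `SVN_ERR_APMOD_MALFORMED_URI` and the text "The URI does not contain the name of a repository.", which describes a URI problem rather than the rejected method. Anyone triaging client errors or server logs for this CVE cannot tell from that message that the request was refused because of its method. If the code and text are kept on purpose (possibly for compatibility with existing clients, which is not visible here), a comment should say so, e.g. `/* Error code and text kept for existing clients; the real cause is a non-GET/HEAD method on the parentpath list (CVE-2014-0032). */`. The comment above it, "by generating by way of", is garbled and could read `/* Marshal the error back to the client via dav_svn__error_response_tag. */`. get_resource's body starts and ends outside the hunk.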
@@ -346,6 +347,7 @@ popd #./sqlite-amalgamation %patch37 -p1 %patch38 -p1 %patch39 -p1 +%patch40 -p1 SQLITE_RECOMMENDED_VER=$(grep -E '^SQLITE_RECOMMENDED_VER=' configure.ac|cut -f2 -d=|cut -f2 -d\") #"