pool/subversion
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 221557 from devel:tools:scm:svn

Browse Source 
- fix a remotely triggerable segfault in mod_dav_svn when svn is
  handling the server root and SVNListParentPath is on
  [bnc#862459] CVE-2014-0032 (forwarded request 221556 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/221557
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/subversion?expand=0&rev=112
This commit is contained in:
Stephan Kulow 2014-02-11 09:45:39 +00:00 committed by Git OBS Bridge
commit 13f6716de0
3 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
subversion-CVE-2014-0032.patch Normal file
View File

@ -0,0 +1,59 @@
From: Ben Reser <ben@reser.org>
Subject: [PATCH] Disallow methods other than GET/HEAD for the parentpath list.
Date: Sat, 11 Jan 2014 07:19:54 +0000
References: bnc#862459 CVE-2014-0032 http://svn.apache.org/viewvc?view=revision&revision=r1557320
Upstream: committed
------------------------------------------------------------------------
r1557320 | breser | 2014-01-11 07:19:54 +0000 (Sat, 11 Jan 2014) | 13 lines
Changed paths:
M /subversion/trunk/subversion/mod_dav_svn/repos.c
Disallow methods other than GET/HEAD for the parentpath list.
Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
the server root and SVNListParentPath is on.
CVE-2014-0032
* subversion/mod_dav_svn/repos.c
(get_resource): Return an error when we try to get a parentpath list
resource and the method isn't GET.
Found by: lgo
------------------------------------------------------------------------
---
subversion/mod_dav_svn/repos.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
Index: subversion-1.8.5/subversion/mod_dav_svn/repos.c
===================================================================
--- subversion-1.8.5.orig/subversion/mod_dav_svn/repos.c 2013-11-14 21:02:26.000000000 +0000
+++ subversion-1.8.5/subversion/mod_dav_svn/repos.c 2014-02-09 22:25:05.000000000 +0000
@@ -1971,6 +1971,25 @@ get_resource(request_rec *r,
of private resource, iff the SVNListParentPath directive is 'on'. */
if (dav_svn__is_parentpath_list(r))
{
+ /* Only allow GET and HEAD on the parentpath resource
+ * httpd uses the same method_number for HEAD as GET */
+ if (r->method_number != M_GET)
+ {
+ int status;
+
+ /* Marshall the error back to the client by generating by
+ * way of the dav_svn__error_response_tag trick. */
+ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
+ SVN_ERR_APMOD_MALFORMED_URI,
+ "The URI does not contain the name "
+ "of a repository.");
+ /* can't use r->allowed since the default handler isn't called */
+ apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
+ status = dav_svn__error_response_tag(r, err);
+
+ return dav_push_error(r->pool, status, err->error_id, NULL, err);
+ }
+
err = get_parentpath_resource(r, resource);
if (err)
return err;

9
subversion.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Sun Feb 9 22:30:22 UTC 2014 - andreas.stieger@gmx.de
- fix a remotely triggerable segfault in mod_dav_svn when svn is
handling the server root and SVNListParentPath is on
[bnc#862459] CVE-2014-0032
- added patches:
* subversion-CVE-2014-0032.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Dec 8 15:32:37 UTC 2013 - andreas.stieger@gmx.de Sun Dec 8 15:32:37 UTC 2013 - andreas.stieger@gmx.de

4
subversion.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package subversion # spec file for package subversion
# #
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2013 Andreas Stieger <andreas.stieger@gmx.de> # Copyright (c) 2013 Andreas Stieger <andreas.stieger@gmx.de>
# Copyright (c) 2009-2010 Pascal Bleser <pascal.bleser@opensuse.org> # Copyright (c) 2009-2010 Pascal Bleser <pascal.bleser@opensuse.org>
# #
@ -180,6 +180,7 @@ Patch31: subversion.perl.LD_RUN_PATH.patch
Patch37: subversion-no-build-date.patch Patch37: subversion-no-build-date.patch
Patch38: subversion-1.8.x-fix-ppc-tests.patch Patch38: subversion-1.8.x-fix-ppc-tests.patch
Patch39: subversion-1.8.x-SQLite-3.8.patch Patch39: subversion-1.8.x-SQLite-3.8.patch
Patch40: subversion-CVE-2014-0032.patch
# #
%if %with_ruby %if %with_ruby
%define rb_arch %(echo "%{_host_cpu}-%{_os}" | sed -e "s/i686/i586/" -e "s/armv5tel/armv4l/" -e "s/hppa2.0/hppa/") %define rb_arch %(echo "%{_host_cpu}-%{_os}" | sed -e "s/i686/i586/" -e "s/armv5tel/armv4l/" -e "s/hppa2.0/hppa/")
@ -346,6 +347,7 @@ popd #./sqlite-amalgamation
%patch37 -p1 %patch37 -p1
%patch38 -p1 %patch38 -p1
%patch39 -p1 %patch39 -p1
%patch40 -p1
SQLITE_RECOMMENDED_VER=$(grep -E '^SQLITE_RECOMMENDED_VER=' configure.ac|cut -f2 -d=|cut -f2 -d\") SQLITE_RECOMMENDED_VER=$(grep -E '^SQLITE_RECOMMENDED_VER=' configure.ac|cut -f2 -d=|cut -f2 -d\")
#" #"