subversion: fix for Security Advisory CVE-2013-1845

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845 (From OE-Core rev: 432666b84b80f8b0d13672aa94855369f577c56d) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2014-04-15 13:21:25 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-21 09:09:00 +0100
commit: 128adcb714bd74adef0de00b49e89a3851535e91 (patch)
tree: 9d850933baf7821e28cd015588d73b0d10af0ce6 /meta/recipes-devtools/subversion
parent: 722ff438b355afc04f82e0aca47f9082d2d3d7df (diff)
download: poky-128adcb714bd74adef0de00b49e89a3851535e91.tar.gz
2 files changed, 173 insertions, 1 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
new file mode 100644
index 0000000000..29aeea5017
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
@@ -0,0 +1,171 @@
+Upstream-Status: Backport
+Index: subversion/mod_dav_svn/dav_svn.h
+===================================================================
+--- a/subversion/mod_dav_svn/dav_svn.h  (revision 1461956)
+++ b/subversion/mod_dav_svn/dav_svn.h  (working copy)
+@@ -254,6 +254,9 @@ struct dav_resource_private {
+      interface (ie: /path/to/item?p=PEGREV]? */
+   svn_boolean_t pegged;
+ 
+  /* Cache any revprop change error */
+  svn_error_t *revprop_error;
+
+   /* Pool to allocate temporary data from */
+   apr_pool_t *pool;
+ };
+Index: subversion/mod_dav_svn/deadprops.c
+===================================================================
+--- a/subversion/mod_dav_svn/deadprops.c        (revision 1461956)
+++ b/subversion/mod_dav_svn/deadprops.c        (working copy)
+@@ -49,8 +49,7 @@ struct dav_db {
+ 
+ 
+ struct dav_deadprop_rollback {
+-  dav_prop_name name;
+-  svn_string_t value;
+  int dummy;
+ };
+ 
+ 
+@@ -134,6 +133,7 @@ save_value(dav_db *db, const dav_prop_name *name,
+ {
+   const char *propname;
+   svn_error_t *serr;
+  apr_pool_t *subpool;
+ 
+   /* get the repos-local name */
+   get_repos_propname(db, name, &propname);
+@@ -151,10 +151,14 @@ save_value(dav_db *db, const dav_prop_name *name,
+     }
+ 
+   /* Working Baseline or Working (Version) Resource */
+
+  /* A subpool to cope with mod_dav making multiple calls, e.g. during
+     PROPPATCH with multiple values. */
+  subpool = svn_pool_create(db->resource->pool);
+   if (db->resource->baselined)
+     if (db->resource->working)
+       serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
+-                                          propname, value, db->resource->pool);
+                                          propname, value, subpool);
+     else
+       {
+         /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
+@@ -168,19 +172,29 @@ save_value(dav_db *db, const dav_prop_name *name,
+            propname, value, TRUE, TRUE,
+            db->authz_read_func,
+            db->authz_read_baton,
+-           db->resource->pool);
+           subpool);
+ 
+        /* mod_dav doesn't handle the returned error very well, it
+           generates its own generic error that will be returned to
+           the client.  Cache the detailed error here so that it can
+           be returned a second time when the rollback mechanism
+           triggers. */
+        if (serr)
+          db->resource->info->revprop_error = svn_error_dup(serr);
+
+         /* Tell the logging subsystem about the revprop change. */
+         dav_svn__operational_log(db->resource->info,
+                                  svn_log__change_rev_prop(
+                                               db->resource->info->root.rev,
+                                               propname,
+-                                              db->resource->pool));
+                                              subpool));
+       }
+   else
+     serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
+                                          get_repos_path(db->resource->info),
+-                                         propname, value, db->resource->pool);
+                                         propname, value, subpool);
+  svn_pool_destroy(subpool);
+
+   if (serr != NULL)
+     return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+                                 NULL,
+@@ -395,6 +409,7 @@ db_remove(dav_db *db, const dav_prop_name *name)
+ {
+   svn_error_t *serr;
+   const char *propname;
+  apr_pool_t *subpool;
+ 
+   /* get the repos-local name */
+   get_repos_propname(db, name, &propname);
+@@ -403,6 +418,10 @@ db_remove(dav_db *db, const dav_prop_name *name)
+   if (propname == NULL)
+     return NULL;
+ 
+  /* A subpool to cope with mod_dav making multiple calls, e.g. during
+     PROPPATCH with multiple values. */
+  subpool = svn_pool_create(db->resource->pool);
+
+   /* Working Baseline or Working (Version) Resource */
+   if (db->resource->baselined)
+     if (db->resource->working)
+@@ -419,11 +438,12 @@ db_remove(dav_db *db, const dav_prop_name *name)
+                                            propname, NULL, TRUE, TRUE,
+                                            db->authz_read_func,
+                                            db->authz_read_baton,
+-                                           db->resource->pool);
+                                           subpool);
+   else
+     serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
+                                          get_repos_path(db->resource->info),
+-                                         propname, NULL, db->resource->pool);
+                                         propname, NULL, subpool);
+  svn_pool_destroy(subpool);
+   if (serr != NULL)
+     return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+                                 "could not remove a property",
+@@ -598,19 +618,14 @@ db_get_rollback(dav_db *db,
+                 const dav_prop_name *name,
+                 dav_deadprop_rollback **prollback)
+ {
+-  dav_error *err;
+-  dav_deadprop_rollback *ddp;
+-  svn_string_t *propval;
+  /* This gets called by mod_dav in preparation for a revprop change.
+     mod_dav_svn doesn't need to make any changes during rollback, but
+     we want the rollback mechanism to trigger.  Making changes in
+     response to post-revprop-change hook errors would be positively
+     wrong. */
+ 
+-  if ((err = get_value(db, name, &propval)) != NULL)
+-    return err;
+  *prollback = apr_palloc(db->p, sizeof(dav_deadprop_rollback));
+ 
+-  ddp = apr_palloc(db->p, sizeof(*ddp));
+-  ddp->name = *name;
+-  ddp->value.data = propval ? propval->data : NULL;
+-  ddp->value.len = propval ? propval->len : 0;
+-
+-  *prollback = ddp;
+   return NULL;
+ }
+ 
+@@ -618,12 +633,20 @@ db_get_rollback(dav_db *db,
+ static dav_error *
+ db_apply_rollback(dav_db *db, dav_deadprop_rollback *rollback)
+ {
+-  if (rollback->value.data == NULL)
+-    {
+-      return db_remove(db, &rollback->name);
+-    }
+  dav_error *derr;
+ 
+-  return save_value(db, &rollback->name, &rollback->value);
+  if (! db->resource->info->revprop_error)
+    return NULL;
+  
+  /* Returning the original revprop change error here will cause this
+     detailed error to get returned to the client in preference to the
+     more generic error created by mod_dav. */
+  derr = dav_svn__convert_err(db->resource->info->revprop_error,
+                              HTTP_INTERNAL_SERVER_ERROR, NULL,
+                              db->resource->pool);
+  db->resource->info->revprop_error = NULL;
+
+  return derr;
+ }
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index cb362765ab..11bf5ee5e3 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -14,7 +14,8 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
           file://libtool2.patch \
           file://fix-install-depends.patch \
           file://subversion-CVE-2013-1849.patch \
-           file://subversion-CVE-2013-4505.patch"
+           file://subversion-CVE-2013-4505.patch \
+           file://subversion-CVE-2013-1845.patch"
 SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
 SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"
author	Yue Tao <Yue.Tao@windriver.com>	2014-04-15 13:21:25 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-05-21 09:09:00 +0100
commit	128adcb714bd74adef0de00b49e89a3851535e91 (patch)
tree	9d850933baf7821e28cd015588d73b0d10af0ce6 /meta/recipes-devtools/subversion
parent	722ff438b355afc04f82e0aca47f9082d2d3d7df (diff)
download	poky-128adcb714bd74adef0de00b49e89a3851535e91.tar.gz

diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch new file mode 100644 index 0000000000..29aeea5017 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
@@ -0,0 +1,171 @@
		1	Upstream-Status: Backport
		2
		3	Index: subversion/mod_dav_svn/dav_svn.h
		4	===================================================================
		5	--- a/subversion/mod_dav_svn/dav_svn.h (revision 1461956)
		6	+++ b/subversion/mod_dav_svn/dav_svn.h (working copy)
		7	@@ -254,6 +254,9 @@ struct dav_resource_private {
		8	interface (ie: /path/to/item?p=PEGREV]? */
		9	svn_boolean_t pegged;
		10
		11	+ /* Cache any revprop change error */
		12	+ svn_error_t *revprop_error;
		13	+
		14	/* Pool to allocate temporary data from */
		15	apr_pool_t *pool;
		16	};
		17	Index: subversion/mod_dav_svn/deadprops.c
		18	===================================================================
		19	--- a/subversion/mod_dav_svn/deadprops.c (revision 1461956)
		20	+++ b/subversion/mod_dav_svn/deadprops.c (working copy)
		21	@@ -49,8 +49,7 @@ struct dav_db {
		22
		23
		24	struct dav_deadprop_rollback {
		25	- dav_prop_name name;
		26	- svn_string_t value;
		27	+ int dummy;
		28	};
		29
		30
		31	@@ -134,6 +133,7 @@ save_value(dav_db db, const dav_prop_name name,
		32	{
		33	const char *propname;
		34	svn_error_t *serr;
		35	+ apr_pool_t *subpool;
		36
		37	/* get the repos-local name */
		38	get_repos_propname(db, name, &propname);
		39	@@ -151,10 +151,14 @@ save_value(dav_db db, const dav_prop_name name,
		40	}
		41
		42	/* Working Baseline or Working (Version) Resource */
		43	+
		44	+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
		45	+ PROPPATCH with multiple values. */
		46	+ subpool = svn_pool_create(db->resource->pool);
		47	if (db->resource->baselined)
		48	if (db->resource->working)
		49	serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
		50	- propname, value, db->resource->pool);
		51	+ propname, value, subpool);
		52	else
		53	{
		54	/* ### VIOLATING deltaV: you can't proppatch a baseline, it's
		55	@@ -168,19 +172,29 @@ save_value(dav_db db, const dav_prop_name name,
		56	propname, value, TRUE, TRUE,
		57	db->authz_read_func,
		58	db->authz_read_baton,
		59	- db->resource->pool);
		60	+ subpool);
		61
		62	+ /* mod_dav doesn't handle the returned error very well, it
		63	+ generates its own generic error that will be returned to
		64	+ the client. Cache the detailed error here so that it can
		65	+ be returned a second time when the rollback mechanism
		66	+ triggers. */
		67	+ if (serr)
		68	+ db->resource->info->revprop_error = svn_error_dup(serr);
		69	+
		70	/* Tell the logging subsystem about the revprop change. */
		71	dav_svn__operational_log(db->resource->info,
		72	svn_log__change_rev_prop(
		73	db->resource->info->root.rev,
		74	propname,
		75	- db->resource->pool));
		76	+ subpool));
		77	}
		78	else
		79	serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
		80	get_repos_path(db->resource->info),
		81	- propname, value, db->resource->pool);
		82	+ propname, value, subpool);
		83	+ svn_pool_destroy(subpool);
		84	+
		85	if (serr != NULL)
		86	return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
		87	NULL,
		88	@@ -395,6 +409,7 @@ db_remove(dav_db db, const dav_prop_name name)
		89	{
		90	svn_error_t *serr;
		91	const char *propname;
		92	+ apr_pool_t *subpool;
		93
		94	/* get the repos-local name */
		95	get_repos_propname(db, name, &propname);
		96	@@ -403,6 +418,10 @@ db_remove(dav_db db, const dav_prop_name name)
		97	if (propname == NULL)
		98	return NULL;
		99
		100	+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
		101	+ PROPPATCH with multiple values. */
		102	+ subpool = svn_pool_create(db->resource->pool);
		103	+
		104	/* Working Baseline or Working (Version) Resource */
		105	if (db->resource->baselined)
		106	if (db->resource->working)
		107	@@ -419,11 +438,12 @@ db_remove(dav_db db, const dav_prop_name name)
		108	propname, NULL, TRUE, TRUE,
		109	db->authz_read_func,
		110	db->authz_read_baton,
		111	- db->resource->pool);
		112	+ subpool);
		113	else
		114	serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
		115	get_repos_path(db->resource->info),
		116	- propname, NULL, db->resource->pool);
		117	+ propname, NULL, subpool);
		118	+ svn_pool_destroy(subpool);
		119	if (serr != NULL)
		120	return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
		121	"could not remove a property",
		122	@@ -598,19 +618,14 @@ db_get_rollback(dav_db *db,
		123	const dav_prop_name *name,
		124	dav_deadprop_rollback **prollback)
		125	{
		126	- dav_error *err;
		127	- dav_deadprop_rollback *ddp;
		128	- svn_string_t *propval;
		129	+ /* This gets called by mod_dav in preparation for a revprop change.
		130	+ mod_dav_svn doesn't need to make any changes during rollback, but
		131	+ we want the rollback mechanism to trigger. Making changes in
		132	+ response to post-revprop-change hook errors would be positively
		133	+ wrong. */
		134
		135	- if ((err = get_value(db, name, &propval)) != NULL)
		136	- return err;
		137	+ *prollback = apr_palloc(db->p, sizeof(dav_deadprop_rollback));
		138
		139	- ddp = apr_palloc(db->p, sizeof(*ddp));
		140	- ddp->name = *name;
		141	- ddp->value.data = propval ? propval->data : NULL;
		142	- ddp->value.len = propval ? propval->len : 0;
		143	-
		144	- *prollback = ddp;
		145	return NULL;
		146	}
		147
		148	@@ -618,12 +633,20 @@ db_get_rollback(dav_db *db,
		149	static dav_error *
		150	db_apply_rollback(dav_db db, dav_deadprop_rollback rollback)
		151	{
		152	- if (rollback->value.data == NULL)
		153	- {
		154	- return db_remove(db, &rollback->name);
		155	- }
		156	+ dav_error *derr;
		157
		158	- return save_value(db, &rollback->name, &rollback->value);
		159	+ if (! db->resource->info->revprop_error)
		160	+ return NULL;
		161	+
		162	+ /* Returning the original revprop change error here will cause this
		163	+ detailed error to get returned to the client in preference to the
		164	+ more generic error created by mod_dav. */
		165	+ derr = dav_svn__convert_err(db->resource->info->revprop_error,
		166	+ HTTP_INTERNAL_SERVER_ERROR, NULL,
		167	+ db->resource->pool);
		168	+ db->resource->info->revprop_error = NULL;
		169	+
		170	+ return derr;
		171	}


diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb index cb362765ab..11bf5ee5e3 100644 --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -14,7 +14,8 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
14	file://libtool2.patch \	14	file://libtool2.patch \
15	file://fix-install-depends.patch \	15	file://fix-install-depends.patch \
16	file://subversion-CVE-2013-1849.patch \	16	file://subversion-CVE-2013-1849.patch \
17	file://subversion-CVE-2013-4505.patch"	17	file://subversion-CVE-2013-4505.patch \
		18	file://subversion-CVE-2013-1845.patch"
18		19
19	SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"	20	SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
20	SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"	21	SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"