summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorYue Tao <Yue.Tao@windriver.com>2014-04-15 13:21:25 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-29 13:43:28 +0100
commit2361a8171b41c1d4a382256f06ea7439d599334e (patch)
treef640e18255d58ae59537d0bfd3b152e5f7f387e3 /meta
parentee4d10698795c9743f29d81d7b5633b82752ed3f (diff)
downloadpoky-2361a8171b41c1d4a382256f06ea7439d599334e.tar.gz
subversion: fix for Security Advisory CVE-2013-1845
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845 (From OE-Core rev: 432666b84b80f8b0d13672aa94855369f577c56d) (From OE-Core rev: 890cbced4c2bc45db3b5ec493d5f390f2de70bc2) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch171
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.6.15.bb3
2 files changed, 173 insertions, 1 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
new file mode 100644
index 0000000000..29aeea5017
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
@@ -0,0 +1,171 @@
1Upstream-Status: Backport
2
3Index: subversion/mod_dav_svn/dav_svn.h
4===================================================================
5--- a/subversion/mod_dav_svn/dav_svn.h (revision 1461956)
6+++ b/subversion/mod_dav_svn/dav_svn.h (working copy)
7@@ -254,6 +254,9 @@ struct dav_resource_private {
8 interface (ie: /path/to/item?p=PEGREV]? */
9 svn_boolean_t pegged;
10
11+ /* Cache any revprop change error */
12+ svn_error_t *revprop_error;
13+
14 /* Pool to allocate temporary data from */
15 apr_pool_t *pool;
16 };
17Index: subversion/mod_dav_svn/deadprops.c
18===================================================================
19--- a/subversion/mod_dav_svn/deadprops.c (revision 1461956)
20+++ b/subversion/mod_dav_svn/deadprops.c (working copy)
21@@ -49,8 +49,7 @@ struct dav_db {
22
23
24 struct dav_deadprop_rollback {
25- dav_prop_name name;
26- svn_string_t value;
27+ int dummy;
28 };
29
30
31@@ -134,6 +133,7 @@ save_value(dav_db *db, const dav_prop_name *name,
32 {
33 const char *propname;
34 svn_error_t *serr;
35+ apr_pool_t *subpool;
36
37 /* get the repos-local name */
38 get_repos_propname(db, name, &propname);
39@@ -151,10 +151,14 @@ save_value(dav_db *db, const dav_prop_name *name,
40 }
41
42 /* Working Baseline or Working (Version) Resource */
43+
44+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
45+ PROPPATCH with multiple values. */
46+ subpool = svn_pool_create(db->resource->pool);
47 if (db->resource->baselined)
48 if (db->resource->working)
49 serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
50- propname, value, db->resource->pool);
51+ propname, value, subpool);
52 else
53 {
54 /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
55@@ -168,19 +172,29 @@ save_value(dav_db *db, const dav_prop_name *name,
56 propname, value, TRUE, TRUE,
57 db->authz_read_func,
58 db->authz_read_baton,
59- db->resource->pool);
60+ subpool);
61
62+ /* mod_dav doesn't handle the returned error very well, it
63+ generates its own generic error that will be returned to
64+ the client. Cache the detailed error here so that it can
65+ be returned a second time when the rollback mechanism
66+ triggers. */
67+ if (serr)
68+ db->resource->info->revprop_error = svn_error_dup(serr);
69+
70 /* Tell the logging subsystem about the revprop change. */
71 dav_svn__operational_log(db->resource->info,
72 svn_log__change_rev_prop(
73 db->resource->info->root.rev,
74 propname,
75- db->resource->pool));
76+ subpool));
77 }
78 else
79 serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
80 get_repos_path(db->resource->info),
81- propname, value, db->resource->pool);
82+ propname, value, subpool);
83+ svn_pool_destroy(subpool);
84+
85 if (serr != NULL)
86 return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
87 NULL,
88@@ -395,6 +409,7 @@ db_remove(dav_db *db, const dav_prop_name *name)
89 {
90 svn_error_t *serr;
91 const char *propname;
92+ apr_pool_t *subpool;
93
94 /* get the repos-local name */
95 get_repos_propname(db, name, &propname);
96@@ -403,6 +418,10 @@ db_remove(dav_db *db, const dav_prop_name *name)
97 if (propname == NULL)
98 return NULL;
99
100+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
101+ PROPPATCH with multiple values. */
102+ subpool = svn_pool_create(db->resource->pool);
103+
104 /* Working Baseline or Working (Version) Resource */
105 if (db->resource->baselined)
106 if (db->resource->working)
107@@ -419,11 +438,12 @@ db_remove(dav_db *db, const dav_prop_name *name)
108 propname, NULL, TRUE, TRUE,
109 db->authz_read_func,
110 db->authz_read_baton,
111- db->resource->pool);
112+ subpool);
113 else
114 serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
115 get_repos_path(db->resource->info),
116- propname, NULL, db->resource->pool);
117+ propname, NULL, subpool);
118+ svn_pool_destroy(subpool);
119 if (serr != NULL)
120 return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
121 "could not remove a property",
122@@ -598,19 +618,14 @@ db_get_rollback(dav_db *db,
123 const dav_prop_name *name,
124 dav_deadprop_rollback **prollback)
125 {
126- dav_error *err;
127- dav_deadprop_rollback *ddp;
128- svn_string_t *propval;
129+ /* This gets called by mod_dav in preparation for a revprop change.
130+ mod_dav_svn doesn't need to make any changes during rollback, but
131+ we want the rollback mechanism to trigger. Making changes in
132+ response to post-revprop-change hook errors would be positively
133+ wrong. */
134
135- if ((err = get_value(db, name, &propval)) != NULL)
136- return err;
137+ *prollback = apr_palloc(db->p, sizeof(dav_deadprop_rollback));
138
139- ddp = apr_palloc(db->p, sizeof(*ddp));
140- ddp->name = *name;
141- ddp->value.data = propval ? propval->data : NULL;
142- ddp->value.len = propval ? propval->len : 0;
143-
144- *prollback = ddp;
145 return NULL;
146 }
147
148@@ -618,12 +633,20 @@ db_get_rollback(dav_db *db,
149 static dav_error *
150 db_apply_rollback(dav_db *db, dav_deadprop_rollback *rollback)
151 {
152- if (rollback->value.data == NULL)
153- {
154- return db_remove(db, &rollback->name);
155- }
156+ dav_error *derr;
157
158- return save_value(db, &rollback->name, &rollback->value);
159+ if (! db->resource->info->revprop_error)
160+ return NULL;
161+
162+ /* Returning the original revprop change error here will cause this
163+ detailed error to get returned to the client in preference to the
164+ more generic error created by mod_dav. */
165+ derr = dav_svn__convert_err(db->resource->info->revprop_error,
166+ HTTP_INTERNAL_SERVER_ERROR, NULL,
167+ db->resource->pool);
168+ db->resource->info->revprop_error = NULL;
169+
170+ return derr;
171 }
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index cb362765ab..11bf5ee5e3 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -14,7 +14,8 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
14 file://libtool2.patch \ 14 file://libtool2.patch \
15 file://fix-install-depends.patch \ 15 file://fix-install-depends.patch \
16 file://subversion-CVE-2013-1849.patch \ 16 file://subversion-CVE-2013-1849.patch \
17 file://subversion-CVE-2013-4505.patch" 17 file://subversion-CVE-2013-4505.patch \
18 file://subversion-CVE-2013-1845.patch"
18 19
19SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" 20SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
20SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45" 21SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"