diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-04-15 13:21:25 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-29 13:43:28 +0100 |
commit | 2361a8171b41c1d4a382256f06ea7439d599334e (patch) | |
tree | f640e18255d58ae59537d0bfd3b152e5f7f387e3 /meta | |
parent | ee4d10698795c9743f29d81d7b5633b82752ed3f (diff) | |
download | poky-2361a8171b41c1d4a382256f06ea7439d599334e.tar.gz |
subversion: fix for Security Advisory CVE-2013-1845
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before
1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to
cause a denial of service (memory consumption) by (1) setting or (2)
deleting a large number of properties for a file or directory.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845
(From OE-Core rev: 432666b84b80f8b0d13672aa94855369f577c56d)
(From OE-Core rev: 890cbced4c2bc45db3b5ec493d5f390f2de70bc2)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch | 171 | ||||
-rw-r--r-- | meta/recipes-devtools/subversion/subversion_1.6.15.bb | 3 |
2 files changed, 173 insertions, 1 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch new file mode 100644 index 0000000000..29aeea5017 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch | |||
@@ -0,0 +1,171 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Index: subversion/mod_dav_svn/dav_svn.h | ||
4 | =================================================================== | ||
5 | --- a/subversion/mod_dav_svn/dav_svn.h (revision 1461956) | ||
6 | +++ b/subversion/mod_dav_svn/dav_svn.h (working copy) | ||
7 | @@ -254,6 +254,9 @@ struct dav_resource_private { | ||
8 | interface (ie: /path/to/item?p=PEGREV]? */ | ||
9 | svn_boolean_t pegged; | ||
10 | |||
11 | + /* Cache any revprop change error */ | ||
12 | + svn_error_t *revprop_error; | ||
13 | + | ||
14 | /* Pool to allocate temporary data from */ | ||
15 | apr_pool_t *pool; | ||
16 | }; | ||
17 | Index: subversion/mod_dav_svn/deadprops.c | ||
18 | =================================================================== | ||
19 | --- a/subversion/mod_dav_svn/deadprops.c (revision 1461956) | ||
20 | +++ b/subversion/mod_dav_svn/deadprops.c (working copy) | ||
21 | @@ -49,8 +49,7 @@ struct dav_db { | ||
22 | |||
23 | |||
24 | struct dav_deadprop_rollback { | ||
25 | - dav_prop_name name; | ||
26 | - svn_string_t value; | ||
27 | + int dummy; | ||
28 | }; | ||
29 | |||
30 | |||
31 | @@ -134,6 +133,7 @@ save_value(dav_db *db, const dav_prop_name *name, | ||
32 | { | ||
33 | const char *propname; | ||
34 | svn_error_t *serr; | ||
35 | + apr_pool_t *subpool; | ||
36 | |||
37 | /* get the repos-local name */ | ||
38 | get_repos_propname(db, name, &propname); | ||
39 | @@ -151,10 +151,14 @@ save_value(dav_db *db, const dav_prop_name *name, | ||
40 | } | ||
41 | |||
42 | /* Working Baseline or Working (Version) Resource */ | ||
43 | + | ||
44 | + /* A subpool to cope with mod_dav making multiple calls, e.g. during | ||
45 | + PROPPATCH with multiple values. */ | ||
46 | + subpool = svn_pool_create(db->resource->pool); | ||
47 | if (db->resource->baselined) | ||
48 | if (db->resource->working) | ||
49 | serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn, | ||
50 | - propname, value, db->resource->pool); | ||
51 | + propname, value, subpool); | ||
52 | else | ||
53 | { | ||
54 | /* ### VIOLATING deltaV: you can't proppatch a baseline, it's | ||
55 | @@ -168,19 +172,29 @@ save_value(dav_db *db, const dav_prop_name *name, | ||
56 | propname, value, TRUE, TRUE, | ||
57 | db->authz_read_func, | ||
58 | db->authz_read_baton, | ||
59 | - db->resource->pool); | ||
60 | + subpool); | ||
61 | |||
62 | + /* mod_dav doesn't handle the returned error very well, it | ||
63 | + generates its own generic error that will be returned to | ||
64 | + the client. Cache the detailed error here so that it can | ||
65 | + be returned a second time when the rollback mechanism | ||
66 | + triggers. */ | ||
67 | + if (serr) | ||
68 | + db->resource->info->revprop_error = svn_error_dup(serr); | ||
69 | + | ||
70 | /* Tell the logging subsystem about the revprop change. */ | ||
71 | dav_svn__operational_log(db->resource->info, | ||
72 | svn_log__change_rev_prop( | ||
73 | db->resource->info->root.rev, | ||
74 | propname, | ||
75 | - db->resource->pool)); | ||
76 | + subpool)); | ||
77 | } | ||
78 | else | ||
79 | serr = svn_repos_fs_change_node_prop(db->resource->info->root.root, | ||
80 | get_repos_path(db->resource->info), | ||
81 | - propname, value, db->resource->pool); | ||
82 | + propname, value, subpool); | ||
83 | + svn_pool_destroy(subpool); | ||
84 | + | ||
85 | if (serr != NULL) | ||
86 | return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR, | ||
87 | NULL, | ||
88 | @@ -395,6 +409,7 @@ db_remove(dav_db *db, const dav_prop_name *name) | ||
89 | { | ||
90 | svn_error_t *serr; | ||
91 | const char *propname; | ||
92 | + apr_pool_t *subpool; | ||
93 | |||
94 | /* get the repos-local name */ | ||
95 | get_repos_propname(db, name, &propname); | ||
96 | @@ -403,6 +418,10 @@ db_remove(dav_db *db, const dav_prop_name *name) | ||
97 | if (propname == NULL) | ||
98 | return NULL; | ||
99 | |||
100 | + /* A subpool to cope with mod_dav making multiple calls, e.g. during | ||
101 | + PROPPATCH with multiple values. */ | ||
102 | + subpool = svn_pool_create(db->resource->pool); | ||
103 | + | ||
104 | /* Working Baseline or Working (Version) Resource */ | ||
105 | if (db->resource->baselined) | ||
106 | if (db->resource->working) | ||
107 | @@ -419,11 +438,12 @@ db_remove(dav_db *db, const dav_prop_name *name) | ||
108 | propname, NULL, TRUE, TRUE, | ||
109 | db->authz_read_func, | ||
110 | db->authz_read_baton, | ||
111 | - db->resource->pool); | ||
112 | + subpool); | ||
113 | else | ||
114 | serr = svn_repos_fs_change_node_prop(db->resource->info->root.root, | ||
115 | get_repos_path(db->resource->info), | ||
116 | - propname, NULL, db->resource->pool); | ||
117 | + propname, NULL, subpool); | ||
118 | + svn_pool_destroy(subpool); | ||
119 | if (serr != NULL) | ||
120 | return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR, | ||
121 | "could not remove a property", | ||
122 | @@ -598,19 +618,14 @@ db_get_rollback(dav_db *db, | ||
123 | const dav_prop_name *name, | ||
124 | dav_deadprop_rollback **prollback) | ||
125 | { | ||
126 | - dav_error *err; | ||
127 | - dav_deadprop_rollback *ddp; | ||
128 | - svn_string_t *propval; | ||
129 | + /* This gets called by mod_dav in preparation for a revprop change. | ||
130 | + mod_dav_svn doesn't need to make any changes during rollback, but | ||
131 | + we want the rollback mechanism to trigger. Making changes in | ||
132 | + response to post-revprop-change hook errors would be positively | ||
133 | + wrong. */ | ||
134 | |||
135 | - if ((err = get_value(db, name, &propval)) != NULL) | ||
136 | - return err; | ||
137 | + *prollback = apr_palloc(db->p, sizeof(dav_deadprop_rollback)); | ||
138 | |||
139 | - ddp = apr_palloc(db->p, sizeof(*ddp)); | ||
140 | - ddp->name = *name; | ||
141 | - ddp->value.data = propval ? propval->data : NULL; | ||
142 | - ddp->value.len = propval ? propval->len : 0; | ||
143 | - | ||
144 | - *prollback = ddp; | ||
145 | return NULL; | ||
146 | } | ||
147 | |||
148 | @@ -618,12 +633,20 @@ db_get_rollback(dav_db *db, | ||
149 | static dav_error * | ||
150 | db_apply_rollback(dav_db *db, dav_deadprop_rollback *rollback) | ||
151 | { | ||
152 | - if (rollback->value.data == NULL) | ||
153 | - { | ||
154 | - return db_remove(db, &rollback->name); | ||
155 | - } | ||
156 | + dav_error *derr; | ||
157 | |||
158 | - return save_value(db, &rollback->name, &rollback->value); | ||
159 | + if (! db->resource->info->revprop_error) | ||
160 | + return NULL; | ||
161 | + | ||
162 | + /* Returning the original revprop change error here will cause this | ||
163 | + detailed error to get returned to the client in preference to the | ||
164 | + more generic error created by mod_dav. */ | ||
165 | + derr = dav_svn__convert_err(db->resource->info->revprop_error, | ||
166 | + HTTP_INTERNAL_SERVER_ERROR, NULL, | ||
167 | + db->resource->pool); | ||
168 | + db->resource->info->revprop_error = NULL; | ||
169 | + | ||
170 | + return derr; | ||
171 | } | ||
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb index cb362765ab..11bf5ee5e3 100644 --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb | |||
@@ -14,7 +14,8 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \ | |||
14 | file://libtool2.patch \ | 14 | file://libtool2.patch \ |
15 | file://fix-install-depends.patch \ | 15 | file://fix-install-depends.patch \ |
16 | file://subversion-CVE-2013-1849.patch \ | 16 | file://subversion-CVE-2013-1849.patch \ |
17 | file://subversion-CVE-2013-4505.patch" | 17 | file://subversion-CVE-2013-4505.patch \ |
18 | file://subversion-CVE-2013-1845.patch" | ||
18 | 19 | ||
19 | SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" | 20 | SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" |
20 | SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45" | 21 | SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45" |