From 4fc1cff43b6babd898ff4c7f0217b8aa19ea2c5b Mon Sep 17 00:00:00 2001 From: Yue Tao Date: Fri, 4 Apr 2014 13:35:31 +0800 Subject: subversion: fix for Security Advisory CVE-2013-1849 Reject operations on getcontentlength and getcontenttype properties if the resource is an activity. (From OE-Core rev: 94e8b503e8a5ae476037d4aa86f8e27d4a8c23ea) Signed-off-by: Yue Tao Signed-off-by: Roy Li Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- .../subversion/subversion-CVE-2013-1849.patch | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch (limited to 'meta/recipes-devtools/subversion/subversion') diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch new file mode 100644 index 0000000000..734f9b02e4 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch @@ -0,0 +1,25 @@ +Upstream-Status: Backport + +--- a/subversion/mod_dav_svn/liveprops.c ++++ b/subversion/mod_dav_svn/liveprops.c +@@ -410,7 +410,8 @@ insert_prop(const dav_resource *resource + svn_filesize_t len = 0; + + /* our property, but not defined on collection resources */ +- if (resource->collection || resource->baselined) ++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY ++ || resource->collection || resource->baselined) + return DAV_PROP_INSERT_NOTSUPP; + + serr = svn_fs_file_length(&len, resource->info->root.root, +@@ -434,7 +435,9 @@ insert_prop(const dav_resource *resource + svn_string_t *pval; + const char *mime_type = NULL; + +- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION) ++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY ++ || (resource->baselined ++ && resource->type == DAV_RESOURCE_TYPE_VERSION)) + return DAV_PROP_INSERT_NOTSUPP; + + if (resource->type == DAV_RESOURCE_TYPE_PRIVATE -- cgit v1.2.3-54-g00ecf