tags 711033 + patch tags 711033 + pending thanks Dear maintainer,
I've prepared an NMU for subversion (versioned as 1.7.9-1+nmu2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -u subversion-1.7.9/debian/changelog subversion-1.7.9/debian/changelog --- subversion-1.7.9/debian/changelog +++ subversion-1.7.9/debian/changelog @@ -1,3 +1,14 @@ +subversion (1.7.9-1+nmu2) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-1968.patch patch. + CVE-2013-1968: Subversion FSFS repositories can be corrupted by newline + characters in filenames. (Closes: #711033) + * Add CVE-2013-2112.patch patch. + CVE-2013-2112: Fix remotely triggerable DoS vulnerability. (Closes: #711033) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 06 Jun 2013 13:14:52 +0200 + subversion (1.7.9-1+nmu1) unstable; urgency=medium * Non-maintainer upload. diff -u subversion-1.7.9/debian/patches/series subversion-1.7.9/debian/patches/series --- subversion-1.7.9/debian/patches/series +++ subversion-1.7.9/debian/patches/series @@ -22,0 +23,2 @@ +CVE-2013-1968.patch +CVE-2013-2112.patch only in patch2: unchanged: --- subversion-1.7.9.orig/debian/patches/CVE-2013-2112.patch +++ subversion-1.7.9/debian/patches/CVE-2013-2112.patch @@ -0,0 +1,24 @@ +Description: Fix CVE-2013-2112 + Subversion's svnserve server process may exit when an incoming TCP connection + is closed early in the connection process. + . + This can lead to disruption for users of the server. +Origin: upstream, http://subversion.apache.org/security/CVE-2013-2112-advisory.txt +Bug-Debian: http://bugs.debian.org/711033 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-06-06 + +--- a/subversion/svnserve/main.c ++++ b/subversion/svnserve/main.c +@@ -928,7 +928,9 @@ + connection_pool) == APR_CHILD_DONE) + ; + } +- if (APR_STATUS_IS_EINTR(status)) ++ if (APR_STATUS_IS_EINTR(status) ++ || APR_STATUS_IS_ECONNABORTED(status) ++ || APR_STATUS_IS_ECONNRESET(status)) + { + svn_pool_destroy(connection_pool); + continue; only in patch2: unchanged: --- subversion-1.7.9.orig/debian/patches/CVE-2013-1968.patch +++ subversion-1.7.9/debian/patches/CVE-2013-1968.patch @@ -0,0 +1,125 @@ +Description: Fix CVE-2013-1968 + Subversion FSFS repositories can be corrupted by newline characters in + filenames. +Origin: upstream, http://subversion.apache.org/security/CVE-2013-1968-advisory.txt +Bug-Debian: http://bugs.debian.org/711033 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-06-06 + +--- a/subversion/libsvn_fs_fs/tree.c ++++ b/subversion/libsvn_fs_fs/tree.c +@@ -44,6 +44,7 @@ + #include "svn_private_config.h" + #include "svn_pools.h" + #include "svn_error.h" ++#include "svn_ctype.h" + #include "svn_dirent_uri.h" + #include "svn_path.h" + #include "svn_mergeinfo.h" +@@ -1806,6 +1807,78 @@ + return svn_fs_fs__dag_dir_entries(table_p, node, pool, pool); + } + ++/* Return a copy of PATH, allocated from POOL, for which control ++ characters have been escaped using the form \NNN (where NNN is the ++ octal representation of the byte's ordinal value). */ ++static const char * ++illegal_path_escape(const char *path, apr_pool_t *pool) ++{ ++ svn_stringbuf_t *retstr; ++ apr_size_t i, copied = 0; ++ int c; ++ ++ /* At least one control character: ++ strlen - 1 (control) + \ + N + N + N + null . */ ++ retstr = svn_stringbuf_create_ensure(strlen(path) + 4, pool); ++ for (i = 0; path[i]; i++) ++ { ++ c = (unsigned char)path[i]; ++ if (! svn_ctype_iscntrl(c)) ++ continue; ++ ++ /* If we got here, we're looking at a character that isn't ++ supported by the (or at least, our) URI encoding scheme. We ++ need to escape this character. */ ++ ++ /* First things first, copy all the good stuff that we haven't ++ yet copied into our output buffer. */ ++ if (i - copied) ++ svn_stringbuf_appendbytes(retstr, path + copied, ++ i - copied); ++ ++ /* Make sure buffer is big enough for '\' 'N' 'N' 'N' (and NUL) */ ++ svn_stringbuf_ensure(retstr, retstr->len + 5); ++ /*### The backslash separator doesn't work too great with Windows, ++ but it's what we'll use for consistency with invalid utf8 ++ formatting (until someone has a better idea) */ ++ apr_snprintf(retstr->data + retstr->len, 5, "\\%03o", (unsigned char)c); ++ retstr->len += 4; ++ ++ /* Finally, update our copy counter. */ ++ copied = i + 1; ++ } ++ ++ /* If we didn't encode anything, we don't need to duplicate the string. */ ++ if (retstr->len == 0) ++ return path; ++ ++ /* Anything left to copy? */ ++ if (i - copied) ++ svn_stringbuf_appendbytes(retstr, path + copied, i - copied); ++ ++ /* retstr is null-terminated either by apr_snprintf or the svn_stringbuf ++ functions. */ ++ ++ return retstr->data; ++} ++ ++/* Raise an error if PATH contains a newline because FSFS cannot handle ++ * such paths. See issue #4340. */ ++static svn_error_t * ++check_newline(const char *path, apr_pool_t *pool) ++{ ++ const char *c; ++ ++ for (c = path; *c; c++) ++ { ++ if (*c == '\n') ++ return svn_error_createf(SVN_ERR_FS_PATH_SYNTAX, NULL, ++ _("Invalid control character '0x%02x' in path '%s'"), ++ (unsigned char)*c, illegal_path_escape(path, pool)); ++ } ++ ++ return SVN_NO_ERROR; ++} + + /* Create a new directory named PATH in ROOT. The new directory has + no entries, and no properties. ROOT must be the root of a +@@ -1820,6 +1893,8 @@ + dag_node_t *sub_dir; + const char *txn_id = root->txn; + ++ SVN_ERR(check_newline(path, pool)); ++ + SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional, + txn_id, pool)); + +@@ -2082,6 +2157,8 @@ + const char *to_path, + apr_pool_t *pool) + { ++ SVN_ERR(check_newline(to_path, pool)); ++ + return svn_error_trace(copy_helper(from_root, from_path, to_root, to_path, + TRUE, pool)); + } +@@ -2174,6 +2251,8 @@ + dag_node_t *child; + const char *txn_id = root->txn; + ++ SVN_ERR(check_newline(path, pool)); ++ + SVN_ERR(open_path(&parent_path, root, path, open_path_last_optional, + txn_id, pool)); +
