Bug#740302: wheezy-pu: package subversion/1.6.17dfsg-4+deb7u5

[James McCoy]

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

I would like to upload subversion for the next Wheezy point release to
address the following issues.

   * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
     with SVNListParentPath on  (Closes: #737815)
   * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
     #711911)

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diffstat for subversion_1.6.17dfsg-4+deb7u4 subversion_1.6.17dfsg-4+deb7u5

 debian/patches/CVE-2014-0032                |   39 ++++++++++++++++++++++++++++
 subversion-1.6.17dfsg/debian/changelog      |    9 ++++++
 subversion-1.6.17dfsg/debian/patches/series |    1 
 subversion-1.6.17dfsg/debian/rules          |    3 +-
 4 files changed, 51 insertions(+), 1 deletion(-)

diff -u subversion-1.6.17dfsg/debian/rules subversion-1.6.17dfsg/debian/rules
--- subversion-1.6.17dfsg/debian/rules
+++ subversion-1.6.17dfsg/debian/rules
@@ -346,13 +346,14 @@
 	cd debian/tmp/$(libdir); for lib in ra fs auth swig; do \
 	    $(RM) libsvn_$${lib}_*.so libsvn_$${lib}_*.la; \
 	done
-	cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl.a libsvnjavahl.la
+	cd debian/tmp/$(libdir); $(RM) libsvn_swig*.a libsvnjavahl-1.a libsvnjavahl-1.la
 	# Intermediate hack, until we can remove the rest of the .la files.
 	sed -i  "/dependency_libs/s/=.*/=''/" debian/tmp/$(libdir)/*.la
 	dh_install -s
 ifdef DEB_OPT_WITH_JAVAHL
 	mkdir -p debian/libsvn-java/$(libdir)
 	mv debian/libsvn-java/usr/lib/jni debian/libsvn-java/$(libdir)/
+	$(RM) debian/libsvn-dev/$(libdir)/libsvnjavahl-1.so
 endif
 	ln -s libsvn_ra_neon-1.so.1 debian/libsvn1/$(libdir)/libsvn_ra_dav-1.so.1
 
diff -u subversion-1.6.17dfsg/debian/changelog subversion-1.6.17dfsg/debian/changelog
--- subversion-1.6.17dfsg/debian/changelog
+++ subversion-1.6.17dfsg/debian/changelog
@@ -1,3 +1,12 @@
+subversion (1.6.17dfsg-4+deb7u5) UNRELEASED; urgency=medium
+
+  * Add patch CVE-2014-0032: mod_dav_svn crash when handling certain requests
+    with SVNListParentPath on  (Closes: #737815)
+  * rules: Fix removal of libsvnjavahl-1.a/.la/.so from libsvn-dev (Closes:
+    #711911)
+
+ -- James McCoy <james...@debian.org>  Wed, 26 Feb 2014 21:19:57 -0500
+
 subversion (1.6.17dfsg-4+deb7u4) wheezy; urgency=low
 
   * Non-maintainer upload.
diff -u subversion-1.6.17dfsg/debian/patches/series subversion-1.6.17dfsg/debian/patches/series
--- subversion-1.6.17dfsg/debian/patches/series
+++ subversion-1.6.17dfsg/debian/patches/series
@@ -42,0 +43 @@
+CVE-2014-0032
only in patch2:
unchanged:
--- subversion-1.6.17dfsg.orig/debian/patches/CVE-2014-0032
+++ subversion-1.6.17dfsg/debian/patches/CVE-2014-0032
@@ -0,0 +1,39 @@
+Author: Ben Reser <bre...@apache.org>
+Subject: Disallow methods other than GET/HEAD for the parentpath list.
+
+Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling
+the server root and SVNListParentPath is on.
+
+Origin: upstream, backported from commit:r1557320
+Bug-CVE: http://subversion.apache.org/security/CVE-2014-0032-advisory.txt
+Bug-Debian: http://bugs.debian.org/737815
+Last-Update: 2014-02-26
+
+--- a/subversion/mod_dav_svn/repos.c
++++ b/subversion/mod_dav_svn/repos.c
+@@ -1672,6 +1672,25 @@
+ 
+       if (strcmp(parentpath, uri) == 0)
+         {
++          /* Only allow GET and HEAD on the parentpath resource
++           * httpd uses the same method_number for HEAD as GET */
++          if (r->method_number != M_GET)
++            {
++              int status;
++
++              /* Marshal the error back to the client by generating by
++               * way of the dav_svn__error_response_tag trick. */
++              err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
++                                       SVN_ERR_APMOD_MALFORMED_URI,
++                                       "The URI does not contain the name "
++                                       "of a repository.");
++              /* can't use r->allowed since the default handler isn't called */
++              apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
++              status = dav_svn__error_response_tag(r, err);
++
++              return dav_push_error(r->pool, status, err->error_id, NULL, err);
++            }
++
+           err = get_parentpath_resource(r, root_path, resource);
+           if (err)
+             return err;