Hello community, here is the log from the commit of package subversion for openSUSE:Factory checked in at 2014-02-11 10:45:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/subversion (Old) and /work/SRC/openSUSE:Factory/.subversion.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "subversion" Changes: -------- --- /work/SRC/openSUSE:Factory/subversion/subversion.changes 2013-12-09 17:01:48.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.subversion.new/subversion.changes 2014-02-11 10:45:40.000000000 +0100 @@ -1,0 +2,9 @@ +Sun Feb 9 22:30:22 UTC 2014 - [email protected] + +- fix a remotely triggerable segfault in mod_dav_svn when svn is + handling the server root and SVNListParentPath is on + [bnc#862459] CVE-2014-0032 +- added patches: + * subversion-CVE-2014-0032.patch + +------------------------------------------------------------------- New: ---- subversion-CVE-2014-0032.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ subversion.spec ++++++ --- /var/tmp/diff_new_pack.MIDpCv/_old 2014-02-11 10:45:41.000000000 +0100 +++ /var/tmp/diff_new_pack.MIDpCv/_new 2014-02-11 10:45:41.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package subversion # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2013 Andreas Stieger <[email protected]> # Copyright (c) 2009-2010 Pascal Bleser <[email protected]> # @@ -180,6 +180,7 @@ Patch37: subversion-no-build-date.patch Patch38: subversion-1.8.x-fix-ppc-tests.patch Patch39: subversion-1.8.x-SQLite-3.8.patch +Patch40: subversion-CVE-2014-0032.patch # %if %with_ruby %define rb_arch %(echo "%{_host_cpu}-%{_os}" | sed -e "s/i686/i586/" -e "s/armv5tel/armv4l/" -e "s/hppa2.0/hppa/") @@ -346,6 +347,7 @@ %patch37 -p1 %patch38 -p1 %patch39 -p1 +%patch40 -p1 SQLITE_RECOMMENDED_VER=$(grep -E '^SQLITE_RECOMMENDED_VER=' configure.ac|cut -f2 -d=|cut -f2 -d\") #" ++++++ subversion-CVE-2014-0032.patch ++++++ From: Ben Reser <[email protected]> Subject: [PATCH] Disallow methods other than GET/HEAD for the parentpath list. Date: Sat, 11 Jan 2014 07:19:54 +0000 References: bnc#862459 CVE-2014-0032 http://svn.apache.org/viewvc?view=revision&revision=r1557320 Upstream: committed ------------------------------------------------------------------------ r1557320 | breser | 2014-01-11 07:19:54 +0000 (Sat, 11 Jan 2014) | 13 lines Changed paths: M /subversion/trunk/subversion/mod_dav_svn/repos.c Disallow methods other than GET/HEAD for the parentpath list. Fixes the segfault for `svn ls http://svn.example.com` when SVN is handling the server root and SVNListParentPath is on. CVE-2014-0032 * subversion/mod_dav_svn/repos.c (get_resource): Return an error when we try to get a parentpath list resource and the method isn't GET. Found by: lgo ------------------------------------------------------------------------ --- subversion/mod_dav_svn/repos.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) Index: subversion-1.8.5/subversion/mod_dav_svn/repos.c =================================================================== --- subversion-1.8.5.orig/subversion/mod_dav_svn/repos.c 2013-11-14 21:02:26.000000000 +0000 +++ subversion-1.8.5/subversion/mod_dav_svn/repos.c 2014-02-09 22:25:05.000000000 +0000 @@ -1971,6 +1971,25 @@ get_resource(request_rec *r, of private resource, iff the SVNListParentPath directive is 'on'. */ if (dav_svn__is_parentpath_list(r)) { + /* Only allow GET and HEAD on the parentpath resource + * httpd uses the same method_number for HEAD as GET */ + if (r->method_number != M_GET) + { + int status; + + /* Marshall the error back to the client by generating by + * way of the dav_svn__error_response_tag trick. */ + err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, + SVN_ERR_APMOD_MALFORMED_URI, + "The URI does not contain the name " + "of a repository."); + /* can't use r->allowed since the default handler isn't called */ + apr_table_setn(r->headers_out, "Allow", "GET,HEAD"); + status = dav_svn__error_response_tag(r, err); + + return dav_push_error(r->pool, status, err->error_id, NULL, err); + } + err = get_parentpath_resource(r, resource); if (err) return err; -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
