Bug#891611: marked as done (jessie-pu: package subversion/1.8.10-6+deb8u6)

Sat, 23 Jun 2018 04:39:02 -0700 

Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <[email protected]>
and subject line Closing bugs for requests included in the EoL jessie point 
release
has caused the Debian Bug report #891611,
regarding jessie-pu: package subversion/1.8.10-6+deb8u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
891611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891611
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

This upload would fix crashes that are seen when using subversion's Perl
bindings.  In particular, git-svn has been a common victim since its
memory usage patterns tend to cause the right conditions.

I've verified this against the originally reported issue[0] and
Salvatore Bonaccorso, who prodded me to prepare the upload, has verified
it against their problematic repository.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diffstat for subversion_1.8.10-6+deb8u5 subversion_1.8.10-6+deb8u6

 debian/patches/perl-swig-crash          |  244 ++++++++++++++++++++++++++++++++
 subversion-1.8.10/debian/changelog      |    7 
 subversion-1.8.10/debian/patches/series |    1 
 3 files changed, 252 insertions(+)

diff -u subversion-1.8.10/debian/changelog subversion-1.8.10/debian/changelog
--- subversion-1.8.10/debian/changelog
+++ subversion-1.8.10/debian/changelog
@@ -1,3 +1,10 @@
+subversion (1.8.10-6+deb8u6) jessie; urgency=medium
+
+  * Backport patches/perl-swig-crash from upstream to fix crashes with Perl
+    bindings, commonly seen when using git-svn (Closes: #780246, #534763).
+
+ -- James McCoy <[email protected]>  Mon, 26 Feb 2018 22:00:47 -0500
+
 subversion (1.8.10-6+deb8u5) jessie-security; urgency=high
 
   * patches/CVE-2016-8734: Unrestricted XML entity expansion in HTTP clients
diff -u subversion-1.8.10/debian/patches/series 
subversion-1.8.10/debian/patches/series
--- subversion-1.8.10/debian/patches/series
+++ subversion-1.8.10/debian/patches/series
@@ -33,0 +34 @@
+perl-swig-crash
only in patch2:
unchanged:
--- subversion-1.8.10.orig/debian/patches/perl-swig-crash
+++ subversion-1.8.10/debian/patches/perl-swig-crash
@@ -0,0 +1,244 @@
+------------------------------------------------------------------------
+r1668618 | philip | 2015-03-23 08:33:22 -0400 (Mon, 23 Mar 2015) | 6 lines
+
+* subversion/bindings/swig/include/svn_types.swg: Change the
+   SWIG Perl binding code that was marked "clearly buggy" so
+   that svn_swig_pl_from_md5 follows the same pattern as
+   svn_swig_pl_from_stream.  This may fix a SEGV reported
+   via Debian: https://bugs.debian.org/780246
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1668617)
++++ trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1668618)
+@@ -1116,11 +1116,7 @@
+ }
+ 
+ %typemap(argout) unsigned char *result_digest {
+-  /* FIXME: This code is clearly buggy. The return value of sv_newmortal()
+-     is immediately overwritten by the return value
+-     of svn_swig_pl_from_md5(). */
+-    ST(argvi) = sv_newmortal();
+-    ST(argvi++) = svn_swig_pl_from_md5($1);
++    %append_output(svn_swig_pl_from_md5($1));
+ }
+ #endif
+ 
+
+------------------------------------------------------------------------
+r1671388 | rschupp | 2015-04-05 08:48:45 -0400 (Sun, 05 Apr 2015) | 6 lines
+
+* subversion/bindings/swig/include/svn_types.swg: Following r1668618
+   fix two more instances where the Perl argument stack pointer 
+   was bumped without checking if there's enough space allocated.
+   While we're at it, reduce the size of the temp array - 30 bytes
+   are more than enough to hold a decimal representation of a 64-bit integer.
+
+
+Index: trunk/subversion/bindings/swig/include/apr.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/apr.swg     (revision 1671387)
++++ trunk/subversion/bindings/swig/include/apr.swg     (revision 1671388)
+@@ -31,23 +31,21 @@
+ */
+ #ifdef SWIGPERL
+ %typemap(out) long long {
+-    char temp[256];
++    char temp[30];
+     sprintf(temp, "%" APR_INT64_T_FMT, (apr_int64_t) $1);
+-    ST(argvi) = sv_newmortal();
+-    sv_setpv((SV*)ST(argvi++), temp);
++    %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+ 
+ %typemap(out) unsigned long long {
+-    char temp[256];
++    char temp[30];
+     sprintf(temp, "%" APR_UINT64_T_FMT, (apr_uint64_t) $1);
+-    ST(argvi) = sv_newmortal();
+-    sv_setpv((SV*)ST(argvi++), temp);
++    %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+ 
+ %typemap(in, numinputs=0) long long *OUTPUT (apr_int64_t temp)
+     "$1 = &temp;";
+ %typemap(argout) long long *OUTPUT {
+-  char temp[256];
++  char temp[30];
+   sprintf(temp, "%" APR_INT64_T_FMT, (apr_int64_t)*($1));
+   %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+@@ -55,7 +53,7 @@
+ %typemap(in, numinputs=0) unsigned long long *OUTPUT (apr_uint64_t temp)
+     "$1 = &temp;";
+ %typemap(argout) unsigned long long *OUTPUT {
+-  char temp[256];
++  char temp[30];
+   sprintf(temp, "%" APR_UINT64_T_FMT, (apr_uint64_t)*($1));
+   %append_output(sv_2mortal(newSVpv(temp, 0)));
+ }
+
+------------------------------------------------------------------------
+r1683266 | rschupp | 2015-06-03 05:50:59 -0400 (Wed, 03 Jun 2015) | 8 lines
+
+* subversion/bindings/swig/include/svn_types.swg:
+  Bracket calls with PUTBACK/SPAGAIN to helper functions 
+  that call back into Perl:
+  - svn_swig_pl_make_stream
+  - svn_swig_pl_from_stream
+  - svn_swig_pl_from_md5
+  Note: calls in typemaps need only SPAGAIN.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1683265)
++++ trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1683266)
+@@ -935,15 +935,24 @@
+ #ifdef SWIGPERL
+ %typemap(in) svn_stream_t * {
+     svn_swig_pl_make_stream (&$1, $input);
++    SPAGAIN;
+ }
+ 
+ %typemap(out) svn_stream_t * {
+-    $result = svn_swig_pl_from_stream ($1);
++    SV* tmp;
++    PUTBACK;
++    tmp = svn_swig_pl_from_stream ($1);
++    SPAGAIN;
++    $result = tmp;
+     argvi++;
+ }
+ 
+ %typemap(argout) svn_stream_t ** {
+-  %append_output(svn_swig_pl_from_stream(*$1));
++    SV *tmp;
++    PUTBACK;
++    tmp = svn_swig_pl_from_stream(*$1);
++    SPAGAIN;
++    %append_output(tmp);
+ }
+ #endif
+ 
+@@ -1116,7 +1125,11 @@
+ }
+ 
+ %typemap(argout) unsigned char *result_digest {
+-    %append_output(svn_swig_pl_from_md5($1));
++    SV *tmp;
++    PUTBACK;
++    tmp = svn_swig_pl_from_md5($1);
++    SPAGAIN;
++    %append_output(tmp);
+ }
+ #endif
+ 
+
+------------------------------------------------------------------------
+r1683267 | rschupp | 2015-06-03 05:56:16 -0400 (Wed, 03 Jun 2015) | 8 lines
+
+* subversion/bindings/swig/core.i, subversion/bindings/swig/svn_client.i,
+  subversion/bindings/swig/include/svn_containers.swg,
+  subversion/bindings/swig/include/svn_string.swg,
+  subversion/bindings/swig/include/svn_types.swg:
+  Bracket calls with PUTBACK/SPAGAIN to helper function svn_swig_pl_make_pool
+  as it calls back into Perl.
+  Note: calls in typemaps need only SPAGAIN.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_string.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_string.swg      (revision 
1683266)
++++ trunk/subversion/bindings/swig/include/svn_string.swg      (revision 
1683267)
+@@ -90,6 +90,7 @@
+ %typemap(in) svn_stringbuf_t * {
+     apr_size_t len;
+     char *buf;
++    apr_pool_t *pool;
+ 
+     if (!SvOK($input)) {
+         $1 = NULL;
+@@ -97,8 +98,9 @@
+         buf = SvPV($input, len);
+         /* Another case of ugly pool handling, this should use the current
+            default pool, or make a new one if it doesn't exist yet */
+-        $1 = svn_stringbuf_ncreate(buf,len,
+-                                   svn_swig_pl_make_pool ((SV *)NULL));
++        pool = svn_swig_pl_make_pool ((SV *)NULL);
++        SPAGAIN;
++        $1 = svn_stringbuf_ncreate(buf,len, pool);
+     } else {
+         croak("Not a string");
+     }
+Index: trunk/subversion/bindings/swig/include/svn_containers.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_containers.swg  (revision 
1683266)
++++ trunk/subversion/bindings/swig/include/svn_containers.swg  (revision 
1683267)
+@@ -269,8 +269,10 @@
+ %typemap(in) apr_hash_t *PROPHASH
+   (apr_pool_t *_global_pool = NULL)
+ {
+-  if (_global_pool == NULL)
++  if (_global_pool == NULL) {
+     _global_pool = svn_swig_pl_make_pool((SV *)NULL);
++    SPAGAIN;
++  }
+   $1 = svn_swig_pl_hash_to_prophash($input, _global_pool);  
+ }
+ %typemap(out) apr_hash_t *PROPHASH
+Index: trunk/subversion/bindings/swig/svn_client.i
+===================================================================
+--- trunk/subversion/bindings/swig/svn_client.i        (revision 1683266)
++++ trunk/subversion/bindings/swig/svn_client.i        (revision 1683267)
+@@ -293,8 +293,9 @@
+  */
+ #ifdef SWIGPERL
+ %typemap(in) apr_hash_t *config {
+-  $1 = svn_swig_pl_objs_to_hash_by_name ($input, "svn_config_t *",
+-                                         svn_swig_pl_make_pool ((SV *)NULL));
++  apr_pool_t *pool = svn_swig_pl_make_pool ((SV *)NULL);
++  SPAGAIN;
++  $1 = svn_swig_pl_objs_to_hash_by_name ($input, "svn_config_t *", pool);
+ }
+ 
+ %typemap(out) apr_hash_t *config {
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1683266)
++++ trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1683267)
+@@ -548,6 +548,7 @@
+ %typemap(in) apr_pool_t *pool "";
+ %typemap(default) apr_pool_t *pool(apr_pool_t *_global_pool) {
+     _global_pool = $1 = svn_swig_pl_make_pool (ST(items-1));
++    SPAGAIN;
+ }
+ #endif
+ #ifdef SWIGRUBY
+------------------------------------------------------------------------
+r1683269 | rschupp | 2015-06-03 05:59:38 -0400 (Wed, 03 Jun 2015) | 4 lines
+
+* subversion/bindings/swig/include/svn_types.swg:
+  Bracket calls with PUTBACK/SPAGAIN to helper function 
+  svn_swig_pl_callback_thunk as it calls back into Perl.
+
+
+Index: trunk/subversion/bindings/swig/include/svn_types.swg
+===================================================================
+--- trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1683268)
++++ trunk/subversion/bindings/swig/include/svn_types.swg       (revision 
1683269)
+@@ -423,9 +423,11 @@
+         if (SvOK(exception_handler)) {
+             SV *callback_result;
+ 
++            PUTBACK;
+             svn_swig_pl_callback_thunk (CALL_SV, exception_handler,
+                                         &callback_result, "S", $1,
+                                         $1_descriptor);
++            SPAGAIN;
+         } else {
+             $result = SWIG_NewPointerObj($1, $1_descriptor, 0);
+             argvi++;
+
+------------------------------------------------------------------------

--- End Message ---
--- Begin Message --- 
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---

Reply via email to