Bug#704940: Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-18 Thread Adam D. Barratt

On 17.04.2013 05:35, Salvatore Bonaccorso wrote:
 On Tue, Apr 16, 2013 at 06:05:23PM +0200, Thomas Preud'homme wrote:
  For #704940 I took the patch from the corresponding CVE entries
  (CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849). There is
  no patch for CVE-2013-1884 since it doesn't affect the version in
  wheezy.
 
 For CVE-2013-1884: could you please double check this with Mike
 Gilbert? He mentioned in IRC that this also affects the older versions
 and updated the tracker[1].
 
  [1]: https://security-tracker.debian.org/tracker/CVE-2013-1884


Upstream appear to believe it {does,should}n't - 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704940#32


Regards,

Adam


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#704940: Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-18 Thread Thomas Preud'homme
On Thursday 18 April 2013 14:38:15, Adam D. Barratt wrote:
 
 Upstream appear to believe it {does,should}n't -
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704940#32

Oh good. I hadn't time to look at that yet. Should I upload the NMU then?

 
 Regards,
 
 Adam

Best regards,

Thomas




Bug#704940: Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-18 Thread Adam D. Barratt
Control: tags 705552 + confirmed

On Thu, 2013-04-18 at 14:54 +0200, Thomas Preud'homme wrote:
 On Thursday 18 April 2013 14:38:15, Adam D. Barratt wrote:
  
  Upstream appear to believe it {does,should}n't -
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704940#32
 
 Oh good. I hadn't time to look at that yet. Should I upload the NMU then?

Please go ahead; thanks.

Regards,

Adam





Bug#704940: Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-18 Thread Thomas Preud'homme
On Thursday 18 April 2013 21:46:18, Adam D. Barratt wrote:
 Control: tags 705552 + confirmed
 
 On Thu, 2013-04-18 at 14:54 +0200, Thomas Preud'homme wrote:
  On Thursday 18 April 2013 14:38:15, Adam D. Barratt wrote:
   Upstream appear to believe it {does,should}n't -
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704940#32
  
  Oh good. I hadn't time to look at that yet. Should I upload the NMU then?
 
 Please go ahead; thanks.

Done.

 
 Regards,
 
 Adam

Thanks.

Thomas




Bug#704940: Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-18 Thread Adam D. Barratt
On Thu, 2013-04-18 at 23:48 +0200, Thomas Preud'homme wrote:
 On Thursday 18 April 2013 21:46:18, Adam D. Barratt wrote:
  Please go ahead; thanks.
 
 Done.

Thanks; unblocked.

Regards,

Adam





Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-16 Thread Thomas Preud'homme
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package subversion

I prepared an upload targeting wheezy fixing #683188 and #704940.

For #704940 I took the patch from the corresponding CVE entries
(CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849). There is
no patch for CVE-2013-1884 since it doesn't affect the version in
wheezy.

Concerning #683188, I just refreshed the patch used in unstable for it
to apply on wheezy's version.

unblock subversion/1.6.17dfsg-4+deb7u2

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable-updates'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u subversion-1.6.17dfsg/debian/changelog subversion-1.6.17dfsg/debian/changelog
--- subversion-1.6.17dfsg/debian/changelog
+++ subversion-1.6.17dfsg/debian/changelog
@@ -1,3 +1,16 @@
+subversion (1.6.17dfsg-4+deb7u2) wheezy; urgency=low
+
+  * Non-maintainer upload.
+  * Include following security fixes (Closes: #704940):
+- CVE-2013-1845: Remotely triggered memory exhaustion in mod_dav_svn
+- CVE-2013-1846: Remotely triggered crash in mod_dav_svn
+- CVE-2013-1847: Remotely triggered crash in mod_dav_svn
+- CVE-2013-1849: Remotely triggered crash in mod_dav_svn
+  * Convert SVN_STREAM_CHUNK_SIZE to an integer in svn/core.py
+(Closes: #683188).
+
+ -- Thomas Preud'homme robo...@debian.org  Tue, 16 Apr 2013 14:36:14 +0200
+
 subversion (1.6.17dfsg-4+deb7u1) wheezy; urgency=low
 
   * Non-maintainer upload.
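Review bot: the four "- CVE-2013-...:" sub-items and the "(Closes: #683188)." continuation line sit at column 0 in this hunk, whereas Debian changelog entries expect continuation lines indented under the "  * " item (e.g. "    - CVE-2013-1845: ..."); if that is how the file reads rather than mail wrapping, indent them so dpkg-parsechangelog does not flag the entry as badly formatted.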
diff -u subversion-1.6.17dfsg/debian/patches/series subversion-1.6.17dfsg/debian/patches/series
--- subversion-1.6.17dfsg/debian/patches/series
+++ subversion-1.6.17dfsg/debian/patches/series
@@ -36,0 +37,4 @@
+chunksize-integer.patch
+cve-2013-1845
+cve-2013-1846
+cve-2013-1849
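Review bot: the series hunk adds cve-2013-1845, cve-2013-1846 and cve-2013-1849 but no entry for CVE-2013-1847, although the changelog hunk above lists CVE-2013-1847 as fixed; either the 1847 fix is folded into one of the listed patch files (then record it in that file's DEP-3 header) or a patch is missing from the series. The cve-* entries also drop the .patch suffix used by chunksize-integer.patch, which quilt accepts but is inconsistent.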
only in patch2:
unchanged:
--- subversion-1.6.17dfsg.orig/debian/patches/cve-2013-1849
+++ subversion-1.6.17dfsg/debian/patches/cve-2013-1849
@@ -0,0 +1,39 @@
+Author: Philip Martin philip.mar...@wandisco.com
+Subject: Reject operations on prop if the resource is an activity
+
+Subversion's mod_dav_svn Apache HTTPD server module will crash when
+a PROPFIND request is made against activity URLs. The patch consists
+in rejecting operations on getcontentlength and getcontenttype
+properties if the resource is an activity.
+
+Origin: upstream, commit:r1453780
+Bug-CVE: http://subversion.apache.org/security/CVE-2013-1849-advisory.txt
+Bug-Debian: http://bugs.debian.org/704940
+Last-Update: 2013-04-16
+Applied-Upstream: commit:r1453780
+
+Index: subversion/mod_dav_svn/liveprops.c
+===
+--- a/subversion/mod_dav_svn/liveprops.c	(revision 1458455)
 b/subversion/mod_dav_svn/liveprops.c	(working copy)
+@@ -410,7 +410,8 @@ insert_prop_internal(const dav_resource *resource,
+ svn_filesize_t len = 0;
+ 
+ /* our property, but not defined on collection resources */
+-if (resource-collection || resource-baselined)
++if (resource-type == DAV_RESOURCE_TYPE_ACTIVITY
++|| resource-collection || resource-baselined)
+   return DAV_PROP_INSERT_NOTSUPP;
+ 
+ serr = svn_fs_file_length(len, resource-info-root.root,
+@@ -434,7 +435,9 @@ insert_prop_internal(const dav_resource *resource,
+ svn_string_t *pval;
+ const char *mime_type = NULL;
+ 
+-if (resource-baselined  resource-type == DAV_RESOURCE_TYPE_VERSION)
++if (resource-type == DAV_RESOURCE_TYPE_ACTIVITY
++|| (resource-baselined
++ resource-type == DAV_RESOURCE_TYPE_VERSION))
+   return DAV_PROP_INSERT_NOTSUPP;
+ 
+ if (resource-type == DAV_RESOURCE_TYPE_PRIVATE
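Review bot: as posted, this patch file has lost characters and would not apply: "resource-collection", "resource-baselined" and "resource-info-root.root" should read with "->" as in liveprops.c, the "b/subversion/mod_dav_svn/liveprops.c" header line is missing its "+++" marker, and the condition spanning "|| (resource-baselined" and "resource-type == DAV_RESOURCE_TYPE_VERSION))" has no "&&" between its operands; please confirm the file in the upload matches upstream r1453780 (the Origin/Applied-Upstream header) and that this is only mail mangling. The "Index:" line also names the path without the "a/" prefix used on the ---/+++ lines; fine with -p1, but keep them consistent.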
only in patch2:
unchanged:
--- subversion-1.6.17dfsg.orig/debian/patches/cve-2013-1845
+++ subversion-1.6.17dfsg/debian/patches/cve-2013-1845
@@ -0,0 +1,189 @@
+Author: Philip Martin philip.mar...@wandisco.com
+Subject: Introduce a subpool to control memory use
+
+Setting or deleting a large number of properties on a node (file or
+directory)  will result in a large amount of memory use.  Due to the
+memory pooling behavior of Apache httpd and Subversion the completion of
+the request will not result in the immediate release of memory used.
+Repeated commits with the same properties will result in each httpd process
+plateauing out at some amount of memory.  This could result in a Denial of
+Service if the system is exhausted of all available memory.
+
+Origin: upstream, commit:r1443929
+Bug-CVE: http://subversion.apache.org/security/CVE-2013-1845-advisory.txt
+Bug-Debian: http://bugs.debian.org/704940
+Last-Update: 2013-04-16
+Applied-Upstream: commit:r1443929
+
+
+Index: 
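Review bot: this patch file is cut off right after its "Index:" line, so only the DEP-3 header of cve-2013-1845 is visible and the subpool change from r1443929 that the header describes cannot be reviewed here; please attach the complete debdiff. The cve-2013-1846 file added in the series hunk does not appear before the cut either.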

Bug#704940: Bug#705552: unblock: subversion/1.6.17dfsg-4+deb7u2

2013-04-16 Thread Salvatore Bonaccorso
Hi Thomas

Cc'ing Mike Gilbert and Peter Samuelson.

On Tue, Apr 16, 2013 at 06:05:23PM +0200, Thomas Preud'homme wrote:
 For #704940 I took the patch from the corresponding CVE entries
 (CVE-2013-1845, CVE-2013-1846, CVE-2013-1847, CVE-2013-1849). There is
 no patch for CVE-2013-1884 since it doesn't affect the version in
 wheezy.

For CVE-2013-1884: could you please double check this with Mike
Gilbert? He mentioned in IRC that this also affects the older versions
and updated the tracker[1].

 [1]: https://security-tracker.debian.org/tracker/CVE-2013-1884

Regards,
Salvatore

