Update to Subversion 1.7.9 which includes the CVE patches committed earlier.
parent
c4c645927e
commit
4939ab3ee9
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: Makefile,v 1.120 2013/04/05 14:51:35 stsp Exp $
|
||||
# $OpenBSD: Makefile,v 1.121 2013/05/03 07:46:12 stsp Exp $
|
||||
|
||||
COMMENT-main= subversion revision control system
|
||||
COMMENT-perl= perl interface to subversion
|
||||
@ -7,8 +7,7 @@ COMMENT-ruby= ruby interface to subversion
|
||||
COMMENT-ap2= apache2 subversion modules
|
||||
COMMENT-gnome-keyring= GNOME keyring support for subversion
|
||||
|
||||
VERSION= 1.7.8
|
||||
REVISION= 0
|
||||
VERSION= 1.7.9
|
||||
DISTNAME= subversion-${VERSION}
|
||||
PKGNAME-main= ${DISTNAME}
|
||||
FULLPKGNAME-perl= p5-SVN-${VERSION}
|
||||
|
@ -1,2 +1,2 @@
|
||||
SHA256 (subversion-1.7.8.tar.bz2) = /IPU2YzOqLe/qPXCD/9UXIuqfQNduTCXdVDFHGyiNoY=
|
||||
SIZE (subversion-1.7.8.tar.bz2) = 6023912
|
||||
SHA256 (subversion-1.7.9.tar.bz2) = +EVMWF+Zr+12QjKlBI2bi/0KJamrjjOepp/hIExFPvQ=
|
||||
SIZE (subversion-1.7.9.tar.bz2) = 6040347
|
||||
|
@ -1,104 +0,0 @@
|
||||
$OpenBSD: patch-subversion_mod_dav_svn_deadprops_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
|
||||
CVE-2013-1845
|
||||
--- subversion/mod_dav_svn/deadprops.c.orig Thu Dec 30 21:46:50 2010
|
||||
+++ subversion/mod_dav_svn/deadprops.c Wed Apr 3 20:56:32 2013
|
||||
@@ -168,6 +168,7 @@ save_value(dav_db *db, const dav_prop_name *name,
|
||||
const char *propname;
|
||||
svn_error_t *serr;
|
||||
const dav_resource *resource = db->resource;
|
||||
+ apr_pool_t *subpool;
|
||||
|
||||
/* get the repos-local name */
|
||||
get_repos_propname(db, name, &propname);
|
||||
@@ -202,13 +203,16 @@ save_value(dav_db *db, const dav_prop_name *name,
|
||||
|
||||
*/
|
||||
|
||||
+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
|
||||
+ PROPPATCH with multiple values. */
|
||||
+ subpool = svn_pool_create(db->resource->pool);
|
||||
if (db->resource->baselined)
|
||||
{
|
||||
if (db->resource->working)
|
||||
{
|
||||
serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
|
||||
propname, value,
|
||||
- resource->pool);
|
||||
+ subpool);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -219,7 +223,7 @@ save_value(dav_db *db, const dav_prop_name *name,
|
||||
TRUE, TRUE,
|
||||
db->authz_read_func,
|
||||
db->authz_read_baton,
|
||||
- resource->pool);
|
||||
+ subpool);
|
||||
|
||||
/* Prepare any hook failure message to get sent over the wire */
|
||||
if (serr)
|
||||
@@ -242,20 +246,21 @@ save_value(dav_db *db, const dav_prop_name *name,
|
||||
dav_svn__operational_log(resource->info,
|
||||
svn_log__change_rev_prop(
|
||||
resource->info->root.rev,
|
||||
- propname, resource->pool));
|
||||
+ propname, subpool));
|
||||
}
|
||||
}
|
||||
else if (resource->info->restype == DAV_SVN_RESTYPE_TXN_COLLECTION)
|
||||
{
|
||||
serr = svn_repos_fs_change_txn_prop(resource->info->root.txn,
|
||||
- propname, value, resource->pool);
|
||||
+ propname, value, subpool);
|
||||
}
|
||||
else
|
||||
{
|
||||
serr = svn_repos_fs_change_node_prop(resource->info->root.root,
|
||||
get_repos_path(resource->info),
|
||||
- propname, value, resource->pool);
|
||||
+ propname, value, subpool);
|
||||
}
|
||||
+ svn_pool_destroy(subpool);
|
||||
|
||||
if (serr != NULL)
|
||||
return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
|
||||
@@ -540,6 +545,7 @@ db_remove(dav_db *db, const dav_prop_name *name)
|
||||
{
|
||||
svn_error_t *serr;
|
||||
const char *propname;
|
||||
+ apr_pool_t *subpool;
|
||||
|
||||
/* get the repos-local name */
|
||||
get_repos_propname(db, name, &propname);
|
||||
@@ -548,11 +554,15 @@ db_remove(dav_db *db, const dav_prop_name *name)
|
||||
if (propname == NULL)
|
||||
return NULL;
|
||||
|
||||
+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
|
||||
+ PROPPATCH with multiple values. */
|
||||
+ subpool = svn_pool_create(db->resource->pool);
|
||||
+
|
||||
/* Working Baseline or Working (Version) Resource */
|
||||
if (db->resource->baselined)
|
||||
if (db->resource->working)
|
||||
serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
|
||||
- propname, NULL, db->resource->pool);
|
||||
+ propname, NULL, subpool);
|
||||
else
|
||||
/* ### VIOLATING deltaV: you can't proppatch a baseline, it's
|
||||
not a working resource! But this is how we currently
|
||||
@@ -564,11 +574,12 @@ db_remove(dav_db *db, const dav_prop_name *name)
|
||||
propname, NULL, NULL, TRUE, TRUE,
|
||||
db->authz_read_func,
|
||||
db->authz_read_baton,
|
||||
- db->resource->pool);
|
||||
+ subpool);
|
||||
else
|
||||
serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
|
||||
get_repos_path(db->resource->info),
|
||||
- propname, NULL, db->resource->pool);
|
||||
+ propname, NULL, subpool);
|
||||
+ svn_pool_destroy(subpool);
|
||||
if (serr != NULL)
|
||||
return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
|
||||
"could not remove a property",
|
@ -1,25 +0,0 @@
|
||||
$OpenBSD: patch-subversion_mod_dav_svn_liveprops_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
|
||||
CVE-2013-1849
|
||||
--- subversion/mod_dav_svn/liveprops.c.orig Fri Feb 3 21:04:00 2012
|
||||
+++ subversion/mod_dav_svn/liveprops.c Wed Apr 3 20:56:32 2013
|
||||
@@ -429,7 +429,8 @@ insert_prop_internal(const dav_resource *resource,
|
||||
svn_filesize_t len = 0;
|
||||
|
||||
/* our property, but not defined on collection resources */
|
||||
- if (resource->collection || resource->baselined)
|
||||
+ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
|
||||
+ || resource->collection || resource->baselined)
|
||||
return DAV_PROP_INSERT_NOTSUPP;
|
||||
|
||||
serr = svn_fs_file_length(&len, resource->info->root.root,
|
||||
@@ -453,7 +454,9 @@ insert_prop_internal(const dav_resource *resource,
|
||||
svn_string_t *pval;
|
||||
const char *mime_type = NULL;
|
||||
|
||||
- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION)
|
||||
+ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
|
||||
+ || (resource->baselined
|
||||
+ && resource->type == DAV_RESOURCE_TYPE_VERSION))
|
||||
return DAV_PROP_INSERT_NOTSUPP;
|
||||
|
||||
if (resource->type == DAV_RESOURCE_TYPE_PRIVATE
|
@ -1,50 +0,0 @@
|
||||
$OpenBSD: patch-subversion_mod_dav_svn_lock_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
|
||||
CVE-2013-1846 and CVE-2013-1847
|
||||
--- subversion/mod_dav_svn/lock.c.orig Fri Jun 3 20:09:17 2011
|
||||
+++ subversion/mod_dav_svn/lock.c Wed Apr 3 20:56:32 2013
|
||||
@@ -640,7 +640,20 @@ append_locks(dav_lockdb *lockdb,
|
||||
svn_lock_t *slock;
|
||||
svn_error_t *serr;
|
||||
dav_error *derr;
|
||||
+ dav_svn_repos *repos = resource->info->repos;
|
||||
+
|
||||
+ /* We don't allow anonymous locks */
|
||||
+ if (! repos->username)
|
||||
+ return dav_svn__new_error(resource->pool, HTTP_UNAUTHORIZED,
|
||||
+ DAV_ERR_LOCK_SAVE_LOCK,
|
||||
+ "Anonymous lock creation is not allowed.");
|
||||
|
||||
+ /* Not a path in the repository so can't lock it. */
|
||||
+ if (! resource->info->repos_path)
|
||||
+ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST,
|
||||
+ DAV_ERR_LOCK_SAVE_LOCK,
|
||||
+ "Attempted to lock path not in repository.");
|
||||
+
|
||||
/* If the resource's fs path is unreadable, we don't allow a lock to
|
||||
be created on it. */
|
||||
if (! dav_svn__allow_read_resource(resource, SVN_INVALID_REVNUM,
|
||||
@@ -663,7 +676,6 @@ append_locks(dav_lockdb *lockdb,
|
||||
svn_fs_txn_t *txn;
|
||||
svn_fs_root_t *txn_root;
|
||||
const char *conflict_msg;
|
||||
- dav_svn_repos *repos = resource->info->repos;
|
||||
apr_hash_t *revprop_table = apr_hash_make(resource->pool);
|
||||
apr_hash_set(revprop_table, SVN_PROP_REVISION_AUTHOR,
|
||||
APR_HASH_KEY_STRING, svn_string_create(repos->username,
|
||||
@@ -741,14 +753,14 @@ append_locks(dav_lockdb *lockdb,
|
||||
|
||||
/* Convert the dav_lock into an svn_lock_t. */
|
||||
derr = dav_lock_to_svn_lock(&slock, lock, resource->info->repos_path,
|
||||
- info, resource->info->repos->is_svn_client,
|
||||
+ info, repos->is_svn_client,
|
||||
resource->pool);
|
||||
if (derr)
|
||||
return derr;
|
||||
|
||||
/* Now use the svn_lock_t to actually perform the lock. */
|
||||
serr = svn_repos_fs_lock(&slock,
|
||||
- resource->info->repos->repos,
|
||||
+ repos->repos,
|
||||
slock->path,
|
||||
slock->token,
|
||||
slock->comment,
|
@ -1,16 +0,0 @@
|
||||
$OpenBSD: patch-subversion_mod_dav_svn_reports_log_c,v 1.1 2013/04/05 14:51:35 stsp Exp $
|
||||
CVE-2013-1884
|
||||
--- subversion/mod_dav_svn/reports/log.c.orig Wed Jan 11 16:57:13 2012
|
||||
+++ subversion/mod_dav_svn/reports/log.c Wed Apr 3 20:56:32 2013
|
||||
@@ -341,10 +341,9 @@ dav_svn__log_report(const dav_resource *resource,
|
||||
dav_xml_get_cdata(child, resource->pool, 1));
|
||||
if (serr)
|
||||
{
|
||||
- derr = dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
||||
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
|
||||
"Malformed CDATA in element "
|
||||
"\"limit\"", resource->pool);
|
||||
- goto cleanup;
|
||||
}
|
||||
}
|
||||
else if (strcmp(child->name, "discover-changed-paths") == 0)
|