Fix for CVE-2014-0032, mod_dav_svn DoS vulnerability with SVNListParentPath

ok aja, jasper
stsp 2014-02-20 21:15:31 +00:00
parent d2847d11c9
commit afb1a361f7
2 changed files with 32 additions and 1 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.130 2014/01/20 15:12:24 stsp Exp $
# $OpenBSD: Makefile,v 1.131 2014/02/20 21:15:31 stsp Exp $
COMMENT-main= subversion revision control system
COMMENT-perl= perl interface to subversion
@ -10,6 +10,7 @@ COMMENT-gnome-keyring= GNOME keyring support for subversion
VERSION= 1.8.5
DISTNAME= subversion-${VERSION}
REVISION-main = 0
REVISION-ap2 = 0
PKGNAME-main= ${DISTNAME}
FULLPKGNAME-perl= p5-SVN-${VERSION}
FULLPKGPATH-perl= devel/subversion,-perl


@ -0,0 +1,30 @@
$OpenBSD: patch-subversion_mod_dav_svn_repos_c,v 1.2 2014/02/20 21:15:31 stsp Exp $
CVE-2014-0032: mod_dav_svn DoS vulnerability with SVNListParentPath
--- subversion/mod_dav_svn/repos.c.orig Thu Nov 14 22:02:26 2013
+++ subversion/mod_dav_svn/repos.c Thu Feb 20 19:55:28 2014
@@ -1971,6 +1971,25 @@ get_resource(request_rec *r,
of private resource, iff the SVNListParentPath directive is 'on'. */
if (dav_svn__is_parentpath_list(r))
{
+ /* Only allow GET and HEAD on the parentpath resource
+ * httpd uses the same method_number for HEAD as GET */
+ if (r->method_number != M_GET)
+ {
+ int status;
+
+ /* Marshall the error back to the client by generating by
+ * way of the dav_svn__error_response_tag trick. */
+ err = dav_svn__new_error(r->pool, HTTP_METHOD_NOT_ALLOWED,
+ SVN_ERR_APMOD_MALFORMED_URI,
+ "The URI does not contain the name "
+ "of a repository.");
+ /* can't use r->allowed since the default handler isn't called */
+ apr_table_setn(r->headers_out, "Allow", "GET,HEAD");
+ status = dav_svn__error_response_tag(r, err);
+
+ return dav_push_error(r->pool, status, err->error_id, NULL, err);
+ }
+
err = get_parentpath_resource(r, resource);
if (err)
return err;
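Review bot: The comment above the added `if (r->method_number != M_GET)` guard records which methods are let through but not why the others have to be refused, which is the security-relevant part of this fix. Judging from the error text, the parentpath listing is not backed by a repository, so I would say so in the comment, e.g. `/* CVE-2014-0032: the parentpath listing has no repository behind it, so any method other than GET/HEAD is answered with 405 here instead of reaching get_parentpath_resource() */`. The 405 is paired with `SVN_ERR_APMOD_MALFORMED_URI` and the message "The URI does not contain the name of a repository.", which does not mention the rejected method; a message naming the method would make client errors and server logs easier to triage. The second comment also has a doubled phrase ("by generating by way of"). get_resource() begins and ends outside the hunk, so whether other branches need the same method check cannot be judged from here.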