From c9ac8e9c1189abf0c9bb9c14f9aaf4c8f5ed9857 Mon Sep 17 00:00:00 2001
From: panxiaohe
Date: Fri, 22 Apr 2022 11:53:16 +0800
Subject: [PATCH] fix CVE-2021-28544 CVE-2022-24070
---
backport-CVE-2021-28544.patch | 138 ++++++++++++++++++++++++++++++++++
backport-CVE-2022-24070.patch | 61 +++++++++++++++
subversion.spec | 7 +-
3 files changed, 205 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2021-28544.patch
create mode 100644 backport-CVE-2022-24070.patch
diff --git a/backport-CVE-2021-28544.patch b/backport-CVE-2021-28544.patch
new file mode 100644
index 0000000..4293a86
--- /dev/null
+++ b/backport-CVE-2021-28544.patch
@@ -0,0 +1,138 @@
+Description: Subversion servers reveal 'copyfrom' paths that should be hidden
+ according to configured path-based authorization (authz) rules. When a node
+ has been copied from a protected location, users with access to the copy can
+ see the 'copyfrom' path of the original. This also reveals the fact that the
+ node was copied. Only the 'copyfrom' path is revealed; not its contents. Both
+ httpd and svnserve servers are vulnerable.
+Author: Stefan Sperling
+Origin: upstream
+Last-Update: 2022-04-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/subversion/libsvn_repos/log.c
++++ b/subversion/libsvn_repos/log.c
+@@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access
+ if ( (change->change_kind == svn_fs_path_change_add)
+ || (change->change_kind == svn_fs_path_change_replace))
+ {
+- const char *copyfrom_path = change->copyfrom_path;
+- svn_revnum_t copyfrom_rev = change->copyfrom_rev;
+-
+ /* the following is a potentially expensive operation since on FSFS
+ we will follow the DAG from ROOT to PATH and that requires
+ actually reading the directories along the way. */
+ if (!change->copyfrom_known)
+ {
+- SVN_ERR(svn_fs_copied_from(©from_rev, ©from_path,
++ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path,
+ root, path, iterpool));
+ change->copyfrom_known = TRUE;
+ }
+
+- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev))
++ if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev))
+ {
+- svn_boolean_t readable = TRUE;
+-
+ if (callbacks->authz_read_func)
+ {
+ svn_fs_root_t *copyfrom_root;
++ svn_boolean_t readable;
+
+ SVN_ERR(svn_fs_revision_root(©from_root, fs,
+- copyfrom_rev, iterpool));
++ change->copyfrom_rev, iterpool));
+ SVN_ERR(callbacks->authz_read_func(&readable,
+ copyfrom_root,
+- copyfrom_path,
++ change->copyfrom_path,
+ callbacks->authz_read_baton,
+ iterpool));
+ if (! readable)
+- found_unreadable = TRUE;
+- }
+-
+- if (readable)
+- {
+- change->copyfrom_path = copyfrom_path;
+- change->copyfrom_rev = copyfrom_rev;
++ {
++ found_unreadable = TRUE;
++ change->copyfrom_path = NULL;
++ change->copyfrom_rev = SVN_INVALID_REVNUM;
++ }
+ }
+ }
+ }
+--- subversion-1.13.0.orig/subversion/tests/cmdline/authz_tests.py
++++ subversion-1.13.0/subversion/tests/cmdline/authz_tests.py
+@@ -1524,6 +1524,61 @@ def authz_del_from_subdir(sbox):
+ 'rm', sbox.repo_url + '/A/mu',
+ '-m', '')
+
++# test for the bug also known as CVE-2021-28544
++@Skip(svntest.main.is_ra_type_file)
++def log_inaccessible_copyfrom(sbox):
++ "log doesn't leak inaccessible copyfrom paths"
++
++ sbox.build(empty=True)
++ sbox.simple_add_text('secret', 'private')
++ sbox.simple_commit(message='log message for r1')
++ sbox.simple_copy('private', 'public')
++ sbox.simple_commit(message='log message for r2')
++
++ svntest.actions.enable_revprop_changes(sbox.repo_dir)
++ # Remove svn:date and svn:author for predictable output.
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:date', sbox.repo_url)
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:author', sbox.repo_url)
++
++ write_restrictive_svnserve_conf(sbox.repo_dir)
++
++ # First test with blanket access.
++ write_authz_file(sbox,
++ {"/" : "* = rw"})
++ expected_output = svntest.verify.ExpectedOutput([
++ "------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ " A /public (from /private:1)\n",
++ "\n",
++ "log message for r2\n",
++ "------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
++ # Now test with an inaccessible copy source (/private).
++ write_authz_file(sbox,
++ {"/" : "* = rw"},
++ {"/private" : "* ="})
++ expected_output = svntest.verify.ExpectedOutput([
++ "------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ # The copy is shown as a plain add with no copyfrom info.
++ " A /public\n",
++ "\n",
++ # No log message, as the revision is only partially visible.
++ "\n",
++ "------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
+
+ @SkipUnless(svntest.main.is_ra_type_dav) # dontdothat is dav only
+ def log_diff_dontdothat(sbox):
+@@ -1771,6 +1826,7 @@ test_list = [ None,
+ inverted_group_membership,
+ group_member_empty_string,
+ empty_group,
++ log_inaccessible_copyfrom,
+ ]
+ serial_only = True
+
diff --git a/backport-CVE-2022-24070.patch b/backport-CVE-2022-24070.patch
new file mode 100644
index 0000000..2353898
--- /dev/null
+++ b/backport-CVE-2022-24070.patch
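Review bot: The authz_tests.py half of this backport is taken from a 1.13.0 tree (`--- subversion-1.13.0.orig/...` / `+++ subversion-1.13.0/...`, hunks `@@ -1524,6 +1524,61 @@` and `@@ -1771,6 +1826,7 @@`) while the spec builds 1.12.2, so those two hunks may apply only with offset or fuzz, or be rejected, against the 1.12.2 sources; the path prefix itself is not a problem, since with `-p1` it strips to the same `subversion/tests/cmdline/authz_tests.py` that the `a/` / `b/` form used for log.c yields. It is worth confirming in the `%prep` output that both authz_tests.py hunks applied, because a rejected test hunk would silently drop the `log_inaccessible_copyfrom` regression test while the log.c change still builds. The log.c hunk matches the upstream shape of the fix: copyfrom data is written straight into `change` and blanked with `NULL` / `SVN_INVALID_REVNUM` when `authz_read_func` reports the source unreadable, so nothing about the protected source reaches the caller.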
@@ -0,0 +1,61 @@
+Description: Fix issue #4880 "Use-after-free of object-pools when used as httpd module"
+ Ensure that we initialize authz again if the pool which our authz
+ caches depend on is cleared. Apache HTTPD may run pre/post config
+ hooks multiple times and clear its global configuration pool which
+ our authz caching pools depend on.
+
+ Reported-by: Thomas Weißschuh (thomas {at} t-8ch dot de)
+
+ Thomas has also confirmed that this patch fixes the problem.
+
+ * subversion/libsvn_repos/authz.c
+ (deinit_authz): New pool cleanup handler which resets authz initialization
+ in case the parent pool of our authz caches is cleared.
+ (synchronized_authz_initialize): Register new pool cleanup handler.
+Author: Stefan Sperling
+Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1894734
+Bug: https://issues.apache.org/jira/browse/SVN-4880
+Last-Update: 2022-04-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/subversion/libsvn_repos/authz.c
++++ b/subversion/libsvn_repos/authz.c
+@@ -130,6 +130,30 @@
+ static svn_object_pool__t *filtered_pool = NULL;
+ static svn_atomic_t authz_pool_initialized = FALSE;
+
++/*
++ * Ensure that we will initialize authz again if the pool which
++ * our authz caches depend on is cleared.
++ *
++ * HTTPD may run pre/post config hooks multiple times and clear
++ * its global configuration pool which our authz pools depend on.
++ * This happens in a non-threaded context during HTTPD's intialization
++ * and HTTPD's main loop, so it is safe to reset static variables here.
++ * (And any applications which cleared this pool while SVN threads
++ * were running would crash no matter what.)
++ *
++ * See issue #4880, "Use-after-free of object-pools in
++ * subversion/libsvn_repos/authz.c when used as httpd module"
++ */
++static apr_status_t
++deinit_authz(void *data)
++{
++ /* The two object pools run their own cleanup handlers. */
++ authz_pool = NULL;
++ filtered_pool = NULL;
++ authz_pool_initialized = FALSE;
++ return APR_SUCCESS;
++}
++
+ /* Implements svn_atomic__err_init_func_t. */
+ static svn_error_t *
+ synchronized_authz_initialize(void *baton, apr_pool_t *pool)
+@@ -143,6 +167,7 @@
+ SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
+ SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+
++ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
+ return SVN_NO_ERROR;
+ }
+
diff --git a/subversion.spec b/subversion.spec
index 1f0d6e7..5975ca1 100644
--- a/subversion.spec
+++ b/subversion.spec
@@ -10,13 +10,15 @@ Summary: Subversion, a version control system.
Name: subversion
Version: 1.12.2
-Release: 3
+Release: 4
License: ASL 2.0
URL: https://subversion.apache.org/
Source0: https://www.apache.org/dist/subversion/subversion-%{version}.tar.bz2
Patch1: backport-CVE-2020-17525.patch
+Patch2: backport-CVE-2021-28544.patch
+Patch3: backport-CVE-2022-24070.patch
BuildRequires: autoconf libtool texinfo which swig gettext apr-devel apr-util-devel libserf-devel cyrus-sasl-devel sqlite-devel file-devel utf8proc-devel lz4-devel apr-util-openssl dbus-devel, libsecret-devel httpd-devel git
Requires: httpd
@@ -310,6 +312,9 @@ make check-javahl
%endif
%changelog
+* Fri Apr 22 2022 panxiaohe - 1.12.2-4
+- fix CVE-2021-28544 CVE-2022-24070
+
* Tue Feb 23 2021 yixiangzhike - 1.12.2-3
- fix CVE-2020-17525
-- Gitee
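Review bot: In the authz.c hunk `@@ -143,6 +167,7 @@`, `apr_pool_cleanup_register` runs only after both `svn_object_pool__create` calls succeed, so if the second create fails the first object pool is already stored in `authz_pool` with no `deinit_authz` registered, and once `pool` is cleared that static keeps a dangling pointer of the kind issue #4880 describes. Moving `apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);` to the line before the first `SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));` makes the reset unconditional; whether the failed-init state of `svn_atomic__init_once` already prevents any later read of `authz_pool` is not visible here, so treat this as hardening rather than a confirmed defect. The start of `synchronized_authz_initialize` lies outside the nested hunk.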
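Review bot: `Patch2:` and `Patch3:` are declared in the first subversion.spec hunk, but the `%prep` section that applies patches is not part of this diff, so it cannot be confirmed here that either backport is actually applied; if the spec uses explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, matching `%patch2 -p1` and `%patch3 -p1` lines are needed, otherwise 1.12.2-4 is rebuilt with log.c and authz.c unchanged and the changelog entry overstates what the release contains. A build-log check that both `backport-CVE-2021-28544.patch` and `backport-CVE-2022-24070.patch` are applied would settle it.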