diff --git a/backport-CVE-2021-28544.patch b/backport-CVE-2021-28544.patch
deleted file mode 100644
index 4293a86cf0835e646960a11c146317099031317c..0000000000000000000000000000000000000000
--- a/backport-CVE-2021-28544.patch
+++ /dev/null
@@ -1,138 +0,0 @@ -Description: Subversion servers reveal 'copyfrom' paths that should be hidden - according to configured path-based authorization (authz) rules. When a node - has been copied from a protected location, users with access to the copy can - see the 'copyfrom' path of the original. This also reveals the fact that the - node was copied. Only the 'copyfrom' path is revealed; not its contents. Both - httpd and svnserve servers are vulnerable. -Author: Stefan Sperling -Origin: upstream -Last-Update: 2022-04-04 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ---- a/subversion/libsvn_repos/log.c -+++ b/subversion/libsvn_repos/log.c -@@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access - if ( (change->change_kind == svn_fs_path_change_add) - || (change->change_kind == svn_fs_path_change_replace)) - { -- const char *copyfrom_path = change->copyfrom_path; -- svn_revnum_t copyfrom_rev = change->copyfrom_rev; -- - /* the following is a potentially expensive operation since on FSFS - we will follow the DAG from ROOT to PATH and that requires - actually reading the directories along the way. */ - if (!change->copyfrom_known) - { -- SVN_ERR(svn_fs_copied_from(©from_rev, ©from_path, -+ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path, - root, path, iterpool)); - change->copyfrom_known = TRUE; - } - -- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev)) -+ if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev)) - { -- svn_boolean_t readable = TRUE; -- - if (callbacks->authz_read_func) - { - svn_fs_root_t *copyfrom_root; -+ svn_boolean_t readable; - - SVN_ERR(svn_fs_revision_root(©from_root, fs, -- copyfrom_rev, iterpool)); -+ change->copyfrom_rev, iterpool)); - SVN_ERR(callbacks->authz_read_func(&readable, - copyfrom_root, -- copyfrom_path, -+ change->copyfrom_path, - callbacks->authz_read_baton, - iterpool)); - if (! 
readable) -- found_unreadable = TRUE; -- } -- -- if (readable) -- { -- change->copyfrom_path = copyfrom_path; -- change->copyfrom_rev = copyfrom_rev; -+ { -+ found_unreadable = TRUE; -+ change->copyfrom_path = NULL; -+ change->copyfrom_rev = SVN_INVALID_REVNUM; -+ } - } - } - } ---- subversion-1.13.0.orig/subversion/tests/cmdline/authz_tests.py -+++ subversion-1.13.0/subversion/tests/cmdline/authz_tests.py -@@ -1524,6 +1524,61 @@ def authz_del_from_subdir(sbox): - 'rm', sbox.repo_url + '/A/mu', - '-m', '') - -+# test for the bug also known as CVE-2021-28544 -+@Skip(svntest.main.is_ra_type_file) -+def log_inaccessible_copyfrom(sbox): -+ "log doesn't leak inaccessible copyfrom paths" -+ -+ sbox.build(empty=True) -+ sbox.simple_add_text('secret', 'private') -+ sbox.simple_commit(message='log message for r1') -+ sbox.simple_copy('private', 'public') -+ sbox.simple_commit(message='log message for r2') -+ -+ svntest.actions.enable_revprop_changes(sbox.repo_dir) -+ # Remove svn:date and svn:author for predictable output. -+ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop', -+ '-r2', 'svn:date', sbox.repo_url) -+ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop', -+ '-r2', 'svn:author', sbox.repo_url) -+ -+ write_restrictive_svnserve_conf(sbox.repo_dir) -+ -+ # First test with blanket access. -+ write_authz_file(sbox, -+ {"/" : "* = rw"}) -+ expected_output = svntest.verify.ExpectedOutput([ -+ "------------------------------------------------------------------------\n", -+ "r2 | (no author) | (no date) | 1 line\n", -+ "Changed paths:\n", -+ " A /public (from /private:1)\n", -+ "\n", -+ "log message for r2\n", -+ "------------------------------------------------------------------------\n", -+ ]) -+ svntest.actions.run_and_verify_svn(expected_output, [], -+ 'log', '-r2', '-v', -+ sbox.repo_url) -+ -+ # Now test with an inaccessible copy source (/private). 
-+ write_authz_file(sbox, -+ {"/" : "* = rw"}, -+ {"/private" : "* ="}) -+ expected_output = svntest.verify.ExpectedOutput([ -+ "------------------------------------------------------------------------\n", -+ "r2 | (no author) | (no date) | 1 line\n", -+ "Changed paths:\n", -+ # The copy is shown as a plain add with no copyfrom info. -+ " A /public\n", -+ "\n", -+ # No log message, as the revision is only partially visible. -+ "\n", -+ "------------------------------------------------------------------------\n", -+ ]) -+ svntest.actions.run_and_verify_svn(expected_output, [], -+ 'log', '-r2', '-v', -+ sbox.repo_url) -+ - - @SkipUnless(svntest.main.is_ra_type_dav) # dontdothat is dav only - def log_diff_dontdothat(sbox): -@@ -1771,6 +1826,7 @@ test_list = [ None, - inverted_group_membership, - group_member_empty_string, - empty_group, -+ log_inaccessible_copyfrom, - ] - serial_only = True - diff --git a/backport-CVE-2022-24070.patch b/backport-CVE-2022-24070.patch deleted file mode 100644 index 23538989529dabe42646522c62059f876c33af93..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-24070.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -Description: Fix issue #4880 "Use-after-free of object-pools when used as httpd module" - Ensure that we initialize authz again if the pool which our authz - caches depend on is cleared. Apache HTTPD may run pre/post config - hooks multiple times and clear its global configuration pool which - our authz caching pools depend on. - - Reported-by: Thomas Weißschuh (thomas {at} t-8ch dot de) - - Thomas has also confirmed that this patch fixes the problem. - - * subversion/libsvn_repos/authz.c - (deinit_authz): New pool cleanup handler which resets authz initialization - in case the parent pool of our authz caches is cleared. - (synchronized_authz_initialize): Register new pool cleanup handler. -Author: Stefan Sperling -Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1894734 -Bug: https://issues.apache.org/jira/browse/SVN-4880 -Last-Update: 2022-04-04 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ---- a/subversion/libsvn_repos/authz.c -+++ b/subversion/libsvn_repos/authz.c -@@ -130,6 +130,30 @@ - static svn_object_pool__t *filtered_pool = NULL; - static svn_atomic_t authz_pool_initialized = FALSE; - -+/* -+ * Ensure that we will initialize authz again if the pool which -+ * our authz caches depend on is cleared. -+ * -+ * HTTPD may run pre/post config hooks multiple times and clear -+ * its global configuration pool which our authz pools depend on. -+ * This happens in a non-threaded context during HTTPD's intialization -+ * and HTTPD's main loop, so it is safe to reset static variables here. -+ * (And any applications which cleared this pool while SVN threads -+ * were running would crash no matter what.) -+ * -+ * See issue #4880, "Use-after-free of object-pools in -+ * subversion/libsvn_repos/authz.c when used as httpd module" -+ */ -+static apr_status_t -+deinit_authz(void *data) -+{ -+ /* The two object pools run their own cleanup handlers. 
*/ -+ authz_pool = NULL; -+ filtered_pool = NULL; -+ authz_pool_initialized = FALSE; -+ return APR_SUCCESS; -+} -+ - /* Implements svn_atomic__err_init_func_t. */ - static svn_error_t * - synchronized_authz_initialize(void *baton, apr_pool_t *pool) -@@ -143,6 +167,7 @@ - SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool)); - SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool)); - -+ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null); - return SVN_NO_ERROR; - } - diff --git a/subversion-1.14.1.tar.bz2 b/subversion-1.14.2.tar.bz2 similarity index 52% rename from subversion-1.14.1.tar.bz2 rename to subversion-1.14.2.tar.bz2 index 7a3fce24fba88d387c3e9920b8eeb3c9412b3d2f..da611620c4aa0224f06922a69cad59367056fd8b 100644 Binary files a/subversion-1.14.1.tar.bz2 and b/subversion-1.14.2.tar.bz2 differ diff --git a/subversion.spec b/subversion.spec index 62c4ef0b661c091fe2f4343ab3ba994e8886087e..7b795c48c083050bd48d05b3d8aac2268c6f29da 100644 --- a/subversion.spec +++ b/subversion.spec @@ -9,8 +9,8 @@ Summary: Subversion, a version control system. Name: subversion -Version: 1.14.1 -Release: 2 +Version: 1.14.2 +Release: 1 License: ASL 2.0 URL: https://subversion.apache.org/ @@ -21,8 +21,6 @@ Patch1: subversion-1.14.0-testwarn.patch Patch2: subversion-1.14.0-soversion.patch Patch3: subversion-1.8.0-rubybind.patch Patch4: subversion-1.8.5-swigplWall.patch -Patch5: backport-CVE-2021-28544.patch -Patch6: backport-CVE-2022-24070.patch BuildRequires: autoconf libtool texinfo which swig gettext apr-devel apr-util-devel libserf-devel cyrus-sasl-devel sqlite-devel file-devel utf8proc-devel lz4-devel apr-util-openssl dbus-devel, libsecret-devel httpd-devel git chrpath Requires: httpd @@ -325,6 +323,9 @@ make check-javahl %endif %changelog +* Sat Nov 05 2022 shixuantong - 1.14.2-1 +- upgrade version to 1.14.2 + * Fri Apr 22 2022 panxiaohe - 1.14.1-2 - fix CVE-2021-28544 CVE-2022-24070
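Review bot: The `%changelog` entry added in the last subversion.spec hunk says only `- upgrade version to 1.14.2`, while the preceding hunk drops `Patch5: backport-CVE-2021-28544.patch` and `Patch6: backport-CVE-2022-24070.patch`, so the package history no longer records where those two fixes went. Add a changelog line such as `- drop backport-CVE-2021-28544.patch and backport-CVE-2022-24070.patch, fixed upstream in 1.14.2`. Upstream 1.14.2 is the release that carries both fixes, but the new tarball appears in this diff only as a binary change. Before merging, confirm in the unpacked source that `deinit_authz` is registered via `apr_pool_cleanup_register` in `subversion/libsvn_repos/authz.c`, that `detect_changed` in `subversion/libsvn_repos/log.c` clears `change->copyfrom_path` when the source is unreadable, and that `log_inaccessible_copyfrom` is present in `authz_tests.py`.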