https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-11782
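--- subversion-1.7.14/subversion/libsvn_ra_svn/client.c.cve11782
+++ subversion-1.7.14/subversion/libsvn_ra_svn/client.c
@@ -2542,6 +2542,7 @@
 {
 svn_ra_svn__session_baton_t *sess_baton = session->priv;
 svn_ra_svn_conn_t *conn = sess_baton->conn;
+ svn_error_t *err;
 
 /* Transmit the parameters. */
 SVN_ERR(svn_ra_svn_write_cmd(conn, pool, "get-deleted-rev", "crr",
@@ -2551,7 +2552,20 @@
 SVN_ERR(handle_unsupported_cmd(handle_auth_request(sess_baton, pool),
 _("'get-deleted-rev' not implemented")));
 
- return svn_ra_svn_read_cmd_response(conn, pool, "r", revision_deleted);
+ err = svn_error_trace(svn_ra_svn_read_cmd_response(conn, pool, "r",
+ revision_deleted));
+ /* The protocol does not allow for a reply of SVN_INVALID_REVNUM directly.
+ Instead, a new enough server returns SVN_ERR_ENTRY_MISSING_REVISION to
+ indicate the answer to the query is SVN_INVALID_REVNUM. (An older server
+ closes the connection and returns SVN_ERR_RA_SVN_CONNECTION_CLOSED.) */
+ if (err && err->apr_err == SVN_ERR_ENTRY_MISSING_REVISION)
+ {
+ *revision_deleted = SVN_INVALID_REVNUM;
+ svn_error_clear(err);
+ }
+ else
+ SVN_ERR(err);
+ return SVN_NO_ERROR;
 }
 
 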
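Review bot: The new check `err->apr_err == SVN_ERR_ENTRY_MISSING_REVISION` turns any failure the server reports with that code into a successful "never deleted" answer, and `svn_error_clear(err)` discards the server's message. The code is a general-purpose one rather than one reserved for this reply, and whether any other server-side failure of this command can carry it is not visible from the hunk. I would record the assumption next to the check, for example `/* Assumes the server uses SVN_ERR_ENTRY_MISSING_REVISION for no other failure of 'get-deleted-rev'. */`. The enclosing function starts above the hunk.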
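--- subversion-1.7.14/subversion/svnserve/serve.c.cve11782
+++ subversion-1.7.14/subversion/svnserve/serve.c
@@ -2875,8 +2875,21 @@
 svn_relpath_canonicalize(path, pool), pool);
 SVN_ERR(log_command(b, conn, pool, "get-deleted-rev"));
 SVN_ERR(trivial_auth_request(conn, pool, b));
- SVN_ERR(svn_repos_deleted_rev(b->fs, full_path, peg_revision, end_revision,
- &revision_deleted, pool));
+ SVN_CMD_ERR(svn_repos_deleted_rev(b->fs, full_path, peg_revision,
+ end_revision, &revision_deleted, pool));
+
+ /* The protocol does not allow for a reply of SVN_INVALID_REVNUM directly.
+ Instead, return SVN_ERR_ENTRY_MISSING_REVISION. A new enough client
+ knows that this means the answer to the query is SVN_INVALID_REVNUM.
+ (An older client reports this as an error.) */
+ if (revision_deleted == SVN_INVALID_REVNUM)
+ SVN_CMD_ERR(svn_error_createf(SVN_ERR_ENTRY_MISSING_REVISION, NULL,
+ "svn protocol command 'get-deleted-rev': "
+ "path '%s' was not deleted in r%ld-%ld; "
+ "NOTE: newer clients handle this case "
+ "and do not report it as an error",
+ full_path, peg_revision, end_revision));
+
 SVN_ERR(svn_ra_svn_write_cmd_response(conn, pool, "r", revision_deleted));
 return SVN_NO_ERROR;
 }
@@ -3086,7 +3099,7 @@
 svn_error_t *serve(svn_ra_svn_conn_t *conn, serve_params_t *params,
 apr_pool_t *pool)
 {
- svn_error_t *err, *io_err;
+ svn_error_t *err;
 apr_uint64_t ver;
 const char *uuid, *client_url, *ra_client_string, *client_string;
 apr_array_header_t *caplist, *cap_words;
@@ -3198,12 +3211,12 @@
 }
 if (err)
 {
- log_error(err, b.log_file, svn_ra_svn_conn_remote_host(conn),
- b.user, NULL, pool);
- io_err = svn_ra_svn_write_cmd_failure(conn, pool, err);
- svn_error_clear(err);
- SVN_ERR(io_err);
- return svn_ra_svn_flush(conn, pool);
+ /* Report these errors to the client before closing the connection. */
+ err = svn_error_compose_create(err,
+ svn_ra_svn_write_cmd_failure(conn, pool, err));
+ err = svn_error_compose_create(err,
+ svn_ra_svn_flush(conn, pool));
+ return err;
 }
 
 /* Log the open. */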
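Review bot: The last hunk drops the `log_error(err, b.log_file, ...)` call from the `if (err)` branch of serve(), so the error that ends the connection is now only written to the client and returned to the caller. Unless every caller of serve() logs the returned error, which is not visible here, these failures no longer reach the svnserve log, and that log is what an operator would use to notice rejected or probing connections. I would keep the call ahead of the new lines, `log_error(err, b.log_file, svn_ra_svn_conn_remote_host(conn), b.user, NULL, pool);`, or confirm that the callers log what serve() returns. serve() begins and continues outside this hunk.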