From 172f7725ae985a757ab34dfd39277419bc46086d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Feb 10 2015 21:37:36 +0000
Subject: import subversion-1.7.14-7.el7_0


---

diff --git a/SOURCES/subversion-1.7.14-CVE-2014-3528.patch b/SOURCES/subversion-1.7.14-CVE-2014-3528.patch
new file mode 100644
index 0000000..25465c1
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2014-3528.patch
@@ -0,0 +1,30 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3528
+
+http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
+
+http://svn.apache.org/viewvc?view=revision&revision=r1615193
+
+--- subversion-1.7.14/subversion/libsvn_subr/config_auth.c.cve3528
++++ subversion-1.7.14/subversion/libsvn_subr/config_auth.c
+@@ -90,6 +90,7 @@ svn_config_read_auth_data(apr_hash_t **h
+   if (kind == svn_node_file)
+     {
+       svn_stream_t *stream;
++      svn_string_t *stored_realm;
+ 
+       SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+                 _("Unable to open auth file for reading"));
+@@ -100,6 +101,12 @@ svn_config_read_auth_data(apr_hash_t **h
+                 apr_psprintf(pool, _("Error parsing '%s'"),
+                              svn_dirent_local_style(auth_path, pool)));
+ 
++      stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
++                                  APR_HASH_KEY_STRING);
++
++      if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
++        *hash = NULL; /* Hash collision, or somebody tampering with storage */
++
+       SVN_ERR(svn_stream_close(stream));
+     }
+ 
diff --git a/SOURCES/subversion-1.7.14-CVE-2014-3580.patch b/SOURCES/subversion-1.7.14-CVE-2014-3580.patch
new file mode 100644
index 0000000..9abe947
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2014-3580.patch
@@ -0,0 +1,77 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3580
+
+http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
+
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/deleted-rev.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/deleted-rev.c
+@@ -56,6 +56,9 @@ dav_svn__get_deleted_rev_report(const da
+   dav_error *derr = NULL;
+ 
+   /* Sanity check. */
++  if (!resource->info->repos_path)
++    return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++                              "The request does not specify a repository path");
+   ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+   if (ns == -1)
+     return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/file-revs.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/file-revs.c
+@@ -251,6 +251,9 @@ dav_svn__file_revs_report(const dav_reso
+   arb.repos = resource->info->repos;
+ 
+   /* Sanity check. */
++  if (!resource->info->repos_path)
++    return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++                              "The request does not specify a repository path");
+   ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+   /* ### This is done on other places, but the document element is
+      in this namespace, so is this necessary at all? */
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/get-locations.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/get-locations.c
+@@ -106,6 +106,9 @@ dav_svn__get_locations_report(const dav_
+                                       sizeof(svn_revnum_t));
+ 
+   /* Sanity check. */
++  if (!resource->info->repos_path)
++    return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++                              "The request does not specify a repository path");
+   ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+   if (ns == -1)
+     {
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/get-location-segments.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/get-location-segments.c
+@@ -123,6 +123,9 @@ dav_svn__get_location_segments_report(co
+   struct location_segment_baton location_segment_baton;
+ 
+   /* Sanity check. */
++  if (!resource->info->repos_path)
++    return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++                              "The request does not specify a repository path");
+   ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+   if (ns == -1)
+     {
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/log.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/log.c
+@@ -307,6 +307,9 @@ dav_svn__log_report(const dav_resource *
+     = apr_array_make(resource->pool, 1, sizeof(const char *));
+ 
+   /* Sanity check. */
++  if (!resource->info->repos_path)
++    return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++                              "The request does not specify a repository path");
+   ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+   if (ns == -1)
+     {
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/mergeinfo.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/mergeinfo.c
+@@ -67,6 +67,9 @@ dav_svn__get_mergeinfo_report(const dav_
+     = apr_array_make(resource->pool, 0, sizeof(const char *));
+ 
+   /* Sanity check. */
++  if (!resource->info->repos_path)
++    return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++                              "The request does not specify a repository path");
+   ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+   if (ns == -1)
+     {
diff --git a/SOURCES/subversion-1.7.14-CVE-2014-8108.patch b/SOURCES/subversion-1.7.14-CVE-2014-8108.patch
new file mode 100644
index 0000000..acd9ccf
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2014-8108.patch
@@ -0,0 +1,54 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8108
+
+http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
+
+--- subversion-1.7.14/subversion/mod_dav_svn/repos.c.cve8108
++++ subversion-1.7.14/subversion/mod_dav_svn/repos.c
+@@ -506,6 +506,9 @@ parse_vtxnstub_uri(dav_resource_combined
+   if (parse_txnstub_uri(comb, path, label, use_checked_in))
+     return TRUE;
+ 
++  if (!comb->priv.root.txn_name)
++    return TRUE;
++
+   comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+   comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+                                               comb->priv.root.vtxn_name);
+@@ -574,6 +577,9 @@ parse_vtxnroot_uri(dav_resource_combined
+   if (parse_txnroot_uri(comb, path, label, use_checked_in))
+     return TRUE;
+ 
++  if (!comb->priv.root.txn_name)
++    return TRUE;
++
+   comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+   comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+                                               comb->priv.root.vtxn_name);
+@@ -919,6 +925,10 @@ prep_working(dav_resource_combined *comb
+      point. */
+   if (txn_name == NULL)
+     {
++      if (!comb->priv.root.activity_id)
++        return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++                                  "The request did not specify an activity ID");
++
+       txn_name = dav_svn__get_txn(comb->priv.repos,
+                                   comb->priv.root.activity_id);
+       if (txn_name == NULL)
+@@ -1029,8 +1039,13 @@ prep_working(dav_resource_combined *comb
+ static dav_error *
+ prep_activity(dav_resource_combined *comb)
+ {
+-  const char *txn_name = dav_svn__get_txn(comb->priv.repos,
+-                                          comb->priv.root.activity_id);
++  const char *txn_name;
++
++  if (!comb->priv.root.activity_id)
++    return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++                              "The request did not specify an activity ID");
++
++  txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id);
+ 
+   comb->priv.root.txn_name = txn_name;
+   comb->res.exists = txn_name != NULL;
diff --git a/SPECS/subversion.spec b/SPECS/subversion.spec
index 17c2103..9a359f9 100644
--- a/SPECS/subversion.spec
+++ b/SPECS/subversion.spec
@@ -20,7 +20,7 @@
 Summary: A Modern Concurrent Version Control System
 Name: subversion
 Version: 1.7.14
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: ASL 2.0
 Group: Development/Tools
 URL: http://subversion.apache.org/
@@ -42,6 +42,9 @@ Patch9: subversion-1.7.9-rubybind.patch
 Patch10: subversion-1.7.9-swighash.patch
 Patch11: subversion-1.7.10-aarch64.patch
 Patch12: subversion-1.7.14-CVE-2014-0032.patch
+Patch13: subversion-1.7.14-CVE-2014-3528.patch
+Patch14: subversion-1.7.14-CVE-2014-3580.patch
+Patch15: subversion-1.7.14-CVE-2014-8108.patch
 BuildRequires: autoconf, libtool, python, python-devel, texinfo, which
 BuildRequires: libdb-devel, swig >= 1.3.24, gettext
 BuildRequires: apr-devel >= 1.3.0, apr-util-devel >= 1.3.0
@@ -183,6 +186,9 @@ This package includes supplementary tools for use with Subversion.
 %patch10 -p1 -b .swighash
 %patch11 -p1 -b .aarch64
 %patch12 -p1 -b .cve0032
+%patch13 -p1 -b .cve3528
+%patch14 -p1 -b .cve3580
+%patch15 -p1 -b .cve8108
 
 %build
 # Regenerate the buildsystem, so that:
@@ -474,6 +480,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Fri Jan  9 2015 Joe Orton <jorton@redhat.com> - 1.7.14-7
+- add security fixes for CVE-2014-3528, CVE-2014-3580, CVE-2014-8108
+
 * Wed Mar  5 2014 Joe Orton <jorton@redhat.com> - 1.7.14-6
 - drop dependency on db4-devel (#1072969)