From fcb07fae8fbe4f74f39739cb193dd374e90cca2a Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 29 2020 07:02:20 +0000
Subject: import subversion-1.7.14-16.el7


---

diff --git a/SOURCES/subversion-1.7.14-CVE-2018-11782.patch b/SOURCES/subversion-1.7.14-CVE-2018-11782.patch
new file mode 100644
index 0000000..5f1cb9f
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2018-11782.patch
@@ -0,0 +1,89 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-11782
+
+--- subversion-1.7.14/subversion/libsvn_ra_svn/client.c.cve11782
++++ subversion-1.7.14/subversion/libsvn_ra_svn/client.c
+@@ -2542,6 +2542,7 @@
+ {
+   svn_ra_svn__session_baton_t *sess_baton = session->priv;
+   svn_ra_svn_conn_t *conn = sess_baton->conn;
++  svn_error_t *err;
+ 
+   /* Transmit the parameters. */
+   SVN_ERR(svn_ra_svn_write_cmd(conn, pool, "get-deleted-rev", "crr",
+@@ -2551,7 +2552,20 @@
+   SVN_ERR(handle_unsupported_cmd(handle_auth_request(sess_baton, pool),
+                                  _("'get-deleted-rev' not implemented")));
+ 
+-  return svn_ra_svn_read_cmd_response(conn, pool, "r", revision_deleted);
++  err = svn_error_trace(svn_ra_svn_read_cmd_response(conn, pool, "r",
++                                                     revision_deleted));
++  /* The protocol does not allow for a reply of SVN_INVALID_REVNUM directly.
++     Instead, a new enough server returns SVN_ERR_ENTRY_MISSING_REVISION to
++     indicate the answer to the query is SVN_INVALID_REVNUM. (An older server
++     closes the connection and returns SVN_ERR_RA_SVN_CONNECTION_CLOSED.) */
++  if (err && err->apr_err == SVN_ERR_ENTRY_MISSING_REVISION)
++    {
++      *revision_deleted = SVN_INVALID_REVNUM;
++      svn_error_clear(err);
++    }
++  else
++    SVN_ERR(err);
++  return SVN_NO_ERROR;
+ }
+ 
+ 
+--- subversion-1.7.14/subversion/svnserve/serve.c.cve11782
++++ subversion-1.7.14/subversion/svnserve/serve.c
+@@ -2875,8 +2875,21 @@
+                                svn_relpath_canonicalize(path, pool), pool);
+   SVN_ERR(log_command(b, conn, pool, "get-deleted-rev"));
+   SVN_ERR(trivial_auth_request(conn, pool, b));
+-  SVN_ERR(svn_repos_deleted_rev(b->fs, full_path, peg_revision, end_revision,
+-                                &revision_deleted, pool));
++  SVN_CMD_ERR(svn_repos_deleted_rev(b->fs, full_path, peg_revision,
++                                    end_revision, &revision_deleted, pool));
++
++  /* The protocol does not allow for a reply of SVN_INVALID_REVNUM directly.
++     Instead, return SVN_ERR_ENTRY_MISSING_REVISION. A new enough client
++     knows that this means the answer to the query is SVN_INVALID_REVNUM.
++     (An older client reports this as an error.) */
++  if (revision_deleted == SVN_INVALID_REVNUM)
++    SVN_CMD_ERR(svn_error_createf(SVN_ERR_ENTRY_MISSING_REVISION, NULL,
++                                  "svn protocol command 'get-deleted-rev': "
++                                  "path '%s' was not deleted in r%ld-%ld; "
++                                  "NOTE: newer clients handle this case "
++                                  "and do not report it as an error",
++                                  full_path, peg_revision, end_revision));
++
+   SVN_ERR(svn_ra_svn_write_cmd_response(conn, pool, "r", revision_deleted));
+   return SVN_NO_ERROR;
+ }
+@@ -3086,7 +3099,7 @@
+ svn_error_t *serve(svn_ra_svn_conn_t *conn, serve_params_t *params,
+                    apr_pool_t *pool)
+ {
+-  svn_error_t *err, *io_err;
++  svn_error_t *err;
+   apr_uint64_t ver;
+   const char *uuid, *client_url, *ra_client_string, *client_string;
+   apr_array_header_t *caplist, *cap_words;
+@@ -3198,12 +3211,12 @@
+     }
+   if (err)
+     {
+-      log_error(err, b.log_file, svn_ra_svn_conn_remote_host(conn),
+-                b.user, NULL, pool);
+-      io_err = svn_ra_svn_write_cmd_failure(conn, pool, err);
+-      svn_error_clear(err);
+-      SVN_ERR(io_err);
+-      return svn_ra_svn_flush(conn, pool);
++      /* Report these errors to the client before closing the connection. */
++      err = svn_error_compose_create(err,
++              svn_ra_svn_write_cmd_failure(conn, pool, err));
++      err = svn_error_compose_create(err,
++              svn_ra_svn_flush(conn, pool));
++      return err;
+     }
+ 
+   /* Log the open. */
diff --git a/SPECS/subversion.spec b/SPECS/subversion.spec
index dbf413d..13ed2f3 100644
--- a/SPECS/subversion.spec
+++ b/SPECS/subversion.spec
@@ -22,7 +22,7 @@
 Summary: A Modern Concurrent Version Control System
 Name: subversion
 Version: 1.7.14
-Release: 14%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Group: Development/Tools
 URL: http://subversion.apache.org/
@@ -55,6 +55,7 @@ Patch20: subversion-1.7.14-CVE-2017-9800.patch
 Patch21: subversion-1.7.14-r1439592+.patch
 Patch22: subversion-1.7.14-r1708699.patch
 Patch23: subversion-1.7.14-r1564900.patch
+Patch24: subversion-1.7.14-CVE-2018-11782.patch
 BuildRequires: autoconf, libtool, python, python-devel, texinfo, which
 BuildRequires: libdb-devel, swig >= 1.3.24, gettext
 BuildRequires: apr-devel >= 1.3.0, apr-util-devel >= 1.3.0
@@ -208,6 +209,7 @@ This package includes supplementary tools for use with Subversion.
 %patch21 -p1 -b .r1439592+
 %patch22 -p1 -b .r1708699
 %patch23 -p1 -b .r1564900
+%patch24 -p1 -b .cve11782
 
 %build
 # Regenerate the buildsystem, so that:
@@ -507,6 +509,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Tue Apr 14 2020 Joe Orton <jorton@redhat.com> - 1.7.14-16
+- add security fix for CVE-2018-11782
+
 * Wed Oct 25 2017 Joe Orton <jorton@redhat.com> - 1.7.14-14
 - remove installed backup files (#1379593)