diff --git a/SOURCES/subversion-1.7.14-CVE-2014-3528.patch b/SOURCES/subversion-1.7.14-CVE-2014-3528.patch
new file mode 100644
index 0000000..25465c1
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2014-3528.patch
@@ -0,0 +1,30 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3528
+
+http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
+
+http://svn.apache.org/viewvc?view=revision&revision=r1615193
+
+--- subversion-1.7.14/subversion/libsvn_subr/config_auth.c.cve3528
++++ subversion-1.7.14/subversion/libsvn_subr/config_auth.c
+@@ -90,6 +90,7 @@ svn_config_read_auth_data(apr_hash_t **h
+ if (kind == svn_node_file)
+ {
+ svn_stream_t *stream;
++ svn_string_t *stored_realm;
+
+ SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+ _("Unable to open auth file for reading"));
+@@ -100,6 +101,12 @@ svn_config_read_auth_data(apr_hash_t **h
+ apr_psprintf(pool, _("Error parsing '%s'"),
+ svn_dirent_local_style(auth_path, pool)));
+
++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
++ APR_HASH_KEY_STRING);
++
++ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
++ *hash = NULL; /* Hash collision, or somebody tampering with storage */
++
+ SVN_ERR(svn_stream_close(stream));
+ }
+
diff --git a/SOURCES/subversion-1.7.14-CVE-2014-3580.patch b/SOURCES/subversion-1.7.14-CVE-2014-3580.patch
new file mode 100644
index 0000000..9abe947
--- /dev/null
+++ b/SOURCES/subversion-1.7.14-CVE-2014-3580.patch
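Review bot: In the second config_auth.c hunk a realm mismatch is handled by silently setting `*hash = NULL`, which a caller presumably cannot tell apart from "no cached credentials", and the one-line comment names two very different causes (a collision and a tampered auth store) without saying what the caller is meant to see. I would spell out the contract in the comment, e.g. `/* The stored realm is missing or differs from the requested one (collision or tampered store): report no cached data rather than return another realm's credentials. */`, and mention the NULL result in the function's header comment. `strcmp(stored_realm->data, realmstring)` also relies on `realmstring` being non-NULL, which is not visible here. svn_config_read_auth_data starts and ends outside both hunks, so that should be confirmed against its callers.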
@@ -0,0 +1,77 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3580
+
+http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
+
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/deleted-rev.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/deleted-rev.c
+@@ -56,6 +56,9 @@ dav_svn__get_deleted_rev_report(const da
+ dav_error *derr = NULL;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ return dav_svn__new_error_tag(resource->pool, HTTP_BAD_REQUEST, 0,
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/file-revs.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/file-revs.c
+@@ -251,6 +251,9 @@ dav_svn__file_revs_report(const dav_reso
+ arb.repos = resource->info->repos;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ /* ### This is done on other places, but the document element is
+ in this namespace, so is this necessary at all? */
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/get-locations.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/get-locations.c
+@@ -106,6 +106,9 @@ dav_svn__get_locations_report(const dav_
+ sizeof(svn_revnum_t));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/get-location-segments.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/get-location-segments.c
+@@ -123,6 +123,9 @@ dav_svn__get_location_segments_report(co
+ struct location_segment_baton location_segment_baton;
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/log.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/log.c
+@@ -307,6 +307,9 @@ dav_svn__log_report(const dav_resource *
+ = apr_array_make(resource->pool, 1, sizeof(const char *));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
+--- subversion-1.7.14/subversion/mod_dav_svn/reports/mergeinfo.c.cve3580
++++ subversion-1.7.14/subversion/mod_dav_svn/reports/mergeinfo.c
+@@ -67,6 +67,9 @@ dav_svn__get_mergeinfo_report(const dav_
+ = apr_array_make(resource->pool, 0, sizeof(const char *));
+
+ /* Sanity check. */
++ if (!resource->info->repos_path)
++ return dav_svn__new_error(resource->pool, HTTP_BAD_REQUEST, 0,
++ "The request does not specify a repository path");
+ ns = dav_svn__find_ns(doc->namespaces, SVN_XML_NAMESPACE);
+ if (ns == -1)
+ {
diff --git a/SOURCES/subversion-1.7.14-CVE-2014-8108.patch b/SOURCES/subversion-1.7.14-CVE-2014-8108.patch
new file mode 100644
index 0000000..acd9ccf
--- /dev/null
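Review bot: The same three-line `repos_path` NULL guard is pasted into six report handlers (deleted-rev.c, file-revs.c, get-locations.c, get-location-segments.c, log.c, mergeinfo.c), so a handler not touched here, or one added later, stays unguarded. A single check where the reports are dispatched, or a small shared helper, would keep the rule in one place; whether such a dispatch point exists is not visible from these hunks. In each file the guard is also placed under the existing `/* Sanity check. */` comment, which described the namespace lookup that follows. It would read better with a comment of its own, e.g. `/* Reject requests whose resource carries no repository path before the report uses it. */`. Every handler body starts and ends outside its hunk.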
+++ b/SOURCES/subversion-1.7.14-CVE-2014-8108.patch
@@ -0,0 +1,54 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8108
+
+http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
+
+--- subversion-1.7.14/subversion/mod_dav_svn/repos.c.cve8108
++++ subversion-1.7.14/subversion/mod_dav_svn/repos.c
+@@ -506,6 +506,9 @@ parse_vtxnstub_uri(dav_resource_combined
+ if (parse_txnstub_uri(comb, path, label, use_checked_in))
+ return TRUE;
+
++ if (!comb->priv.root.txn_name)
++ return TRUE;
++
+ comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+ comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.vtxn_name);
+@@ -574,6 +577,9 @@ parse_vtxnroot_uri(dav_resource_combined
+ if (parse_txnroot_uri(comb, path, label, use_checked_in))
+ return TRUE;
+
++ if (!comb->priv.root.txn_name)
++ return TRUE;
++
+ comb->priv.root.vtxn_name = comb->priv.root.txn_name;
+ comb->priv.root.txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.vtxn_name);
+@@ -919,6 +925,10 @@ prep_working(dav_resource_combined *comb
+ point. */
+ if (txn_name == NULL)
+ {
++ if (!comb->priv.root.activity_id)
++ return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++ "The request did not specify an activity ID");
++
+ txn_name = dav_svn__get_txn(comb->priv.repos,
+ comb->priv.root.activity_id);
+ if (txn_name == NULL)
+@@ -1029,8 +1039,13 @@ prep_working(dav_resource_combined *comb
+ static dav_error *
+ prep_activity(dav_resource_combined *comb)
+ {
+- const char *txn_name = dav_svn__get_txn(comb->priv.repos,
+- comb->priv.root.activity_id);
++ const char *txn_name;
++
++ if (!comb->priv.root.activity_id)
++ return dav_svn__new_error(comb->res.pool, HTTP_BAD_REQUEST, 0,
++ "The request did not specify an activity ID");
++
++ txn_name = dav_svn__get_txn(comb->priv.repos, comb->priv.root.activity_id);
+
+ comb->priv.root.txn_name = txn_name;
+ comb->res.exists = txn_name != NULL;
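Review bot: The guards added to parse_vtxnstub_uri and parse_vtxnroot_uri return `TRUE` without a comment, so a reader has to work out that `TRUE` is the failure result here and why `txn_name` can still be NULL after the inner parser reported success. A comment on both, e.g. `/* The URI named no transaction; fail the parse rather than pass NULL to dav_svn__get_txn(). */`, would make that explicit. The value assigned from `dav_svn__get_txn()` straight afterwards can itself be NULL (prep_working and prep_activity both test for it), and the lines after that assignment are outside these hunks, so it should be confirmed that the two parsers reject that case as well. The activity-ID check and its message are duplicated verbatim in prep_working and prep_activity; a small static helper would keep the two in step.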
diff --git a/SPECS/subversion.spec b/SPECS/subversion.spec index 17c2103..9a359f9 100644 --- a/SPECS/subversion.spec +++ b/SPECS/subversion.spec @@ -20,7 +20,7 @@ Summary: A Modern Concurrent Version Control System Name: subversion Version: 1.7.14 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Group: Development/Tools URL: http://subversion.apache.org/ @@ -42,6 +42,9 @@ Patch9: subversion-1.7.9-rubybind.patch Patch10: subversion-1.7.9-swighash.patch Patch11: subversion-1.7.10-aarch64.patch Patch12: subversion-1.7.14-CVE-2014-0032.patch +Patch13: subversion-1.7.14-CVE-2014-3528.patch +Patch14: subversion-1.7.14-CVE-2014-3580.patch +Patch15: subversion-1.7.14-CVE-2014-8108.patch BuildRequires: autoconf, libtool, python, python-devel, texinfo, which BuildRequires: libdb-devel, swig >= 1.3.24, gettext BuildRequires: apr-devel >= 1.3.0, apr-util-devel >= 1.3.0 @@ -183,6 +186,9 @@ This package includes supplementary tools for use with Subversion. %patch10 -p1 -b .swighash %patch11 -p1 -b .aarch64 %patch12 -p1 -b .cve0032 +%patch13 -p1 -b .cve3528 +%patch14 -p1 -b .cve3580 +%patch15 -p1 -b .cve8108 %build # Regenerate the buildsystem, so that: @@ -474,6 +480,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Fri Jan 9 2015 Joe Orton - 1.7.14-7 +- add security fixes for CVE-2014-3528, CVE-2014-3580, CVE-2014-8108 + * Wed Mar 5 2014 Joe Orton - 1.7.14-6 - drop dependency on db4-devel (#1072969)