Diffstat (limited to 'patches/source/subversion')
-rwxr-xr-xpatches/source/subversion/get-svn-book.sh9
-rw-r--r--patches/source/subversion/slack-desc19
-rw-r--r--patches/source/subversion/subversion.CVE-2015-5343.diff16
-rw-r--r--patches/source/subversion/subversion.CVE-2016-2167.diff11
-rw-r--r--patches/source/subversion/subversion.CVE-2016-2168.diff32
-rw-r--r--patches/source/subversion/subversion.CVE-2017-9800.diff105
-rwxr-xr-xpatches/source/subversion/subversion.SlackBuild183
7 files changed, 375 insertions, 0 deletions
diff --git a/patches/source/subversion/get-svn-book.sh b/patches/source/subversion/get-svn-book.sh
new file mode 100755
index 000000000..e88530d32
--- /dev/null
+++ b/patches/source/subversion/get-svn-book.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+CWD=`pwd`
+
+# Add the latest copy of the Subversion book:
+( cd $CWD
+ lftpget http://svnbook.red-bean.com/en/1.7/svn-book-html.tar.bz2
+ chmod 644 svn-book-html.tar.bz2
+)
+
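Review bot: The book archive is fetched over plain http and later extracted straight into the package, yet nothing verifies what was downloaded; pinning a digest closes that supply-chain gap, e.g. `lftpget https://svnbook.red-bean.com/en/1.7/svn-book-html.tar.bz2 || exit 1` (https if the host serves it) followed by `echo "<expected-sha256>  svn-book-html.tar.bz2" | sha256sum -c - || exit 1`. As written, a failed fetch is not detected at all: `lftpget`'s status is discarded, `chmod` runs anyway and the script exits 0. `CWD=\`pwd\`` and `cd $CWD` are also unquoted, so a build path containing whitespace breaks the `cd`; `cd "$CWD"` fixes it, or the subshell can simply go, since it only changes to the directory the script is already in.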
diff --git a/patches/source/subversion/slack-desc b/patches/source/subversion/slack-desc
new file mode 100644
index 000000000..af2ef0b61
--- /dev/null
+++ b/patches/source/subversion/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+subversion: subversion (a version control system)
+subversion:
+subversion: Subversion is a version control system which allows you to keep old
+subversion: versions of files and directories (usually source code), and keep a
+subversion: log of who, when, and why changes occurred, similar to other such
+subversion: systems like CVS, RCS or SCCS. Subversion keeps all the information
+subversion: to permit extracting previous versions of those files at any time.
+subversion:
+subversion: For more information about the Subversion project, visit:
+subversion: http://subversion.apache.org
+subversion:
diff --git a/patches/source/subversion/subversion.CVE-2015-5343.diff b/patches/source/subversion/subversion.CVE-2015-5343.diff
new file mode 100644
index 000000000..59482aeec
--- /dev/null
+++ b/patches/source/subversion/subversion.CVE-2015-5343.diff
@@ -0,0 +1,16 @@
+--- ./subversion/mod_dav_svn/util.c.orig 2013-11-14 15:11:33.000000000 -0600
++++ ./subversion/mod_dav_svn/util.c 2016-04-05 13:02:22.610756129 -0500
+@@ -753,7 +753,12 @@
+
+ if (content_length)
+ {
+- buf = svn_stringbuf_create_ensure(content_length, pool);
++ /* Do not allocate more than 1 MB until we receive request body. */
++ apr_size_t alloc_len = 1 * 1024 *1024;
++ if (content_length < alloc_len)
++ alloc_len = (apr_size_t) content_length;
++
++ buf = svn_stringbuf_create_ensure(alloc_len, pool);
+ }
+ else
+ {
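Review bot: The cast `(apr_size_t) content_length` on the last added line is only sound if content_length is non-negative, and both its declaration and whatever validated it lie outside this hunk (the enclosing function begins before it); if it is a signed 64-bit value, the preceding `<` is evaluated in whichever type wins the usual promotion, which differs between 32- and 64-bit builds. A one-line precondition comment would help the next backporter reason about it: `/* content_length has already been checked as >= 0 by the caller. */`. The 1 MB cap itself matches the described mitigation for this CVE: growth is deferred until the body is actually read instead of trusting the client-supplied header.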
diff --git a/patches/source/subversion/subversion.CVE-2016-2167.diff b/patches/source/subversion/subversion.CVE-2016-2167.diff
new file mode 100644
index 000000000..891cc59aa
--- /dev/null
+++ b/patches/source/subversion/subversion.CVE-2016-2167.diff
@@ -0,0 +1,11 @@
+--- ./subversion/svnserve/cyrus_auth.c.orig 2014-01-26 22:04:31.000000000 -0600
++++ ./subversion/svnserve/cyrus_auth.c 2016-04-30 15:00:31.936038054 -0500
+@@ -73,6 +73,8 @@
+ {
+ /* The only valid realm is user_realm (i.e. the repository's realm).
+ If the user gave us another realm, complain. */
++ if (realm_len != inlen-(pos-in+1))
++ return SASL_BADPROT;
+ if (strncmp(pos+1, user_realm, inlen-(pos-in+1)) != 0)
+ return SASL_BADPROT;
+ }
diff --git a/patches/source/subversion/subversion.CVE-2016-2168.diff b/patches/source/subversion/subversion.CVE-2016-2168.diff
new file mode 100644
index 000000000..24741ca66
--- /dev/null
+++ b/patches/source/subversion/subversion.CVE-2016-2168.diff
@@ -0,0 +1,32 @@
+--- ./subversion/mod_authz_svn/mod_authz_svn.c.orig 2015-07-26 19:23:40.000000000 -0500
++++ ./subversion/mod_authz_svn/mod_authz_svn.c 2016-04-30 15:03:26.649048795 -0500
+@@ -415,6 +415,8 @@
+
+ if (r->method_number == M_MOVE || r->method_number == M_COPY)
+ {
++ apr_status_t status;
++
+ dest_uri = apr_table_get(r->headers_in, "Destination");
+
+ /* Decline MOVE or COPY when there is no Destination uri, this will
+@@ -423,7 +425,19 @@
+ if (!dest_uri)
+ return DECLINED;
+
+- apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++ status = apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
++ if (status)
++ {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++ "Invalid URI in Destination header");
++ return HTTP_BAD_REQUEST;
++ }
++ if (!parsed_dest_uri.path)
++ {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "Invalid URI in Destination header");
++ return HTTP_BAD_REQUEST;
++ }
+
+ ap_unescape_url(parsed_dest_uri.path);
+ dest_uri = parsed_dest_uri.path;
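Review bot: The return value of `ap_unescape_url(parsed_dest_uri.path)`, the context line right after the new checks, is still ignored; it reports HTTP_BAD_REQUEST for a malformed %-escape and HTTP_NOT_FOUND when a decoded byte would be '/' or NUL, and in both cases the partially decoded string continues into the authz decision. Since this change is precisely about rejecting malformed Destination URIs, that case belongs with it: `if (ap_unescape_url(parsed_dest_uri.path) != OK) return HTTP_BAD_REQUEST;`. Minor: the two new branches log an identical message, so a triager cannot tell an unparseable header from one that merely lacks a path; `"Unparseable URI in Destination header"` versus `"Destination header URI has no path"` costs nothing. The enclosing function continues past the end of the hunk.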
diff --git a/patches/source/subversion/subversion.CVE-2017-9800.diff b/patches/source/subversion/subversion.CVE-2017-9800.diff
new file mode 100644
index 000000000..56562213a
--- /dev/null
+++ b/patches/source/subversion/subversion.CVE-2017-9800.diff
@@ -0,0 +1,105 @@
+Patch for Subversion 1.8.18 (works on 1.7.x with an offset)
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c (revision 1803926)
++++ subversion/libsvn_ra_svn/client.c (working copy)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
++#include "svn_ctype.h"
+
+ #include "svn_private_config.h"
+
+@@ -395,7 +396,7 @@
+ * versions have it too. If the user is using some other ssh
+ * implementation that doesn't accept it, they can override it
+ * in the [tunnels] section of the config. */
+- val = "$SVN_SSH ssh -q";
++ val = "$SVN_SSH ssh -q --";
+ }
+
+ if (!val || !*val)
+@@ -435,7 +436,7 @@
+ ;
+ *argv = apr_palloc(pool, (n + 4) * sizeof(char *));
+ memcpy((void *) *argv, cmd_argv, n * sizeof(char *));
+- (*argv)[n++] = svn_path_uri_decode(hostinfo, pool);
++ (*argv)[n++] = hostinfo;
+ (*argv)[n++] = "svnserve";
+ (*argv)[n++] = "-t";
+ (*argv)[n] = NULL;
+@@ -716,7 +717,33 @@
+ }
+
+
++/* A simple whitelist to ensure the following are valid:
++ * user@server
++ * [::1]:22
++ * server-name
++ * server_name
++ * 127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++ const char *p = hostinfo;
+
++ if (p[0] == '-')
++ return FALSE;
++
++ while (*p)
++ {
++ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++ return FALSE;
++
++ ++p;
++ }
++
++ return TRUE;
++}
++
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+ const char **corrected_url,
+ const char *url,
+@@ -740,8 +767,17 @@
+ parse_tunnel(url, &tunnel, pool);
+
+ if (tunnel)
+- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+- pool));
++ {
++ const char *decoded_hostinfo;
++
++ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, pool);
++ if (!is_valid_hostinfo(decoded_hostinfo))
++ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++ uri.hostinfo);
++
++ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++ config, pool));
++ }
+ else
+ tunnel_argv = NULL;
+
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c (revision 1803926)
++++ subversion/libsvn_subr/config_file.c (working copy)
+@@ -1134,12 +1134,12 @@
+ "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
+ "### built-in ssh scheme were not predefined, it could be defined" NL
+ "### as:" NL
+- "# ssh = $SVN_SSH ssh -q" NL
++ "# ssh = $SVN_SSH ssh -q --" NL
+ "### If you wanted to define a new 'rsh' scheme, to be used with" NL
+ "### 'svn+rsh:' URLs, you could do so as follows:" NL
+- "# rsh = rsh" NL
++ "# rsh = rsh --" NL
+ "### Or, if you wanted to specify a full path and arguments:" NL
+- "# rsh = /path/to/rsh -l myusername" NL
++ "# rsh = /path/to/rsh -l myusername --" NL
+ "### On Windows, if you are specifying a full path to a command," NL
+ "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
+ "### path separator. A single backslash will be treated as an" NL
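Review bot: `find_tunnel_agent`'s contract changes silently in the argv-assembly hunk, where `svn_path_uri_decode(hostinfo, pool)` becomes the raw `hostinfo`, so it now depends on the caller having decoded and validated the value first; nothing records that, and a future caller that passes the raw URI component would reintroduce the bypass. A comment on the parameter such as `/* HOSTINFO must already be URI-decoded and accepted by is_valid_hostinfo(). */` pins the precondition next to where it matters. Note too that the trailing `--` only hardens the built-in default: the config_file.c hunk changes sample comments, so user-defined [tunnels] commands without `--` keep their old behaviour and rely entirely on `is_valid_hostinfo`, which is worth stating in the package advisory. The whitelist loop is safe as written: it stops on NUL before `strchr` could match the terminator, and the leading '-' check is applied to the decoded string, not the raw one.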
diff --git a/patches/source/subversion/subversion.SlackBuild b/patches/source/subversion/subversion.SlackBuild
new file mode 100755
index 000000000..6f9370d7e
--- /dev/null
+++ b/patches/source/subversion/subversion.SlackBuild
@@ -0,0 +1,183 @@
+#!/bin/sh
+
+# Copyright 2008, 2009, 2010, 2011, 2012, 2016 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+VERSION=${VERSION:-$(echo subversion-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-3_slack14.1}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-subversion
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+cd $TMP
+rm -rf subversion-$VERSION
+tar xvf $CWD/subversion-$VERSION.tar.?z* || exit 1
+cd subversion-$VERSION || exit 1
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+zcat $CWD/subversion.CVE-2015-5343.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/subversion.CVE-2016-2167.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/subversion.CVE-2016-2168.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/subversion.CVE-2017-9800.diff.gz | patch -p0 --verbose || exit 1
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/subversion-$VERSION \
+ --enable-shared \
+ --disable-static \
+ --with-apr=/usr \
+ --with-apr-util=/usr \
+ --with-apxs=/usr/bin/apxs \
+ --with-neon=/usr \
+ --with-zlib=/usr \
+ --with-pic \
+ --with-ssl \
+ --build=$ARCH-slackware-linux || exit 1
+
+# Not currently compiling with gcc-4.7.1, but we'll try it again later:
+# --with-kwallet \
+#
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+make install-tools DESTDIR=$PKG || exit 1
+make install-docs DESTDIR=$PKG || exit 1
+
+# Install python bindings
+make swig-py
+make install-swig-py DESTDIR=$PKG
+PYTHON_VER=$(python -c 'import sys; print "%d.%d" % sys.version_info[:2]')
+mkdir -p $PKG/usr/lib${LIBDIRSUFFIX}/python${PYTHON_VER}/site-packages
+mv $PKG/usr/lib${LIBDIRSUFFIX}/svn-python/* \
+ $PKG/usr/lib${LIBDIRSUFFIX}/python${PYTHON_VER}/site-packages
+rmdir $PKG/usr/lib${LIBDIRSUFFIX}/svn-python
+
+# Perl bindings
+make swig-pl-lib
+make install-swig-pl-lib DESTDIR=$PKG
+( cd subversion/bindings/swig/perl/native
+ perl Makefile.PL
+ make install_vendor DESTDIR=$PKG
+)
+eval $(perl '-V:archlib')
+mv $PKG/$archlib/perllocal.pod $PKG/$archlib/subversion.pod
+
+# Ruby bindings
+make swig-rb
+make install-swig-rb DESTDIR=$PKG
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+rm -rf $PKG/usr/info
+# Something doesn't honor --mandir
+mv $PKG/usr/share/man/man3 $PKG/usr/man
+gzip -9 $PKG/usr/man/man?/*
+rmdir $PKG/usr/share/man
+
+# What is this junk for? Since I don't know, I'll erase it. :-)
+rm -rf $PKG/usr/build
+
+mkdir -p $PKG/usr/doc/subversion-$VERSION
+cp -a \
+ BUGS COMMITTERS COPYING* HACKING INSTALL README TRANSLATING doc \
+ $PKG/usr/doc/subversion-$VERSION
+# too big && useless for most || if you think not, can be found in the source tarball
+rm -rf $PKG/usr/doc/subversion-$VERSION/doc/tools
+# Add the HTML svn book:
+( cd $PKG/usr/doc/subversion-$VERSION
+ tar xf $CWD/svn-book-html.tar.bz2
+ mv svn-book-html book
+ cd book
+ chown -R root:root .
+ find . -type d -exec chmod 0755 {} \;
+ find . -type f -exec chmod 0644 {} \;
+ find . -perm 2755 -exec chmod 0755 {} \;
+ find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+)
+
+# If there's a CHANGES file, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r CHANGES ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+ cat CHANGES | head -n 1000 > $DOCSDIR/CHANGES
+ touch -r CHANGES $DOCSDIR/CHANGES
+fi
+
+# This removes our DESTDIR from the packlist filenames, to keep perl's
+# internal inventories consistent and correct.
+find $PKG -name .packlist | while read plist ; do
+ sed -e "s%$PKG%%g" \
+ -e "s%/share/man%/man%g" \
+ -re "s%\.([1-9]n?|3pm)$%&.gz%g # extend man filenames for .gz" \
+ ${plist} > ${plist}.new
+ mv -f ${plist}.new ${plist}
+done
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/subversion-$VERSION-$ARCH-$BUILD.txz
+
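Review bot: Neither `subversion-$VERSION.tar.?z*` nor `svn-book-html.tar.bz2` is integrity-checked before `tar` extracts it as root into $TMP and then into the package; if the tree carries detached .asc signatures or known digests for them, verifying before the `tar xvf` line (e.g. `gpg --verify subversion-$VERSION.tar.*.asc || exit 1`) closes the gap that get-svn-book.sh's unauthenticated plain-http download opens. The four CVE patches are correctly applied with `|| exit 1`, but the `make swig-py`, `make install-swig-py`, `make swig-pl-lib` and `make swig-rb` steps ignore failure, so a broken binding build produces a package that silently lacks the bindings; they deserve the same `|| exit 1`. `find $PKG | xargs file` should become `find $PKG -print0 | xargs -0 file` so the strip pass is not derailed by paths containing whitespace.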