[oe-commits] Yue Tao : subversion: fix for Security Advisory CVE-2013-1849
git at git.openembedded.org
git at git.openembedded.org
Thu May 22 15:46:13 UTC 2014
Module: openembedded-core.git
Branch: master-next
Commit: 94e8b503e8a5ae476037d4aa86f8e27d4a8c23ea
URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=94e8b503e8a5ae476037d4aa86f8e27d4a8c23ea
Author: Yue Tao <Yue.Tao at windriver.com>
Date: Fri Apr 4 13:35:31 2014 +0800
subversion: fix for Security Advisory CVE-2013-1849
Reject operations on getcontentlength and getcontenttype properties
if the resource is an activity.
Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Roy Li <rongqing.li at windriver.com>
Signed-off-by: Saul Wold <sgw at linux.intel.com>
---
.../subversion/subversion-CVE-2013-1849.patch | 25 ++++++++++++++++++++++
.../subversion/subversion_1.6.15.bb | 1 +
2 files changed, 26 insertions(+)
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch
new file mode 100644
index 0000000..734f9b0
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Backport
+
+--- a/subversion/mod_dav_svn/liveprops.c
++++ b/subversion/mod_dav_svn/liveprops.c
+@@ -410,7 +410,8 @@ insert_prop(const dav_resource *resource
+ svn_filesize_t len = 0;
+
+ /* our property, but not defined on collection resources */
+- if (resource->collection || resource->baselined)
++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
++ || resource->collection || resource->baselined)
+ return DAV_PROP_INSERT_NOTSUPP;
+
+ serr = svn_fs_file_length(&len, resource->info->root.root,
+@@ -434,7 +435,9 @@ insert_prop(const dav_resource *resource
+ svn_string_t *pval;
+ const char *mime_type = NULL;
+
+- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION)
++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
++ || (resource->baselined
++ && resource->type == DAV_RESOURCE_TYPE_VERSION))
+ return DAV_PROP_INSERT_NOTSUPP;
+
+ if (resource->type == DAV_RESOURCE_TYPE_PRIVATE
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index f225671..74cd149 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
file://disable-revision-install.patch \
file://libtool2.patch \
file://fix-install-depends.patch \
+ file://subversion-CVE-2013-1849.patch \
"
SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
More information about the Openembedded-commits
mailing list