import subversion-1.14.1-2.module+el8.7.0+15203+76baa818

This commit is contained in:
CentOS Sources 2022-05-12 00:15:55 +00:00 committed by Stepan Oksanichenko
parent d54a4f229d
commit 4d32f7443f
4 changed files with 96 additions and 1 deletions

View File

@ -0,0 +1,41 @@
--- subversion-1.14.1/subversion/libsvn_repos/authz.c
+++ subversion-1.14.1/subversion/libsvn_repos/authz.c
@@ -130,6 +130,30 @@
static svn_object_pool__t *filtered_pool = NULL;
static svn_atomic_t authz_pool_initialized = FALSE;
+/*
+ * Ensure that we will initialize authz again if the pool which
+ * our authz caches depend on is cleared.
+ *
+ * HTTPD may run pre/post config hooks multiple times and clear
+ * its global configuration pool which our authz pools depend on.
+ * This happens in a non-threaded context during HTTPD's intialization
+ * and HTTPD's main loop, so it is safe to reset static variables here.
+ * (And any applications which cleared this pool while SVN threads
+ * were running would crash no matter what.)
+ *
+ * See issue #4880, "Use-after-free of object-pools in
+ * subversion/libsvn_repos/authz.c when used as httpd module"
+ */
+static apr_status_t
+deinit_authz(void *data)
+{
+ /* The two object pools run their own cleanup handlers. */
+ authz_pool = NULL;
+ filtered_pool = NULL;
+ authz_pool_initialized = FALSE;
+ return APR_SUCCESS;
+}
+
/* Implements svn_atomic__err_init_func_t. */
static svn_error_t *
synchronized_authz_initialize(void *baton, apr_pool_t *pool)
@@ -143,6 +167,7 @@
SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
return SVN_NO_ERROR;
}

View File

@ -0,0 +1,30 @@
See upstream dev@subversion thread. Fixes intermittent failure of
javahl tests, particularly reproducible on aarch64.
Message-ID: <11de5f5c-5059-b973-95a1-385e7913a63a@syntevo.com>
From: Alexandr Miloslavskiy
--- subversion-1.14.1/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java.fixjavatests
+++ subversion-1.14.1/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java
@@ -4676,7 +4676,19 @@
// RuntimeException("Test exception") is expected here
}
- tunnelAgent.joinAndTest();
+ // In this test, there is a race condition that sometimes results in
+ // IOException when 'WAIT_TUNNEL' tries to read from a pipe that
+ // already has its read end closed. This is not an error, but
+ // it's hard to distinguish this case from other IOException which
+ // indicate a problem. To reproduce, simply wrap this test's body in
+ // a loop. The workaround is to ignore any detected IOException.
+ //
+ // tunnelAgent.joinAndTest();
+ try {
+ tunnelAgent.join();
+ } catch (InterruptedException e) {
+ e.printStackTrace ();
+ }
}
/**

View File

@ -0,0 +1,14 @@
Fix intermittent failures when "svn add" guesses a near-empty file is binary and hence
the output is different.
--- subversion-1.14.1/subversion/tests/cmdline/svntest/main.py.testnoautoprops
+++ subversion-1.14.1/subversion/tests/cmdline/svntest/main.py
@@ -691,6 +691,7 @@
[miscellany]
interactive-conflicts = false
+enable-auto-props = no
"""
if exclusive_wc_locks:
config_contents += """

View File

@ -52,7 +52,7 @@
Summary: A Modern Concurrent Version Control System
Name: subversion
Version: 1.14.1
Release: 1%{?dist}
Release: 2%{?dist}
License: ASL 2.0
URL: https://subversion.apache.org/
@ -70,6 +70,10 @@ Patch3: subversion-1.14.0-soversion.patch
Patch4: subversion-1.8.0-rubybind.patch
Patch5: subversion-1.8.5-swigplWall.patch
Patch6: subversion-1.14.0-findpy.patch
Patch7: subversion-1.14.1-CVE-2022-24070.patch
Patch8: subversion-1.14.1-testnoautoprops.patch
Patch9: subversion-1.14.1-fixjavatests.patch
BuildRequires: autoconf, libtool, texinfo, which
BuildRequires: swig >= 1.3.24, gettext
%if %{with bdb}
@ -231,6 +235,9 @@ This package includes supplementary tools for use with Subversion.
%patch4 -p1 -b .rubybind
%patch5 -p1 -b .swigplWall
%patch6 -p1 -b .findpy
%patch7 -p1 -b .cve24070
%patch8 -p1 -b .testnoautoprops
%patch9 -p1 -b .fixjavatests
:
@ -573,6 +580,9 @@ make check-javahl
%endif
%changelog
* Mon May 09 2022 Richard Lescak <rlescak@gmail.com> - 1.14.1-2
- add fix for CVE-2022-24070
* Wed Feb 10 2021 Joe Orton <jorton@redhat.com> - 1.14.1-1
- update to 1.14.1 for CVE-2020-17525 (#1923928)