From bfffd5df0ae017b800b3c5d4b34e06fc31a48ba5 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 28 Jul 2020 05:54:32 -0400
Subject: [PATCH] import subversion-1.10.2-3.module+el8.3.0+6671+2675c974

---
 .../subversion-1.10.2-CVE-2018-11782.patch    | 221 ++++++++++++++++++
 SPECS/subversion.spec                         |  12 +-
 2 files changed, 228 insertions(+), 5 deletions(-)
 create mode 100644 SOURCES/subversion-1.10.2-CVE-2018-11782.patch

diff --git a/SOURCES/subversion-1.10.2-CVE-2018-11782.patch b/SOURCES/subversion-1.10.2-CVE-2018-11782.patch
new file mode 100644
index 0000000..a298173
--- /dev/null
+++ b/SOURCES/subversion-1.10.2-CVE-2018-11782.patch
@@ -0,0 +1,221 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=17330884
+
+https://subversion.apache.org/security/CVE-2018-11782-advisory.txt
+
+Fixes for CVE-2018-11782, svnserve get-deleted-rev assertion failure.
+
+The svn protocol prototype for get-deleted-rev does not allow for a reply of
+SVN_INVALID_REVNUM directly. A query having such an answer previously caused
+the server to raise an assertion failure which could crash the whole process
+or a thread or child process of it, depending on the build configuration of
+the server.
+
+To work around the problem without changing the protocol, we re-purpose the
+obsolete error code 'SVN_ERR_ENTRY_MISSING_REVISION' to communicate this
+'not deleted' reply to the client.
+
+  - With a new client against a new server, such queries are now handled
+    correctly.
+
+  - With an old client against a new server, the client will report a more
+    informative error message, and the server will not crash.
+
+  - With a new client against an old server, the behaviour is the same as
+    with an old client against an old server.
+
+In addition, this fixes a similar problem whereby any regular error response
+to a 'get-deleted-rev' query resulted in the server closing the connection,
+process and/or thread (again depending on the build configuration). Now such
+errors are correctly passed back to the client.
+
+* subversion/libsvn_ra_svn/client.c
+  (ra_svn_get_deleted_rev): Detect error SVN_ERR_ENTRY_MISSING_REVISION
+    and convert it to a response of SVN_INVALID_REVNUM.
+
+* subversion/svnserve/serve.c
+  (get_deleted_rev): Respond with error SVN_ERR_ENTRY_MISSING_REVISION
+    instead of an assertion failure if the answer is SVN_INVALID_REVNUM.
+    If svn_repos_deleted_rev() returns an error, pass that error back to
+    the client.
+
+* subversion/tests/libsvn_ra/ra-test.c
+  (commit_two_changes): New.
+  (test_get_deleted_rev_no_delete,
+   test_get_deleted_rev_errors): New tests.
+  (test_funcs): Run them.
+--This line, and those below, will be ignored--
+
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion-1.10.2/subversion/libsvn_ra_svn/client.c.cve11782
++++ subversion-1.10.2/subversion/libsvn_ra_svn/client.c
+@@ -3105,6 +3105,7 @@
+ {
+   svn_ra_svn__session_baton_t *sess_baton = session->priv;
+   svn_ra_svn_conn_t *conn = sess_baton->conn;
++  svn_error_t *err;
+ 
+   path = reparent_path(session, path, pool);
+ 
+@@ -3116,8 +3117,20 @@
+   SVN_ERR(handle_unsupported_cmd(handle_auth_request(sess_baton, pool),
+                                  N_("'get-deleted-rev' not implemented")));
+ 
+-  return svn_error_trace(svn_ra_svn__read_cmd_response(conn, pool, "r",
+-                                                       revision_deleted));
++  err = svn_error_trace(svn_ra_svn__read_cmd_response(conn, pool, "r",
++                                                      revision_deleted));
++  /* The protocol does not allow for a reply of SVN_INVALID_REVNUM directly.
++     Instead, a new enough server returns SVN_ERR_ENTRY_MISSING_REVISION to
++     indicate the answer to the query is SVN_INVALID_REVNUM. (An older server
++     closes the connection and returns SVN_ERR_RA_SVN_CONNECTION_CLOSED.) */
++  if (err && err->apr_err == SVN_ERR_ENTRY_MISSING_REVISION)
++    {
++      *revision_deleted = SVN_INVALID_REVNUM;
++      svn_error_clear(err);
++    }
++  else
++    SVN_ERR(err);
++  return SVN_NO_ERROR;
+ }
+ 
+ static svn_error_t *
+--- subversion-1.10.2/subversion/svnserve/serve.c.cve11782
++++ subversion-1.10.2/subversion/svnserve/serve.c
+@@ -3505,8 +3505,21 @@
+                                svn_relpath_canonicalize(path, pool), pool);
+   SVN_ERR(log_command(b, conn, pool, "get-deleted-rev"));
+   SVN_ERR(trivial_auth_request(conn, pool, b));
+-  SVN_ERR(svn_repos_deleted_rev(b->repository->fs, full_path, peg_revision,
+-                                end_revision, &revision_deleted, pool));
++  SVN_CMD_ERR(svn_repos_deleted_rev(b->repository->fs, full_path, peg_revision,
++                                    end_revision, &revision_deleted, pool));
++
++  /* The protocol does not allow for a reply of SVN_INVALID_REVNUM directly.
++     Instead, return SVN_ERR_ENTRY_MISSING_REVISION. A new enough client
++     knows that this means the answer to the query is SVN_INVALID_REVNUM.
++     (An older client reports this as an error.) */
++  if (revision_deleted == SVN_INVALID_REVNUM)
++    SVN_CMD_ERR(svn_error_createf(SVN_ERR_ENTRY_MISSING_REVISION, NULL,
++                                  "svn protocol command 'get-deleted-rev': "
++                                  "path '%s' was not deleted in r%ld-%ld; "
++                                  "NOTE: newer clients handle this case "
++                                  "and do not report it as an error",
++                                  full_path, peg_revision, end_revision));
++
+   SVN_ERR(svn_ra_svn__write_cmd_response(conn, pool, "r", revision_deleted));
+   return SVN_NO_ERROR;
+ }
+--- subversion-1.10.2/subversion/tests/libsvn_ra/ra-test.c.cve11782
++++ subversion-1.10.2/subversion/tests/libsvn_ra/ra-test.c
+@@ -94,6 +94,41 @@
+   return SVN_NO_ERROR;
+ }
+ 
++/* Commit two revisions: add 'B', then delete 'A' */
++static svn_error_t *
++commit_two_changes(svn_ra_session_t *session,
++                   apr_pool_t *pool)
++{
++  apr_hash_t *revprop_table = apr_hash_make(pool);
++  const svn_delta_editor_t *editor;
++  void *edit_baton;
++  void *root_baton, *dir_baton;
++
++  /* mkdir B */
++  SVN_ERR(svn_ra_get_commit_editor3(session, &editor, &edit_baton,
++                                    revprop_table,
++                                    NULL, NULL, NULL, TRUE, pool));
++  SVN_ERR(editor->open_root(edit_baton, SVN_INVALID_REVNUM,
++                            pool, &root_baton));
++  SVN_ERR(editor->add_directory("B", root_baton, NULL, SVN_INVALID_REVNUM,
++                               pool, &dir_baton));
++  SVN_ERR(editor->close_directory(dir_baton, pool));
++  SVN_ERR(editor->close_directory(root_baton, pool));
++  SVN_ERR(editor->close_edit(edit_baton, pool));
++
++  /* delete A */
++  SVN_ERR(svn_ra_get_commit_editor3(session, &editor, &edit_baton,
++                                    revprop_table,
++                                    NULL, NULL, NULL, TRUE, pool));
++  SVN_ERR(editor->open_root(edit_baton, SVN_INVALID_REVNUM,
++                            pool, &root_baton));
++  SVN_ERR(editor->delete_entry("A", SVN_INVALID_REVNUM, root_baton, pool));
++  SVN_ERR(editor->close_directory(root_baton, pool));
++  SVN_ERR(editor->close_edit(edit_baton, pool));
++
++  return SVN_NO_ERROR;
++}
++
+ static svn_error_t *
+ commit_tree(svn_ra_session_t *session,
+             apr_pool_t *pool)
+@@ -1784,6 +1819,56 @@
+   return SVN_NO_ERROR;
+ }
+ 
++/* Cases of 'get-deleted-rev' that should return SVN_INVALID_REVNUM. */
++static svn_error_t *
++test_get_deleted_rev_no_delete(const svn_test_opts_t *opts,
++                               apr_pool_t *pool)
++{
++  svn_ra_session_t *ra_session;
++  svn_revnum_t revision_deleted;
++
++  SVN_ERR(make_and_open_repos(&ra_session,
++                              "test-repo-get-deleted-rev-no-delete", opts,
++                              pool));
++  SVN_ERR(commit_changes(ra_session, pool));
++  SVN_ERR(commit_two_changes(ra_session, pool));
++
++  /* expect 'no deletion' in the range up to r2, when it is deleted in r3 */
++  /* This was failing over RA-SVN where the 'get-deleted-rev' wire command's
++     prototype cannot directly represent that result. A new enough client and
++     server collaborate on a work-around implemented using an error code. */
++  SVN_ERR(svn_ra_get_deleted_rev(ra_session, "A", 1, 2,
++                                 &revision_deleted, pool));
++  SVN_TEST_INT_ASSERT(revision_deleted, SVN_INVALID_REVNUM);
++
++  /* this connection should still be open: a simple case should still work */
++  SVN_ERR(svn_ra_get_deleted_rev(ra_session, "A", 1, 3,
++                                 &revision_deleted, pool));
++  SVN_TEST_INT_ASSERT(revision_deleted, 3);
++
++  return SVN_NO_ERROR;
++}
++
++/* Cases of 'get-deleted-rev' that should return an error. */
++static svn_error_t *
++test_get_deleted_rev_errors(const svn_test_opts_t *opts,
++                               apr_pool_t *pool)
++{
++  svn_ra_session_t *ra_session;
++  svn_revnum_t revision_deleted;
++
++  SVN_ERR(make_and_open_repos(&ra_session,
++                              "test-repo-get-deleted-rev-errors", opts, pool));
++  SVN_ERR(commit_changes(ra_session, pool));
++
++  /* expect an error when searching up to r3, when repository head is r1 */
++  SVN_TEST_ASSERT_ERROR(svn_ra_get_deleted_rev(ra_session, "A", 1, 3,
++                                               &revision_deleted, pool),
++                        SVN_ERR_FS_NO_SUCH_REVISION);
++
++  return SVN_NO_ERROR;
++}
++
+ 
+ /* The test table.  */
+ 
+@@ -1820,6 +1905,10 @@
+                        "check how last change applies to empty commit"),
+     SVN_TEST_OPTS_PASS(commit_locked_file,
+                        "check commit editor for a locked file"),
++    SVN_TEST_OPTS_PASS(test_get_deleted_rev_no_delete,
++                       "test get-deleted-rev no delete"),
++    SVN_TEST_OPTS_PASS(test_get_deleted_rev_errors,
++                       "test get-deleted-rev errors"),
+     SVN_TEST_NULL
+   };
+ 
diff --git a/SPECS/subversion.spec b/SPECS/subversion.spec
index 48d58a1..1c2e656 100644
--- a/SPECS/subversion.spec
+++ b/SPECS/subversion.spec
@@ -37,7 +37,7 @@
 Summary: A Modern Concurrent Version Control System
 Name: subversion
 Version: 1.10.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 Group: Development/Tools
 URL: https://subversion.apache.org/
@@ -55,6 +55,7 @@ Patch2: subversion-1.10.0-pie.patch
 Patch4: subversion-1.8.0-rubybind.patch
 Patch5: subversion-1.8.5-swigplWall.patch
 Patch6: subversion-1.10.2-CVE-2019-0203.patch
+Patch7: subversion-1.10.2-CVE-2018-11782.patch
 BuildRequires: autoconf, libtool, texinfo, which
 BuildRequires: swig >= 1.3.24, gettext
 %if %{with bdb}
@@ -222,6 +223,7 @@ This package includes supplementary tools for use with Subversion.
 %patch4 -p1 -b .rubybind
 %patch5 -p1 -b .swigplWall
 %patch6 -p1 -b .cve0203
+%patch7 -p1 -b .cve11782
 
 %build
 # Regenerate the buildsystem, so that:
@@ -544,11 +546,11 @@ make check-javahl
 %endif
 
 %changelog
-* Wed Aug  7 2019 Joe Orton <jorton@redhat.com> - 1.10.2-2
-- rebuild to ensure NVR ordering (#1696354)
+* Mon May 18 2020 Joe Orton <jorton@redhat.com> - 1.10.2-3
+- add security fix for CVE-2018-11782
 
-* Thu Aug 01 2019 Lubos Uhliarik <luhliari@redhat.com> - 1.10.2-1.1
-- Resolves: #1733442 - CVE-2019-0203 subversion:1.10/subversion: remote
+* Thu Aug 01 2019 Lubos Uhliarik <luhliari@redhat.com> - 1.10.2-2
+- Resolves: #1733443 - CVE-2019-0203 subversion:1.10/subversion: remote
   unauthenticated denial-of-service in subversion svnserve
 
 * Fri Jul 20 2018 Joe Orton <jorton@redhat.com> - 1.10.2-1