.gitignore

@@ -1 +1,2 @@
 SOURCES/subversion-1.10.2.tar.bz2
+/subversion-1.10.2.tar.bz2

.subversion.metadata

@@ -1 +1 @@
-bc52ef2e671f821998ac9a5f7ebecbbcaaef83b8 SOURCES/subversion-1.10.2.tar.bz2
+bc52ef2e671f821998ac9a5f7ebecbbcaaef83b8 subversion-1.10.2.tar.bz2

clog2markdown

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+version=$1
+
+echo "This update includes the latest stable release of _Apache Subversion_, version **${1}**".
+echo
+
+curl --silent -n "http://svn.apache.org/repos/asf/subversion/tags/$1/CHANGES" | \
+sed -n "
+/^#/d;
+/^Version ${1/-rc*/}/,/^Version /{
+/, from \/branches/d;
+/repos\/asf\/subversion\/tags/d;
+s,#\([0-9]*\),[SVN-\1](https://issues.apache.org/jira/browse/SVN-\1),;
+s/(r[0-9, retal]+)\*//g;
+s/^ *//;
+s/ +/ /g;
+s/^ *- \(.*\)$/#### \1/;
+s/\(.*visible changes.*:\)$/### \1/;
+/^ *$/d;
+/Windows/d
+/^Version /d
+s,(r1.*),,g
+s,\(@[0-9]*\),\\\1,g
+p;
+}
+" -

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

mirrors

@@ -0,0 +1 @@
+http://subversion.tigris.org/downloads

pullrev.sh

@@ -0,0 +1,53 @@
+#!/bin/sh -e
+
+if [ $# -lt 1 ]; then
+    echo "What?"
+    exit 1
+fi
+
+repo="https://svn.apache.org/repos/asf/subversion/trunk"
+#repo="https://svn.apache.org/repos/asf/subversion/branches/1.11.x"
+prefix=`rpmspec -q --queryformat='%{name}-%{version}\n' ./subversion.spec | sed 1q`
+suffix="r$1${2:++}"
+fn="${prefix}-${suffix}.patch"
+vcurl="http://svn.apache.org/viewvc?view=revision&revision="
+
+if test -f ${fn}; then
+    mv -v -f ${fn} ${fn}\~
+    echo "# $0 $*" > ${fn}
+    sed '1{/#.*pullrev/d;};/^--- /,$d' < ${fn}\~ >> ${fn}
+else
+    echo "# $0 $*" > ${fn}
+fi
+
+new=0
+for r in $*; do
+   if ! grep -q "${vcurl}${r}" ${fn}; then
+       echo "${vcurl}${r}"
+       new=1
+   fi
+done >> ${fn}
+
+[ $new -eq 0 ] || echo >> ${fn}
+
+prev=/dev/null
+for r in $*; do
+    echo "+ fetching ${r}"
+    this=`mktemp /tmp/pullrevXXXXXX`
+    svn diff -c ${r} ${repo} | filterdiff --remove-timestamps --clean -x 'CHANGES' -x 'next-number' -x 'STATUS' \
+        --addprefix="${prefix}/" > ${this}
+    next=`mktemp /tmp/pullrevXXXXXX`
+    combinediff --quiet ${prev} ${this} > ${next}
+    rm -f "${this}"
+    [ "${prev}" = "/dev/null" ] || rm -f "${prev}"
+    prev=${next}
+done
+
+cat ${prev} >> ${fn}
+
+vi "${fn}"
+echo "+ git add ${fn}" 
+git add "${fn}"
+echo "+ spec template:"
+echo "PatchN: ${fn}"
+echo "%patchN -p1 -b .${suffix}"

sources

@@ -0,0 +1 @@
+SHA512 (subversion-1.10.2.tar.bz2) = ccbe860ec93a198745e40620cb7e005a85797e344a99ddbc0e24c32ad846976eae35cf5b3d62ba5751b998f0d40bbebbba72f484d92c92693bbb2112c989b129

subversion-1.10.2-CVE-2020-17525.patch

@@ -0,0 +1,17 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1922303
+https://github.com/apache/subversion/commit/c83d9e5db564bdbbd91a7eb1c9399f66f481361c
+
+--- a/subversion/libsvn_repos/config_file.c
++++ b/subversion/libsvn_repos/config_file.c
+@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
+     {
+       /* Search for a repository in the full path. */
+       repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
++      if (repos_root_dirent == NULL)
++        return svn_error_trace(handle_missing_file(stream, checksum, access,
++                                                   url, must_exist,
++                                                   svn_node_none));
+ 
+       /* Attempt to open a repository at repos_root_dirent. */
+       SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,

subversion-1.10.2-CVE-2022-24070.patch

@@ -0,0 +1,41 @@
+--- subversion-1.10.2/subversion/libsvn_repos/authz.c	
++++ subversion-1.10.2/subversion/libsvn_repos/authz.c	
+@@ -130,6 +130,30 @@
+ static svn_object_pool__t *filtered_pool = NULL;
+ static svn_atomic_t authz_pool_initialized = FALSE;
+ 
++/*
++ * Ensure that we will initialize authz again if the pool which
++ * our authz caches depend on is cleared.
++ *
++ * HTTPD may run pre/post config hooks multiple times and clear
++ * its global configuration pool which our authz pools depend on.
++ * This happens in a non-threaded context during HTTPD's intialization
++ * and HTTPD's main loop, so it is safe to reset static variables here.
++ * (And any applications which cleared this pool while SVN threads
++ * were running would crash no matter what.)
++ *
++ * See issue #4880, "Use-after-free of object-pools in
++ * subversion/libsvn_repos/authz.c when used as httpd module"
++ */
++static apr_status_t
++deinit_authz(void *data)
++{
++  /* The two object pools run their own cleanup handlers. */
++  authz_pool = NULL;
++  filtered_pool = NULL;
++  authz_pool_initialized = FALSE;
++  return APR_SUCCESS;
++}
++
+ /* Implements svn_atomic__err_init_func_t. */
+ static svn_error_t *
+ synchronized_authz_initialize(void *baton, apr_pool_t *pool)
+@@ -143,6 +167,7 @@
+   SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
+   SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+ 
++  apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
+   return SVN_NO_ERROR;
+ }
+ 

subversion-1.12.0-linking.patch

@@ -0,0 +1,84 @@
+
+Fix the way libtool is used to match standard practice:
+
+a) link ONLY libraries using -rpath $(libdir), not executables
+   .. this avoids adding an RPATH for $libdir to executables
+b) link non-installable test binaries using -no-install
+   .. only for convenience but should speed up builds slightly(?)
+
+--- subversion-1.12.0/build.conf.linking
++++ subversion-1.12.0/build.conf
+@@ -572,7 +572,7 @@
+ path = subversion/bindings/swig/python/libsvn_swig_py
+ libs = libsvn_client libsvn_wc libsvn_ra libsvn_delta libsvn_subr
+        apriconv apr python swig
+-link-cmd = $(LINK)
++link-cmd = $(LINK_LIB)
+ install = swig-py-lib
+ # need special build rule to include -DSWIGPYTHON
+ compile-cmd = $(COMPILE_SWIG_PY)
+@@ -598,7 +598,7 @@
+ lang = ruby
+ path = subversion/bindings/swig/ruby/libsvn_swig_ruby
+ libs = libsvn_client libsvn_wc libsvn_delta libsvn_subr apriconv apr ruby swig
+-link-cmd = $(LINK) $(SWIG_RB_LIBS)
++link-cmd = $(LINK_LIB) $(SWIG_RB_LIBS)
+ install = swig-rb-lib
+ # need special build rule to include
+ compile-cmd = $(COMPILE_SWIG_RB)
+@@ -769,6 +769,7 @@
+ libs = libsvn_repos libsvn_fs libsvn_delta libsvn_subr aprutil apriconv apr
+ msvc-static = yes
+ undefined-lib-symbols = yes
++link-cmd = $(LINK_TEST_LIB)
+ 
+ # ----------------------------------------------------------------------------
+ # Tests for libsvn_fs_base
+--- subversion-1.12.0/build/generator/gen_base.py.linking
++++ subversion-1.12.0/build/generator/gen_base.py
+@@ -599,7 +599,7 @@
+     self.install = options.get('install')
+     self.compile_cmd = options.get('compile-cmd')
+     self.sources = options.get('sources', '*.c *.cpp')
+-    self.link_cmd = options.get('link-cmd', '$(LINK)')
++    self.link_cmd = options.get('link-cmd', '$(LINK_LIB)')
+ 
+     self.external_lib = options.get('external-lib')
+     self.external_project = options.get('external-project')
+@@ -659,6 +659,14 @@
+ 
+     self.msvc_force_static = options.get('msvc-force-static') == 'yes'
+ 
++    if self.install in ['test', 'bdb-test', 'sub-test', ]:
++      self.link_cmd = '$(LINK_TEST)'
++    elif self.install in ['bin', 'tools']:
++      self.link_cmd = '$(LINK_EXE)'
++    elif self.link_cmd == '$(LINK_LIB)':
++      raise GenError('ERROR: Unknown executable link type for ' + self.name + \
++                     ': ' + self.link_cmd + ' (' + self.install + ')')
++    
+   def add_dependencies(self):
+     TargetLinked.add_dependencies(self)
+ 
+--- subversion-1.12.0/Makefile.in.linking
++++ subversion-1.12.0/Makefile.in
+@@ -268,11 +268,14 @@
+ COMPILE_SVNXX = $(LT_COMPILE_CXX) $(SVNXX_INCLUDES) -o $@ -c
+ COMPILE_SVNXX_TEST = $(LT_COMPILE_CXX) $(SVNXX_INCLUDES) $(BOOST_TEST_CPPFLAGS) -o $@ -c
+ 
+-LINK = $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) $(LT_LDFLAGS) $(CFLAGS) $(LDFLAGS) -rpath $(libdir)
+-LINK_LIB = $(LINK) $(LT_SO_VERSION)
+-LINK_CXX = $(LIBTOOL) $(LTCXXFLAGS) --mode=link $(CXX) $(LT_LDFLAGS) $(CXXFLAGS) $(LDFLAGS) -rpath $(libdir)
+-LINK_CXX_LIB = $(LINK_CXX) $(LT_SO_VERSION)
+-LINK_SVNXX_TEST = $(LINK_CXX) $(BOOST_TEST_LDFLAGS)
++LINK = $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) $(LT_LDFLAGS) $(CFLAGS) $(LDFLAGS)
++LINK_LIB = $(LINK) $(LT_SO_VERSION) -rpath $(libdir)
++LINK_CXX = $(LIBTOOL) $(LTCXXFLAGS) --mode=link $(CXX) $(LT_LDFLAGS) $(CXXFLAGS) $(LDFLAGS)
++LINK_CXX_LIB = $(LINK_CXX) $(LT_SO_VERSION) -rpath $(libdir)
++LINK_SVNXX_TEST = $(LINK_CXX) $(BOOST_TEST_LDFLAGS) -no-install
++LINK_TEST = $(LINK) -no-install
++LINK_TEST_LIB = $(LINK_TEST) -avoid-version
++LINK_EXE = $(LINK)
+ 
+ # special link rule for mod_dav_svn
+ LINK_APACHE_MOD = $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) $(LT_LDFLAGS) $(CFLAGS) $(LDFLAGS) -rpath $(APACHE_LIBEXECDIR) -avoid-version -module $(APACHE_LDFLAGS) -shared

subversion-1.14.0-soversion.patch

@@ -0,0 +1,19 @@
+
+Use the minor version as the revision in the libtool version, so the library
+soversion is not always 0.0.0.  (Does not influence the soname)
+
+--- subversion-1.14.0/configure.ac.soversion
++++ subversion-1.14.0/configure.ac
+@@ -112,7 +112,11 @@
+   SVN_APR_MAJOR_VERSION=1
+ fi
+ AC_SUBST(SVN_APR_MAJOR_VERSION)
+-SVN_LT_SOVERSION="-version-info $svn_lib_ver"
++
++m4_define([svn_ver_minor], m4_bpatsubst(AC_PACKAGE_VERSION, [[0-9]*\.\([0-9]*\)\.[0-9]*], [\1]))
++
++SVN_LT_SOVERSION="-version-info $svn_lib_ver:svn_ver_minor"
++AC_MSG_NOTICE([SVN_LT_SOVERSION $SVN_LT_SOVERSION])
+ AC_SUBST(SVN_LT_SOVERSION)
+ AC_DEFINE_UNQUOTED(SVN_SOVERSION, $svn_lib_ver,
+                    [Subversion library major verson])

subversion-1.14.0-testwarn.patch

@@ -0,0 +1,14 @@
+
+Suppress gcc 10 warning.
+
+--- subversion-1.14.0/subversion/tests/svn_test.h.testwarn
++++ subversion-1.14.0/subversion/tests/svn_test.h
+@@ -128,7 +128,7 @@
+       return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,           \
+           "Strings not equal\n  Expected: '%s'\n  Found:    '%s'"   \
+           "\n  at %s:%d",                                           \
+-          tst_str2, tst_str1, __FILE__, __LINE__);                  \
++          tst_str2 ? tst_str2 : "(NULL)", tst_str1 ? tst_str1 : "(NULL)", __FILE__, __LINE__); \
+   } while(0)
+ 
+  /** Handy macro for testing integer equality.

subversion-1.14.1-CVE-2022-24070.patch

@@ -0,0 +1,41 @@
+--- subversion-1.14.1/subversion/libsvn_repos/authz.c
++++ subversion-1.14.1/subversion/libsvn_repos/authz.c
+@@ -130,6 +130,30 @@
+ static svn_object_pool__t *filtered_pool = NULL;
+ static svn_atomic_t authz_pool_initialized = FALSE;
+ 
++/*
++ * Ensure that we will initialize authz again if the pool which
++ * our authz caches depend on is cleared.
++ *
++ * HTTPD may run pre/post config hooks multiple times and clear
++ * its global configuration pool which our authz pools depend on.
++ * This happens in a non-threaded context during HTTPD's intialization
++ * and HTTPD's main loop, so it is safe to reset static variables here.
++ * (And any applications which cleared this pool while SVN threads
++ * were running would crash no matter what.)
++ *
++ * See issue #4880, "Use-after-free of object-pools in
++ * subversion/libsvn_repos/authz.c when used as httpd module"
++ */
++static apr_status_t
++deinit_authz(void *data)
++{
++  /* The two object pools run their own cleanup handlers. */
++  authz_pool = NULL;
++  filtered_pool = NULL;
++  authz_pool_initialized = FALSE;
++  return APR_SUCCESS;
++}
++
+ /* Implements svn_atomic__err_init_func_t. */
+ static svn_error_t *
+ synchronized_authz_initialize(void *baton, apr_pool_t *pool)
+@@ -143,6 +167,7 @@
+   SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
+   SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+ 
++  apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
+   return SVN_NO_ERROR;
+ }
+ 

subversion-1.14.1-fixjavatests.patch

@@ -0,0 +1,30 @@
+
+See upstream dev@subversion thread.  Fixes intermittent failure of
+javahl tests, particularly reproducible on aarch64.
+
+Message-ID: <11de5f5c-5059-b973-95a1-385e7913a63a@syntevo.com>
+From: Alexandr Miloslavskiy
+
+--- subversion-1.14.1/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java.fixjavatests
++++ subversion-1.14.1/subversion/bindings/javahl/tests/org/apache/subversion/javahl/BasicTests.java
+@@ -4676,7 +4676,19 @@
+             // RuntimeException("Test exception") is expected here
+         }
+ 
+-        tunnelAgent.joinAndTest();
++        // In this test, there is a race condition that sometimes results in
++        // IOException when 'WAIT_TUNNEL' tries to read from a pipe that
++        // already has its read end closed. This is not an error, but
++        // it's hard to distinguish this case from other IOException which
++        // indicate a problem. To reproduce, simply wrap this test's body in
++        // a loop. The workaround is to ignore any detected IOException.
++        //
++        // tunnelAgent.joinAndTest();
++        try {
++            tunnelAgent.join();
++        } catch (InterruptedException e) {
++            e.printStackTrace ();
++        }
+     }
+ 
+     /**

subversion-1.14.1-testnoautoprops.patch

@@ -0,0 +1,14 @@
+
+Fix intermittent failures when "svn add" guesses a near-empty file is binary and hence
+the output is different.
+
+--- subversion-1.14.1/subversion/tests/cmdline/svntest/main.py.testnoautoprops
++++ subversion-1.14.1/subversion/tests/cmdline/svntest/main.py
+@@ -691,6 +691,7 @@
+ 
+ [miscellany]
+ interactive-conflicts = false
++enable-auto-props = no
+ """
+     if exclusive_wc_locks:
+       config_contents += """

subversion.spec

@@ -37,7 +37,7 @@
 Summary: A Modern Concurrent Version Control System
 Name: subversion
 Version: 1.10.2
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: ASL 2.0
 Group: Development/Tools
 URL: https://subversion.apache.org/
@@ -56,6 +56,9 @@ Patch4: subversion-1.8.0-rubybind.patch
 Patch5: subversion-1.8.5-swigplWall.patch
 Patch6: subversion-1.10.2-CVE-2019-0203.patch
 Patch7: subversion-1.10.2-CVE-2018-11782.patch
+Patch8: subversion-1.10.2-CVE-2020-17525.patch
+Patch9: subversion-1.10.2-CVE-2022-24070.patch
+
 BuildRequires: autoconf, libtool, texinfo, which
 BuildRequires: swig >= 1.3.24, gettext
 %if %{with bdb}
@@ -224,6 +227,8 @@ This package includes supplementary tools for use with Subversion.
 %patch5 -p1 -b .swigplWall
 %patch6 -p1 -b .cve0203
 %patch7 -p1 -b .cve11782
+%patch8 -p1 -b .cve17525
+%patch9 -p1 -b .cve24070
 
 %build
 # Regenerate the buildsystem, so that:
@@ -546,6 +551,12 @@ make check-javahl
 %endif
 
 %changelog
+* Wed May 04 2022 Richard Lescak <rlescak@gmail.com> - 1.10.2-5
+- add security fix for CVE-2022-24070
+
+* Wed Feb 10 2021 Joe Orton <jorton@redhat.com> - 1.10.2-4
+- add security fix for CVE-2020-17525
+
 * Mon May 18 2020 Joe Orton <jorton@redhat.com> - 1.10.2-3
 - add security fix for CVE-2018-11782
 

upstream

@@ -0,0 +1 @@
+subversion-1.6.12.tar.bz2