fix CVE-2021-28544 CVE-2022-24070

2022-04-22 11:40:37 +08:00 · 2022-04-22 11:40:37 +08:00 · 14f077fe0e
commit 14f077fe0e
parent d7a900e793
3 changed files with 205 additions and 1 deletions
--- a/backport-CVE-2021-28544.patch
+++ b/backport-CVE-2021-28544.patch
@ -0,0 +1,138 @@
+Description: Subversion servers reveal 'copyfrom' paths that should be hidden
+ according to configured path-based authorization (authz) rules.  When a node
+ has been copied from a protected location, users with access to the copy can
+ see the 'copyfrom' path of the original.  This also reveals the fact that the
+ node was copied.  Only the 'copyfrom' path is revealed; not its contents. Both
+ httpd and svnserve servers are vulnerable.
+Author: Stefan Sperling <stsp@apache.org>
+Origin: upstream
+Last-Update: 2022-04-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/subversion/libsvn_repos/log.c
+++ b/subversion/libsvn_repos/log.c
+@@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access
+       if (   (change->change_kind == svn_fs_path_change_add)
+           || (change->change_kind == svn_fs_path_change_replace))
+         {
+-          const char *copyfrom_path = change->copyfrom_path;
+-          svn_revnum_t copyfrom_rev = change->copyfrom_rev;
+-
+           /* the following is a potentially expensive operation since on FSFS
+              we will follow the DAG from ROOT to PATH and that requires
+              actually reading the directories along the way. */
+           if (!change->copyfrom_known)
+             {
+-              SVN_ERR(svn_fs_copied_from(&copyfrom_rev, &copyfrom_path,
+              SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path,
+                                         root, path, iterpool));
+               change->copyfrom_known = TRUE;
+             }
+ 
+-          if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev))
+          if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev))
+             {
+-              svn_boolean_t readable = TRUE;
+-
+               if (callbacks->authz_read_func)
+                 {
+                   svn_fs_root_t *copyfrom_root;
+                  svn_boolean_t readable;
+ 
+                   SVN_ERR(svn_fs_revision_root(&copyfrom_root, fs,
+-                                               copyfrom_rev, iterpool));
+                                               change->copyfrom_rev, iterpool));
+                   SVN_ERR(callbacks->authz_read_func(&readable,
+                                                      copyfrom_root,
+-                                                     copyfrom_path,
+                                                     change->copyfrom_path,
+                                                      callbacks->authz_read_baton,
+                                                      iterpool));
+                   if (! readable)
+-                    found_unreadable = TRUE;
+-                }
+-
+-              if (readable)
+-                {
+-                  change->copyfrom_path = copyfrom_path;
+-                  change->copyfrom_rev = copyfrom_rev;
+                    {
+                      found_unreadable = TRUE;
+                      change->copyfrom_path = NULL;
+                      change->copyfrom_rev = SVN_INVALID_REVNUM;
+                    }
+                 }
+             }
+         }
+--- subversion-1.13.0.orig/subversion/tests/cmdline/authz_tests.py
+++ subversion-1.13.0/subversion/tests/cmdline/authz_tests.py
+@@ -1524,6 +1524,61 @@ def authz_del_from_subdir(sbox):
+                                       'rm', sbox.repo_url + '/A/mu',
+                                       '-m', '')
+ 
+# test for the bug also known as CVE-2021-28544
+@Skip(svntest.main.is_ra_type_file)
+def log_inaccessible_copyfrom(sbox):
+  "log doesn't leak inaccessible copyfrom paths"
+
+  sbox.build(empty=True)
+  sbox.simple_add_text('secret', 'private')
+  sbox.simple_commit(message='log message for r1')
+  sbox.simple_copy('private', 'public')
+  sbox.simple_commit(message='log message for r2')
+
+  svntest.actions.enable_revprop_changes(sbox.repo_dir)
+  # Remove svn:date and svn:author for predictable output.
+  svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
+                                     '-r2', 'svn:date', sbox.repo_url)
+  svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
+                                     '-r2', 'svn:author', sbox.repo_url)
+
+  write_restrictive_svnserve_conf(sbox.repo_dir)
+
+  # First test with blanket access.
+  write_authz_file(sbox,
+                   {"/" : "* = rw"})
+  expected_output = svntest.verify.ExpectedOutput([
+    "------------------------------------------------------------------------\n",
+    "r2 | (no author) | (no date) | 1 line\n",
+    "Changed paths:\n",
+    "   A /public (from /private:1)\n",
+    "\n",
+    "log message for r2\n",
+    "------------------------------------------------------------------------\n",
+  ])
+  svntest.actions.run_and_verify_svn(expected_output, [],
+                                     'log', '-r2', '-v',
+                                     sbox.repo_url)
+
+  # Now test with an inaccessible copy source (/private).
+  write_authz_file(sbox,
+                   {"/" : "* = rw"},
+                   {"/private" : "* ="})
+  expected_output = svntest.verify.ExpectedOutput([
+    "------------------------------------------------------------------------\n",
+    "r2 | (no author) | (no date) | 1 line\n",
+    "Changed paths:\n",
+    # The copy is shown as a plain add with no copyfrom info.
+    "   A /public\n",
+    "\n",
+    # No log message, as the revision is only partially visible.
+    "\n",
+    "------------------------------------------------------------------------\n",
+  ])
+  svntest.actions.run_and_verify_svn(expected_output, [],
+                                     'log', '-r2', '-v',
+                                     sbox.repo_url)
+
+ 
+ @SkipUnless(svntest.main.is_ra_type_dav) # dontdothat is dav only
+ def log_diff_dontdothat(sbox):
+@@ -1771,6 +1826,7 @@ test_list = [ None,
+               inverted_group_membership,
+               group_member_empty_string,
+               empty_group,
+              log_inaccessible_copyfrom,
+              ]
+ serial_only = True
+ 
--- a/backport-CVE-2022-24070.patch
+++ b/backport-CVE-2022-24070.patch
@ -0,0 +1,61 @@
+Description: Fix issue #4880 "Use-after-free of object-pools when used as httpd module"
+    Ensure that we initialize authz again if the pool which our authz
+    caches depend on is cleared. Apache HTTPD may run pre/post config
+    hooks multiple times and clear its global configuration pool which
+    our authz caching pools depend on.
+
+    Reported-by: Thomas Weißschuh (thomas {at} t-8ch dot de)
+
+    Thomas has also confirmed that this patch fixes the problem.
+
+    * subversion/libsvn_repos/authz.c
+      (deinit_authz): New pool cleanup handler which resets authz initialization
+       in case the parent pool of our authz caches is cleared.
+      (synchronized_authz_initialize): Register new pool cleanup handler.
+Author: Stefan Sperling <stsp@apache.org>
+Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1894734
+Bug: https://issues.apache.org/jira/browse/SVN-4880
+Last-Update: 2022-04-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/subversion/libsvn_repos/authz.c
+++ b/subversion/libsvn_repos/authz.c
+@@ -130,6 +130,30 @@
+ static svn_object_pool__t *filtered_pool = NULL;
+ static svn_atomic_t authz_pool_initialized = FALSE;
+
+/*
+ * Ensure that we will initialize authz again if the pool which
+ * our authz caches depend on is cleared.
+ *
+ * HTTPD may run pre/post config hooks multiple times and clear
+ * its global configuration pool which our authz pools depend on.
+ * This happens in a non-threaded context during HTTPD's intialization
+ * and HTTPD's main loop, so it is safe to reset static variables here.
+ * (And any applications which cleared this pool while SVN threads
+ * were running would crash no matter what.)
+ *
+ * See issue #4880, "Use-after-free of object-pools in
+ * subversion/libsvn_repos/authz.c when used as httpd module"
+ */
+static apr_status_t
+deinit_authz(void *data)
+{
+  /* The two object pools run their own cleanup handlers. */
+  authz_pool = NULL;
+  filtered_pool = NULL;
+  authz_pool_initialized = FALSE;
+  return APR_SUCCESS;
+}
+
+ /* Implements svn_atomic__err_init_func_t. */
+ static svn_error_t *
+ synchronized_authz_initialize(void *baton, apr_pool_t *pool)
+@@ -143,6 +167,7 @@
+   SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
+   SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+
+  apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
+   return SVN_NO_ERROR;
+ }
+
--- a/subversion.spec
+++ b/subversion.spec
@ -10,7 +10,7 @@
 Summary: Subversion, a version control system.
 Name: subversion
 Version: 1.14.1
-Release: 1
+Release: 2
 License: ASL 2.0
 URL: https://subversion.apache.org/

@ -21,6 +21,8 @@ Patch1: subversion-1.14.0-testwarn.patch
 Patch2: subversion-1.14.0-soversion.patch
 Patch3: subversion-1.8.0-rubybind.patch
 Patch4: subversion-1.8.5-swigplWall.patch
+Patch5: backport-CVE-2021-28544.patch
+Patch6: backport-CVE-2022-24070.patch

 BuildRequires: autoconf libtool texinfo which swig gettext apr-devel apr-util-devel libserf-devel cyrus-sasl-devel sqlite-devel file-devel utf8proc-devel lz4-devel apr-util-openssl dbus-devel, libsecret-devel httpd-devel 
 Requires: httpd
@ -316,6 +318,9 @@ make check-javahl
 %endif

 %changelog
+* Fri Apr 22 2022 panxiaohe<panxh.life@foxmail.com> - 1.14.1-2
+- fix CVE-2021-28544 CVE-2022-24070
+
 * Tue Dec 28 2021 fuanan <fuanan3@huawei.com> - 1.14.1-1
 - Type:enhancement
 - ID:NA