The first patch below updates the -current port to 1.6.16. The second patch updates the 4.8-stable port. Both fix CVE-2011-0715.
Please test/ok.

Release announcement for 1.6.16:
http://svn.haxx.se/users/archive-2011-03/0019.shtml

Changelog:

Version 1.6.16
(02 Mar 2011, from /branches/1.6.x)
http://svn.apache.org/repos/asf/subversion/tags/1.6.16

User-visible changes:
* more improvement to the 'blame -g' memory leak from 1.6.15 (r1041438)
* avoid a crash in mod_dav_svn when using locks (r1071239, -307)
  See CVE-2011-0715, and descriptive advisory at
  http://subversion.apache.org/security/CVE-2011-0715-advisory.txt
* avoid unnecessary globbing for performance (r1068988)
* don't add tree conflicts when one already exists (issue #3486)
* fix potential crash when requesting mergeinfo (r902467)
* don't attempt to resolve prop conflicts in 'merge --dry-run' (r880146)
* more fixes for issue #3270.

Developer-visible changes:
* ensure report_info_t is properly initialized by ra_serf (r1058722)
* locate errors properly on a malfunction (r1053208)
* fix output param timing of svn_fs_commit_txn() on fsfs (r1051751)
* for svn_fs_commit_txn(), set invalid rev on failed commit (r1051632, -8)
* fix sporadic Ruby bindings test failures (r1038792)
* fix JavaHL JVM object leak when dumping large revisions (r947006)
* use Perl to resolve symlinks when building swig-pl (r1039040)
* allow Perl bindings to build within a symlinked working copy (r1036534)
* don't overwrite the LD_LIBRARY_PATH during make check-swig-pl (r946355)
* improve unit tests for some fs functions (r1051744, -5, -3185, -241)

= Patch for current = Index: Makefile =================================================================== RCS file: /cvs/ports/devel/subversion/Makefile,v retrieving revision 1.87 diff -u -p -r1.87 Makefile --- Makefile 15 Jan 2011 01:09:43 -0000 1.87 +++ Makefile 23 Feb 2011 19:24:21 -0000 
@@ -6,7 +6,7 @@ COMMENT-python= python interface to sub COMMENT-ruby= ruby interface to subversion COMMENT-ap2= apache2 subversion modules -VERSION= 1.6.15 +VERSION= 1.6.16 DISTNAME= subversion-${VERSION} PKGNAME-main= ${DISTNAME} FULLPKGNAME-perl= p5-SVN-${VERSION} @@ -17,8 +17,6 @@ FULLPKGNAME-ruby= ruby-subversion-${VERS FULLPKGPATH-ruby= devel/subversion,-ruby FULLPKGNAME-ap2= ap2-subversion-${VERSION} FULLPKGPATH-ap2= devel/subversion,-ap2 -REVISION-main= 0 -REVISION-ruby= 0 SO_VERSION= 1.2 SVN_LIBS= svn_client-1 svn_delta-1 svn_diff-1 svn_fs-1 \ Index: distinfo =================================================================== RCS file: /cvs/ports/devel/subversion/distinfo,v retrieving revision 1.26 diff -u -p -r1.26 distinfo --- distinfo 25 Nov 2010 11:43:28 -0000 1.26 +++ distinfo 23 Feb 2011 19:24:31 -0000 @@ -1,5 +1,5 @@ -MD5 (subversion-1.6.15.tar.bz2) = ET/KHZ5Ko4nX3CshABD6aQ== -RMD160 (subversion-1.6.15.tar.bz2) = 0aG7h3AK9iSyHYTS8forvN85F+s= -SHA1 (subversion-1.6.15.tar.bz2) = tvrflEqUuG+Ynwe8LXgb5B3wF78= -SHA256 (subversion-1.6.15.tar.bz2) = spGdYDpfPBn0LjJlxLkw4jdsQ7OWm5DvnEKy9y1aqkU= -SIZE (subversion-1.6.15.tar.bz2) = 5515056 +MD5 (subversion-1.6.16.tar.bz2) = MvJaZyRVn+hpHR9Xpj9jbg== +RMD160 (subversion-1.6.16.tar.bz2) = 8S1+sxNySGKQ4IFD7Br9oCl2fTQ= +SHA1 (subversion-1.6.16.tar.bz2) = waBQvYrSRE62cpuKf0UZYHEa8t8= +SHA256 (subversion-1.6.16.tar.bz2) = 3OSJfWLQ3CmrA4NO0dZu3pXAdwLjKgBC+WwkxvEhM4Y= +SIZE (subversion-1.6.16.tar.bz2) = 5509729 = Patch for 4.8-stable = Index: Makefile =================================================================== RCS file: /cvs/ports/devel/subversion/Makefile,v retrieving revision 1.74.2.1 diff -u -p -r1.74.2.1 Makefile --- Makefile 1 Dec 2010 14:17:34 -0000 1.74.2.1 +++ Makefile 24 Feb 2011 11:42:28 -0000 
@@ -9,7 +9,7 @@ COMMENT-ap2= apache2 subversion modules VERSION= 1.6.12 DISTNAME= subversion-${VERSION} PKGNAME-main= ${DISTNAME} -REVISION-main= 1 +REVISION-main= 2 FULLPKGNAME-perl= p5-SVN-${VERSION} FULLPKGPATH-perl= devel/subversion,-perl FULLPKGNAME-python= py-subversion-${VERSION} Index: patches/patch-subversion_mod_dav_svn_repos_c =================================================================== RCS file: /cvs/ports/devel/subversion/patches/Attic/patch-subversion_mod_dav_svn_repos_c,v retrieving revision 1.1.2.1 diff -u -p -r1.1.2.1 patch-subversion_mod_dav_svn_repos_c --- patches/patch-subversion_mod_dav_svn_repos_c 1 Dec 2010 14:17:35 -0000 1.1.2.1 +++ patches/patch-subversion_mod_dav_svn_repos_c 24 Feb 2011 11:58:05 -0000 
@@ -1,18 +1,32 @@ $OpenBSD: patch-subversion_mod_dav_svn_repos_c,v 1.1.2.1 2010/12/01 14:17:35 jasper Exp $ Fix NULL-deref in mod_dav_svn. http://svn.apache.org/viewvc?view=revision&revision=1033265 + +Also: http://subversion.apache.org/security/CVE-2011-0715-advisory.txt --- subversion/mod_dav_svn/repos.c.orig Wed Oct 14 20:05:15 2009 -+++ subversion/mod_dav_svn/repos.c Wed Nov 24 18:01:58 2010 -@@ -3781,6 +3781,12 @@ walk(const dav_walk_params *params, int depth, dav_res ++++ subversion/mod_dav_svn/repos.c Thu Feb 24 12:55:58 2011 +@@ -1923,8 +1923,10 @@ get_resource(request_rec *r, + dav_locktoken_list *list = ltl; + + serr = svn_fs_get_access(&access_ctx, repos->fs); +- if (serr) ++ if (serr || !access_ctx) + { ++ if (serr == NULL) ++ serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); + return dav_svn__sanitize_error(serr, "Lock token is in request, " + "but no user name", + HTTP_BAD_REQUEST, r); +@@ -3780,6 +3782,12 @@ walk(const dav_walk_params *params, int depth, dav_res + walker_ctx_t ctx = { 0 }; dav_error *err; - ++ + if (params->root->info->restype == DAV_SVN_RESTYPE_PARENTPATH_COLLECTION) + { + /* Cannot walk an SVNParentPath collection, there is no repository. */ + return NULL; + } -+ + ctx.params = params; - ctx.wres.walk_ctx = params->walk_ctx; Index: patches/patch-subversion_mod_dav_svn_version_c =================================================================== RCS file: patches/patch-subversion_mod_dav_svn_version_c diff -N patches/patch-subversion_mod_dav_svn_version_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-subversion_mod_dav_svn_version_c 24 Feb 2011 11:57:38 -0000 
@@ -0,0 +1,19 @@ +$OpenBSD$ +http://subversion.apache.org/security/CVE-2011-0715-advisory.txt +--- subversion/mod_dav_svn/version.c.orig Mon Nov 3 04:15:17 2008 ++++ subversion/mod_dav_svn/version.c Thu Feb 24 12:56:10 2011 +@@ -1172,11 +1172,13 @@ dav_svn__push_locks(dav_resource *resource, + svn_error_t *serr; + + serr = svn_fs_get_access(&fsaccess, resource->info->repos->fs); +- if (serr) ++ if (serr || !fsaccess) + { + /* If an authenticated user name was attached to the request, + then dav_svn_get_resource() should have already noticed and + created an fs_access_t in the filesystem. */ ++ if (serr == NULL) ++ serr = svn_error_create(SVN_ERR_FS_LOCK_OWNER_MISMATCH, NULL, NULL); + return dav_svn__sanitize_error(serr, "Lock token(s) in request, but " + "missing an user name", HTTP_BAD_REQUEST, + resource->info->r);
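
Review bot: The checksums in the distinfo hunk of the -current patch should be re-verified against the released tarball. The diff is timestamped 23 Feb 2011, while the changelog quoted above dates 1.6.16 to 02 Mar 2011, so the values were taken from a tarball that predates the announced release. Before commit, fetch subversion-1.6.16.tar.bz2 from the location given in the release announcement, re-run `make makesum`, and confirm that SHA256 and SIZE (5509729) come out unchanged.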
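
Review bot: The -ap2 subpackage probably needs a revision bump as well in the 4.8-stable Makefile hunk, which only changes `REVISION-main= 1` to `REVISION-main= 2`. Both patched files are under subversion/mod_dav_svn, and the context line `COMMENT-ap2= apache2 subversion modules` indicates that this code ships in -ap2 rather than -main. Check whether a REVISION-ap2 exists outside the visible context and bump it (or add one), otherwise an installed ap2-subversion package may not be seen as outdated and the CVE-2011-0715 fix may not reach it on update.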
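
Review bot: The header of patches/patch-subversion_mod_dav_svn_repos_c no longer tells the two fixes in the file apart. The description still reads only "Fix NULL-deref in mod_dav_svn." with the r1033265 link, and the new get_resource() hunk is covered by a bare "Also:" URL. Suggest naming CVE-2011-0715 in the text, stating that the get_resource() hunk is that fix and the walk() hunk is the earlier one, and citing the upstream revisions from the changelog (r1071239, -307) so the backport can be checked against upstream later.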
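
Review bot: The `if (serr || !fsaccess)` test added in patches/patch-subversion_mod_dav_svn_version_c is only sound if svn_fs_get_access() always stores a value (NULL when no user is attached) into `fsaccess` on the success path, and the declaration of `fsaccess` is outside the hunk context. Since this is a backport onto `VERSION= 1.6.12` rather than the 1.6.16 tree the fix was written for, confirm in the 1.6.12 sources that `fsaccess` cannot be left uninitialized here. The same check applies to `access_ctx` in the get_resource() hunk of the repos.c patch.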