
[Monotone-commits-diffs] org.debian.monotone: fbfd33230edd751a48e33774db


From: code
Subject: [Monotone-commits-diffs] org.debian.monotone: fbfd33230edd751a48e33774dbfb4af434eb0910
Date: Mon, 11 Mar 2013 21:54:57 +0100 (CET)

revision:            fbfd33230edd751a48e33774dbfb4af434eb0910
tag:                 debian-monotone-0.48-3
date:                2010-10-30T13:01:44
author:              Francis Russell <address@hidden>
branch:              org.debian.monotone
changelog:
Add patch to fix empty command-string related issues that can be exploited to
cause a server crash.

manifest:
format_version "1"

new_manifest [639e39f16ca9eb0a980f5adaeaf04df0c2304eb8]

old_revision [099f6964b66ded8018ca38fe94a4ec329bdf755d]

add_file "patches/20-empty-command.diff"
 content [57f26a70ddcacfd5ce05c7a5dc5954ce5d75838e]

patch "changelog"
 from [64a80024bab09b4af798468c19f7ce94c30da9fb]
   to [31468979b9efb1f5b8941a6a116cd03fb46b4c03]

patch "patches/series"
 from [010e54b02a946755c6c68e9a6e9fe9d1c0605648]
   to [faa1e22ee9c7d7b87ac41adf27f45caed6701634]
============================================================
--- changelog	64a80024bab09b4af798468c19f7ce94c30da9fb
+++ changelog	31468979b9efb1f5b8941a6a116cd03fb46b4c03
@@ -1,11 +1,11 @@ monotone (0.48-3) unstable; urgency=high
 monotone (0.48-3) unstable; urgency=high
 
   * Add debian/source/format file as it may become mandatory.
-  * debian/patches/10-sqlite_3.7.3_empty_blob.diff: new.  Backport
-    upstream fix for change in SQLite empty blob behaviour.   Closes: #601700.
-  * debian/patches/????????.diff: new.  Backport upstream security fix
-    to prevent crashing of servers with remote command execution enabled.
-    Closes: #??????.
+  * debian/patches/10-sqlite_3.7.3_empty_blob.diff: new. Backport
+    upstream fix for change in SQLite empty blob behaviour (closes: #601700).
+  * debian/patches/20-empty-command.diff: new. Backport upstream security fix
+    to prevent crashing of servers with remote command execution enabled
+    (closes: #601850).
 
  -- Francis Russell <address@hidden>  Thu, 28 Oct 2010 22:59:20 +0200
 
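Review bot: The upload is marked urgency=high, but the new 20-empty-command.diff entry describes the issue only as "crashing of servers"; state in the entry that an empty command string from a client is the trigger, as the patch Description does, so the impact is clear from the changelog alone. The rewrite of the existing 10-sqlite entry (spacing after "new." and "Closes:" moved into parentheses) is punctuation churn unrelated to the security fix and would be easier to review as a separate change.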
============================================================
--- /dev/null	
+++ patches/20-empty-command.diff	57f26a70ddcacfd5ce05c7a5dc5954ce5d75838e
@@ -0,0 +1,45 @@
+Description: Prevent remote crashing of certain montone server configurations
+  Monotone versions 0.46, 0.47 and 0.48 are affected by a bug whereby a client
+  sending an empty command string to the server can cause it to terminate if
+  remote command execution is enabled. This was fixed in 0.48.1.
+Bug-Debian: http://bugs.debian.org/601850
+Origin: upstream, commit: 2cc01e1baf1032ccf40053bd9910b12d7b87cce6, 
+  commit: c6d7e5ab7f497d2cbef5f91e6880028a67d1f8e2
+Index: monotone-0.48/commands.cc
+===================================================================
+--- monotone-0.48.orig/commands.cc	2010-10-30 12:00:32.906613057 +0100
++++ monotone-0.48/commands.cc	2010-10-30 12:00:33.168601416 +0100
+@@ -302,8 +302,6 @@
+   {
+     map< command_id, command * > matches;
+ 
+-    I(!prefix().empty());
+-
+     for (children_set::const_iterator iter = children().begin();
+          iter != children().end(); iter++)
+       {
+@@ -426,8 +424,10 @@
+   complete_command(args_vector const & args)
+   {
+     // Handle categories early; no completion allowed.
+-    if (CMD_REF(__root__)->find_command(make_command_id(args[0]())) != NULL)
+-      return make_command_id(args[0]());
++    command_id first_cmd_part = make_command_id(args[0]());
++    if (!first_cmd_part.empty() &&
++         CMD_REF(__root__)->find_command(first_cmd_part) != NULL)
++      return first_cmd_part;
+ 
+     command_id id;
+     for (args_vector::const_iterator iter = args.begin();
+Index: monotone-0.48/tests/empty_command_name/__driver__.lua
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ monotone-0.48/tests/empty_command_name/__driver__.lua	2010-10-30 12:00:33.169601371 +0100
+@@ -0,0 +1,7 @@
++mtn_setup()
++
++check(mtn(''), 1, false, true)
++check(qgrep("is ambiguous", "stderr"))
++
++check(mtn('ls', ''), 1, false, true)
++check(qgrep("is ambiguous", "stderr"))
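Review bot: The added test in tests/empty_command_name/__driver__.lua only runs mtn('') and mtn('ls', '') locally, while the Description says the crash is triggered by a client sending an empty command string to a server with remote command execution enabled; add a test that drives that server path so the regression this patch exists for is actually covered. In the complete_command hunk, args[0] is still dereferenced before anything visible here checks that args is non-empty, so confirm the caller guarantees at least one argument or add that check next to the new first_cmd_part.empty() test. Dropping I(!prefix().empty()) in the first commands.cc hunk means an empty prefix now reaches the loop over children(); a short comment there saying that an empty prefix is expected to end in the "is ambiguous" error would document why the invariant was removed. The Description line also misspells monotone as "montone".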
============================================================
--- patches/series	010e54b02a946755c6c68e9a6e9fe9d1c0605648
+++ patches/series	faa1e22ee9c7d7b87ac41adf27f45caed6701634
@@ -1,3 +1,4 @@ 10-sqlite_3.7.3_empty_blob.diff
 00-fail_cleanly_on_unreadable_db.diff
 10-sqlite_3.7.3_empty_blob.diff
+20-empty-command.diff
 90-stacktrace-on-crash.diff
