Debian Bug report logs - #664451
apr: [PATCH] apr_file_trunc() bug causes svn repository corruption
Reported by: Blair Zajac <blair@orcaware.com>
Date: Sat, 17 Mar 2012 20:18:01 UTC
Severity: important
Tags: sid, squeeze, upstream, wheezy
Found in version 1.4.2-6
Fixed in versions apr/1.4.6-1, apr/1.4.2-6+squeeze4
Done: Stefan Fritsch <sf@debian.org>
Bug is archived. No further changes may be made.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#664451; Package apr.
(Sat, 17 Mar 2012 20:18:04 GMT)
Acknowledgement sent
to Blair Zajac <blair@orcaware.com>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.
(Sat, 17 Mar 2012 20:18:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: apr
Severity: important
Tags: upstream squeeze wheezy sid
Dear Maintainer,
All APR releases before 1.4.6 have a bug in apr_file_trunc() that can
result in files being longer than they should be:
http://svn.apache.org/repos/asf/apr/apr/branches/1.4.x/CHANGES
This can cause corruption in Subversion fsfs repositories. The next
release of svn 1.6.x and the 1.7.3 release work around this issue by
flushing the APR file buffer before truncating it:
http://svn.apache.org/viewvc?view=revision&revision=1240892
For Debian versions on 1.4.x, updating to 1.4.6 is probably easiest.
For older releases, one could take these two commits from apr's trunk
and apply them to the 1.x.y branch. I haven't done this myself, but my
hunch says it should work without much effort:
http://svn.apache.org/viewvc?view=revision&revision=1044432
http://svn.apache.org/viewvc?view=revision&revision=1044440
Regards,
Blair
-- System Information:
Debian Release: wheezy/sid
APT prefers oneiric-updates
APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric'), (100, 'oneiric-backports')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-16-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
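The failure mode the report describes (truncating a buffered file leaves it longer than intended, and flushing the buffer before the truncate avoids it) as an added illustration in C. This is not code from the bug report, from APR or from Subversion: it is a small hand-written buffered writer over POSIX calls that stands in for a buffered apr_file_t, and it models only the symptom and the caller-side workaround, not APR's internal implementation. The names bfile, bf_write, bf_flush, bf_trunc_forgetting_buffer and run_scenario, the 8-byte payload, the truncate length of 4 and the scratch file under /tmp are all constructed for the example.

```c
/* Added illustration (not APR code): a toy buffered writer whose truncate
 * forgets the write buffer, reproducing "file longer than it should be",
 * plus the caller-side workaround of flushing before truncating. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define BF_BUFSZ 64

/* Hypothetical buffered file handle (stands in for a buffered apr_file_t). */
typedef struct {
    int    fd;
    char   buf[BF_BUFSZ];
    size_t buflen;  /* bytes waiting in buf, not yet in the file */
    off_t  bufpos;  /* file offset that buf[0] belongs at */
    off_t  pos;     /* logical write position seen by the caller */
} bfile;

/* Write pending bytes at the offset they were buffered for. */
static int bf_flush(bfile *f)
{
    size_t done = 0;
    while (done < f->buflen) {
        ssize_t n = pwrite(f->fd, f->buf + done, f->buflen - done,
                           f->bufpos + done);
        if (n < 0)
            return -1;
        done += (size_t)n;
    }
    f->buflen = 0;
    f->bufpos = f->pos;
    return 0;
}

/* Buffer a write; flush first if it would not fit (len must be <= BF_BUFSZ). */
static int bf_write(bfile *f, const char *data, size_t len)
{
    if (len > BF_BUFSZ)
        return -1;
    if (f->buflen + len > BF_BUFSZ && bf_flush(f) != 0)
        return -1;
    if (f->buflen == 0)
        f->bufpos = f->pos;
    memcpy(f->buf + f->buflen, data, len);
    f->buflen += len;
    f->pos += len;
    return 0;
}

/* The defect being modelled: truncate the descriptor but leave the buffer
 * alone, so a later flush writes the stale bytes back past the new end. */
static int bf_trunc_forgetting_buffer(bfile *f, off_t len)
{
    if (ftruncate(f->fd, len) != 0)
        return -1;
    f->pos = len;
    return 0;
}

/* Write 8 bytes, truncate to 4, then flush as a close would; returns the
 * resulting file size. flush_first mirrors the svn workaround of flushing
 * before the truncate. Expected: 8 without the flush, 4 with it. */
static off_t run_scenario(int flush_first)
{
    char path[] = "/tmp/bf_trunc_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                            /* keep only the descriptor */

    bfile f = { .fd = fd, .buflen = 0, .bufpos = 0, .pos = 0 };
    off_t size = -1;
    struct stat st;

    if (bf_write(&f, "ABCDEFGH", 8) == 0 &&
        (!flush_first || bf_flush(&f) == 0) &&
        bf_trunc_forgetting_buffer(&f, 4) == 0 &&
        bf_flush(&f) == 0 &&
        fstat(fd, &st) == 0)
        size = st.st_size;

    close(fd);
    return size;
}

int main(void)
{
    printf("truncate without flush: %lld bytes\n", (long long)run_scenario(0));
    printf("flush, then truncate:   %lld bytes\n", (long long)run_scenario(1));
    return 0;
}
```

Without the flush, the truncate shortens an empty file to 4 bytes and the deferred flush then rewrites all 8 buffered bytes at their original offset, so the file ends at 8 bytes rather than 4. With the flush first, the data is on disk before the truncate and only 4 bytes survive. The library-side fix is the same idea moved inside the truncate routine (flush or discard the pending buffer before calling ftruncate), which is why the report recommends updating APR rather than relying on every caller to flush.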
Reply sent
to Stefan Fritsch <sf@debian.org>:
You have taken responsibility.
(Sun, 18 Mar 2012 22:51:09 GMT)
Notification sent
to Blair Zajac <blair@orcaware.com>:
Bug acknowledged by developer.
(Sun, 18 Mar 2012 22:51:09 GMT)
Message #10 received at 664451-close@bugs.debian.org:
Source: apr
Source-Version: 1.4.6-1
We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:
apr_1.4.6-1.diff.gz
to main/a/apr/apr_1.4.6-1.diff.gz
apr_1.4.6-1.dsc
to main/a/apr/apr_1.4.6-1.dsc
apr_1.4.6.orig.tar.gz
to main/a/apr/apr_1.4.6.orig.tar.gz
libapr1-dbg_1.4.6-1_i386.deb
to main/a/apr/libapr1-dbg_1.4.6-1_i386.deb
libapr1-dev_1.4.6-1_i386.deb
to main/a/apr/libapr1-dev_1.4.6-1_i386.deb
libapr1_1.4.6-1_i386.deb
to main/a/apr/libapr1_1.4.6-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 664451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 18 Mar 2012 23:22:59 +0100
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
libapr1 - Apache Portable Runtime Library
libapr1-dbg - Apache Portable Runtime Library - Debugging Symbols
libapr1-dev - Apache Portable Runtime Library - Development Headers
Closes: 655435 664451
Changes:
apr (1.4.6-1) unstable; urgency=low
.
* New upstream release:
- Fixes apr_file_trunc() bug which could lead to subversion repository
corruption. Closes: #664451
- Adds randomization to hashes. CVE-2012-0840 (but not known to be
exploitable in httpd or svn). Closes: #655435
* Remove Tollef Fog Heen and Ryan Niebur from uploaders. Thanks for your
work in the past.
Checksums-Sha1:
b9928b4bf42c086c493f2716eb3bbee512c8dbfd 1393 apr_1.4.6-1.dsc
3f5e3f1f67cb4fe0cc46e8c3740105c35a020308 982243 apr_1.4.6.orig.tar.gz
8ac6b5b63d6ee129427e171018288d9404cf5fbe 18361 apr_1.4.6-1.diff.gz
b4ab54104de784f4535896f4a5684962a083edc5 100438 libapr1_1.4.6-1_i386.deb
0ef38f9a20eb0e34f79a120ea4b3f4468e5a56ad 1079792 libapr1-dev_1.4.6-1_i386.deb
1bd7241f48aaf8e9d7a1d3f93fdb869c6cd936e6 26806 libapr1-dbg_1.4.6-1_i386.deb
Checksums-Sha256:
4235d71d3392b302f01a0224a66bc48495d026213931f99fdb6b0b4906ba8139 1393 apr_1.4.6-1.dsc
538d593d805c36985fc6d200d31bf6c1b5f90df2a50b917902743a13bbc10e05 982243 apr_1.4.6.orig.tar.gz
6213af2c7d20fbf06abda072ff971ceb1552f8df98cdebfd15092940bb374b80 18361 apr_1.4.6-1.diff.gz
e7325570bf68f9b19339764665b5b25ab57093081e921eb535eb9426bb0ca249 100438 libapr1_1.4.6-1_i386.deb
d55c2de5eb37a1841eb571b80d53303f76d2aece99ed71b71cdd8d1dfc2909c0 1079792 libapr1-dev_1.4.6-1_i386.deb
10b37587ab7f622af7908397d2bc4721ae5969d7c77d5545825184beb05f220c 26806 libapr1-dbg_1.4.6-1_i386.deb
Files:
e33bc203b92f70a3a1d602bb55c11a72 1393 libs optional apr_1.4.6-1.dsc
76cc4457fbb71eefdafa27dba8f511fb 982243 libs optional apr_1.4.6.orig.tar.gz
25c7c257da84c4818b25c6070f0217d2 18361 libs optional apr_1.4.6-1.diff.gz
1997bf270ebfbc2c3aabdb3bd50dbfb3 100438 libs optional libapr1_1.4.6-1_i386.deb
dfd2943bb504c726e66690d7555b5745 1079792 libdevel optional libapr1-dev_1.4.6-1_i386.deb
6f564e89905c45af90d6cc25115e74c1 26806 debug extra libapr1-dbg_1.4.6-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFPZmJBbxelr8HyTqQRAln+AKDcy+SlDEma8uMTOzwj2zrNeHOsFACgncq5
j42gCph2+cX+2OXy12z+wXs=
=PZvw
-----END PGP SIGNATURE-----
Marked as found in versions 1.4.2-6.
Request was from Adam D. Barratt <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sun, 01 Apr 2012 15:33:05 GMT)
Reply sent
to Stefan Fritsch <sf@debian.org>:
You have taken responsibility.
(Sun, 01 Apr 2012 21:24:13 GMT)
Notification sent
to Blair Zajac <blair@orcaware.com>:
Bug acknowledged by developer.
(Sun, 01 Apr 2012 21:24:14 GMT)
Message #17 received at 664451-close@bugs.debian.org:
Source: apr
Source-Version: 1.4.2-6+squeeze4
We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:
apr_1.4.2-6+squeeze4.diff.gz
to main/a/apr/apr_1.4.2-6+squeeze4.diff.gz
apr_1.4.2-6+squeeze4.dsc
to main/a/apr/apr_1.4.2-6+squeeze4.dsc
libapr1-dbg_1.4.2-6+squeeze4_i386.deb
to main/a/apr/libapr1-dbg_1.4.2-6+squeeze4_i386.deb
libapr1-dev_1.4.2-6+squeeze4_i386.deb
to main/a/apr/libapr1-dev_1.4.2-6+squeeze4_i386.deb
libapr1_1.4.2-6+squeeze4_i386.deb
to main/a/apr/libapr1_1.4.2-6+squeeze4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 664451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 01 Apr 2012 00:50:32 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.2-6+squeeze4
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
libapr1 - The Apache Portable Runtime Library
libapr1-dbg - The Apache Portable Runtime Library - Debugging Symbols
libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 664451
Changes:
apr (1.4.2-6+squeeze4) stable; urgency=low
.
* Fix apr_file_trunc() bug which could lead to subversion repository
corruption in some rare cases. Closes: #664451
Checksums-Sha1:
2a1e3821b1bfa91e6700e12c9400f2b17493e38b 1396 apr_1.4.2-6+squeeze4.dsc
11a5f31e5dfd23cf5ff2a169f6dae128e0ebb634 27671 apr_1.4.2-6+squeeze4.diff.gz
d7685b2f55062018f6038470ea6ea51e42bd499a 86278 libapr1_1.4.2-6+squeeze4_i386.deb
99d999d5832274fa232b62b8e622200770b7804f 1029402 libapr1-dev_1.4.2-6+squeeze4_i386.deb
4e60e20a7a2fb8a48085ad27689a82c233f6b46e 24112 libapr1-dbg_1.4.2-6+squeeze4_i386.deb
Checksums-Sha256:
93a8f4e936e338b3a411067d8f7c6e16adab05742ebcb40eb1f7b6c0eef28f53 1396 apr_1.4.2-6+squeeze4.dsc
b1acaf9d620ceae7bdf356e91255312096b3e2355ba87b53e371e726cd4c921a 27671 apr_1.4.2-6+squeeze4.diff.gz
10fa9fce72679b1abb3337c7a4ca16b0291026716266b80c82f2fbd97ed59966 86278 libapr1_1.4.2-6+squeeze4_i386.deb
203d43048e03b9b9e591c907f304a2220144fc72452e4d0270eeab9a0725ecaa 1029402 libapr1-dev_1.4.2-6+squeeze4_i386.deb
ed25447cd556cc0cbd10e2c7138cba8ceae57d7252c440309e5eea2bee5de5e9 24112 libapr1-dbg_1.4.2-6+squeeze4_i386.deb
Files:
bb91a457499f6b2bb6a7343673890491 1396 libs optional apr_1.4.2-6+squeeze4.dsc
827a322a28a57f40dc90c411026ac315 27671 libs optional apr_1.4.2-6+squeeze4.diff.gz
718106f18ec7c016c6372d839946b439 86278 libs optional libapr1_1.4.2-6+squeeze4_i386.deb
bc6c11e9061f3ef2b770224898ed7842 1029402 libdevel optional libapr1-dev_1.4.2-6+squeeze4_i386.deb
92acb1411319d8e8c656601bfd20e685 24112 debug extra libapr1-dbg_1.4.2-6+squeeze4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFPd4vBbxelr8HyTqQRApCmAJoCsuy1IMaiE+mBsVnSmk9igWRwQgCfUkfH
HeIEfopPczffx/ROkIdHBtE=
=3Wrb
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 13 May 2012 07:43:16 GMT)
Last modified: Sat Jul 1 22:41:56 2023