apr: update to 1.4.6 to fix svn fsfs repository corruption

Bug #957727 reported by Blair Zajac
Affects        Status        Importance  Assigned to  Milestone
APR            New           Undecided   Unassigned
apr (Ubuntu)   Fix Released  Medium      Unassigned
  Lucid        Won't Fix     Undecided   Unassigned
  Maverick     Won't Fix     Undecided   Unassigned
  Natty        Won't Fix     Undecided   Unassigned
  Oneiric      Won't Fix     Undecided   Unassigned
  Precise      Fix Released  Medium      Unassigned

Bug Description

APR releases before 1.4.6 have a faulty truncate() implementation that can cause svn fsfs repository corruption. The next release of svn 1.6.x has a workaround for the issue, see:

http://svn.apache.org/viewvc?view=revision&revision=1240892

But since svn added the workaround, APR released 1.4.6 which has the fix in it:

http://www.apache.org/dist/apr/CHANGES-APR-1.4

So updating to 1.4.6 will resolve any corruption issues in svn (due to this issue).

Thanks,
Blair (svn committer)

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libapr1 1.4.5-1.1ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-18.29-generic 3.2.9
Uname: Linux 3.2.0-18-generic x86_64
ApportVersion: 1.94.1-0ubuntu2
Architecture: amd64
Date: Sat Mar 17 00:13:46 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha amd64 (20120122)
ProcEnviron:
 SHELL=/bin/bash
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
SourcePackage: apr
UpgradeStatus: No upgrade log present (probably fresh install)

Blair Zajac (blair) wrote :

Also affects oneiric and lucid. For oneiric and precise, it would be great just to update to 1.4.6 since it's ABI compatible.

For lucid, one could take these two commits from apr's trunk and apply them to the 1.3.x branch. I haven't done this myself, but my hunch says it should work without much effort:

http://svn.apache.org/viewvc?view=revision&revision=1044432

http://svn.apache.org/viewvc?view=revision&revision=1044440

Blair Zajac (blair) wrote :

I opened a bug in Debian to track the same issue: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664451

Blair Zajac (blair) wrote :

Debian uploaded 1.4.6 that could be synced to 12.04.

James Page (james-page) wrote :

Looking at the upstream changelog this should not need a FFe as it's bugfixes only.

Sync sounds sensible as soon as LP notices it's landed in Debian unstable.

James Page (james-page)
Changed in apr (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-12.04-beta-2
James Page (james-page) wrote :

This bug was fixed in the package apr - 1.4.6-1
Sponsored for Blair Zajac (blair)

---------------
apr (1.4.6-1) unstable; urgency=low

  * New upstream release:
    - Fixes apr_file_trunc() bug which could lead to subversion repository
      corruption. Closes: #664451
    - Adds randomization to hashes. CVE-2012-0840 (but not known to be
      exploitable in httpd or svn). Closes: #655435
  * Remove Tollef Fog Heen and Ryan Niebur from uploaders. Thanks for your
    work in the past.

 -- Stefan Fritsch <email address hidden> Sun, 18 Mar 2012 23:22:59 +0100

Changed in apr (Ubuntu):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in apr (Ubuntu Maverick):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in apr (Ubuntu Natty):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in apr (Ubuntu Oneiric):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in apr (Ubuntu Lucid):
status: New → Won't Fix