devel/subversion -- contrib hook-scripts can allow arbitrary code execution

Subversion team reports:

The script contrib/hook-scripts/check-mime-type.pl does not escape
argv arguments to ‘svnlook’ that start with a hyphen. This could be
used to cause ‘svnlook’, and hence check-mime-type.pl, to error out.
The script contrib/hook-scripts/svn-keyword-check.pl parses filenames
from the output of ‘svnlook changed’ and passes them to a further
shell command (equivalent to the ‘system()’ call of the C standard
library) without escaping them. This could be used to run arbitrary
shell commands in the context of the user whom the pre-commit script
runs as (the user who owns the repository).