author | Tudor Florea <tudor.florea@enea.com> | 2015-10-09 22:59:03 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-10-09 22:59:03 +0200 |
commit | 972dcfcdbfe75dcfeb777150c136576cf1a71e99 (patch) | |
tree | 97a61cd7e293d7ae9d56ef7ed0f81253365bb026 /meta/recipes-devtools/subversion | |
download | poky-972dcfcdbfe75dcfeb777150c136576cf1a71e99.tar.gz |
initial commit for Enea Linux 5.0 arm
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-devtools/subversion')
15 files changed, 1583 insertions, 0 deletions
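--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion-1.8.9/disable_macos.patch
@@ -0,0 +1,68 @@
+These tests don't work in cross compiling, just disable them for now, we don't
+build subversion on OS-X at this time.
+
+RP 1014/7/16
+
+Upstream-Status: Pending [needs a rewrite to support a cache value]
+
+Index: subversion-1.8.9/build/ac-macros/macosx.m4
+===================================================================
+--- subversion-1.8.9.orig/build/ac-macros/macosx.m4 2012-11-26 03:04:27.000000000 +0000
++++ subversion-1.8.9/build/ac-macros/macosx.m4 2014-07-16 12:28:58.357300403 +0000
+@@ -24,21 +24,7 @@
+AC_DEFUN(SVN_LIB_MACHO_ITERATE,
+[
+AC_MSG_CHECKING([for Mach-O dynamic module iteration functions])
+- AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+- #include <mach-o/dyld.h>
+- #include <mach-o/loader.h>
+- ]],[[
+- const struct mach_header *header = _dyld_get_image_header(0);
+- const char *name = _dyld_get_image_name(0);
+- if (name && header) return 0;
+- return 1;
+- ]])],[
+- AC_DEFINE([SVN_HAVE_MACHO_ITERATE], [1],
+- [Is Mach-O low-level _dyld API available?])
+- AC_MSG_RESULT([yes])
+- ],[
+AC_MSG_RESULT([no])
+- ])
+])
+
+dnl SVN_LIB_MACOS_PLIST
+@@ -46,34 +32,7 @@
+AC_DEFUN(SVN_LIB_MACOS_PLIST,
+[
+AC_MSG_CHECKING([for Mac OS property list utilities])
+-
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+- #include <AvailabilityMacros.h>
+- #if !defined(MAC_OS_X_VERSION_MAX_ALLOWED) \
+- || !defined(MAC_OS_X_VERSION_10_0) \
+- || (MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_0)
+- #error ProperyList API unavailable.
+- #endif
+- ]],[[]])],[
+- dnl ### Hack. We should only need to pass the -framework options when
+- dnl linking libsvn_subr, since it is the only library that uses Keychain.
+- dnl
+- dnl Unfortunately, libtool 1.5.x doesn't track transitive dependencies for
+- dnl OS X frameworks like it does for normal libraries, so we need to
+- dnl explicitly pass the option to all the users of libsvn_subr to allow
+- dnl static builds to link successfully.
+- dnl
+- dnl This does mean that all executables we link will be linked directly
+- dnl to these frameworks - even when building shared libraries - but that
+- dnl shouldn't cause any problems.
+-
+- LIBS="$LIBS -framework CoreFoundation"
+- AC_DEFINE([SVN_HAVE_MACOS_PLIST], [1],
+- [Is Mac OS property list API available?])
+- AC_MSG_RESULT([yes])
+- ],[
+AC_MSG_RESULT([no])
+- ])
+])
+
+dnl SVN_LIB_MACOS_KEYCHAIN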
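Review bot: After this hunk both macros print `AC_MSG_RESULT([no])` unconditionally, so `SVN_HAVE_MACHO_ITERATE` and `SVN_HAVE_MACOS_PLIST` can never be defined even on a native macOS build, which is a larger change than the cross-compile problem needs. `AC_RUN_IFELSE` takes a fourth action-if-cross-compiling argument; keeping the original test and appending `],[AC_MSG_RESULT([no])])` as that argument would fail only when cross compiling, which is what the Pending note about a cache value seems to be asking for. The plist check uses `AC_COMPILE_IFELSE`, which does not execute anything, so whether it actually breaks under cross compilation is not evident from this hunk and the patch header should say why it is removed too. The date line `RP 1014/7/16` looks like a typo for 2014.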
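--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion-1.8.9/libtool2.patch
@@ -0,0 +1,15 @@
+Upstream-Status: Inappropriate [embedded specific]
+
+--- a/configure.ac 2011-10-20 21:56:02.230663987 +0200
++++ b/configure.ac 2011-08-17 15:01:30.000000000 +0200
+@@ -227,8 +227,8 @@
+LIBTOOL="$sh_libtool"
+SVN_LIBTOOL="$sh_libtool"
+else
+- sh_libtool="$abs_builddir/libtool"
+- SVN_LIBTOOL="\$(SHELL) $sh_libtool"
++ sh_libtool="$abs_builddir/$host_alias-libtool"
++ SVN_LIBTOOL="\$(SHELL) \$(abs_builddir)/$host_alias-libtool"
+fi
+AC_SUBST(SVN_LIBTOOL)
+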
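Review bot: The replacement paths on lines 11-12 are built from `$host_alias`, which configure leaves empty when `--host` is not given, so a native build would look for `$abs_builddir/-libtool`; the patch header should state that the recipe always configures with `--host`, or the value should fall back, e.g. `sh_libtool="$abs_builddir/${host_alias:+$host_alias-}libtool"`. The `---`/`+++` timestamps are reversed (the new file is dated before the old), which is harmless for quilt but suggests the diff was generated backwards and edited by hand. The `if` branch that assigns `LIBTOOL` from `$sh_libtool` begins above this hunk.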
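--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch
@@ -0,0 +1,444 @@
+Upstream-Status: Backport
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+Index: subversion/include/private/svn_cert.h
+===================================================================
+--- subversion/include/private/svn_cert.h (nonexistent)
++++ subversion/include/private/svn_cert.h (working copy)
+@@ -0,0 +1,68 @@
++/**
++ * @copyright
++ * ====================================================================
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ * ====================================================================
++ * @endcopyright
++ *
++ * @file svn_cert.h
++ * @brief Implementation of certificate validation functions
++ */
++
++#ifndef SVN_CERT_H
++#define SVN_CERT_H
++
++#include <apr.h>
++
++#include "svn_types.h"
++#include "svn_string.h"
++
++#ifdef __cplusplus
++extern "C" {
++#endif /* __cplusplus */
++
++
++/* Return TRUE iff @a pattern matches @a hostname as defined
++ * by the matching rules of RFC 6125. In the context of RFC
++ * 6125 the pattern is the domain name portion of the presented
++ * identifier (which comes from the Common Name or a DNSName
++ * portion of the subjectAltName of an X.509 certificate) and
++ * the hostname is the source domain (i.e. the host portion
++ * of the URI the user entered).
++ *
++ * @note With respect to wildcards we only support matching
++ * wildcards in the left-most label and as the only character
++ * in the left-most label (i.e. we support RFC 6125 s. 6.4.3
++ * Rule 1 and 2 but not the optional Rule 3). This may change
++ * in the future.
++ *
++ * @note Subversion does not at current support internationalized
++ * domain names. Both values are presumed to be in NR-LDH label
++ * or A-label form (see RFC 5890 for the definition).
++ *
++ * @since New in 1.9.
++ */
++svn_boolean_t
++svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname);
++
++
++#ifdef __cplusplus
++}
++#endif /* __cplusplus */
++
++#endif /* SVN_CERT_H */
+Index: subversion/libsvn_ra_serf/util.c
+===================================================================
+--- subversion/libsvn_ra_serf/util.c (revision 1615128)
++++ subversion/libsvn_ra_serf/util.c (working copy)
+@@ -28,7 +28,6 @@
+#define APR_WANT_STRFUNC
+#include <apr.h>
+#include <apr_want.h>
+-#include <apr_fnmatch.h>
+
+#include <serf.h>
+#include <serf_bucket_types.h>
+@@ -49,6 +48,7 @@
+#include "private/svn_fspath.h"
+#include "private/svn_subr_private.h"
+#include "private/svn_auth_private.h"
++#include "private/svn_cert.h"
+
+#include "ra_serf.h"
+
+@@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failures,
+apr_hash_t *subject = NULL;
+apr_hash_t *serf_cert = NULL;
+void *creds;
+- int found_matching_hostname = 0;
+
+svn_failures = (ssl_convert_serf_failures(failures)
+| conn->server_cert_failures);
+@@ -286,26 +285,37 @@ ssl_server_cert(void *baton, int failures,
+### This should really be handled by serf, which should pass an error
+for this case, but that has backwards compatibility issues. */
+apr_array_header_t *san;
++ svn_boolean_t found_san_entry = FALSE;
++ svn_boolean_t found_matching_hostname = FALSE;
++ svn_string_t *actual_hostname =
++ svn_string_create(conn->session->session_url.hostname, scratch_pool);
+
+serf_cert = serf_ssl_cert_certificate(cert, scratch_pool);
+
+san = svn_hash_gets(serf_cert, "subjectAltName");
+/* Try to find matching server name via subjectAltName first... */
+- if (san) {
++ if (san)
++ {
+int i;
+- for (i = 0; i < san->nelts; i++) {
++ found_san_entry = san->nelts > 0;
++ for (i = 0; i < san->nelts; i++)
++ {
+const char *s = APR_ARRAY_IDX(san, i, const char*);
+- if (apr_fnmatch(s, conn->session->session_url.hostname,
+- APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
+- {
+- found_matching_hostname = 1;
++ svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
++
++ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
++ {
++ found_matching_hostname = TRUE;
+break;
+- }
+- }
+- }
++ }
++ }
++ }
+
+- /* Match server certificate CN with the hostname of the server */
+- if (!found_matching_hostname)
++ /* Match server certificate CN with the hostname of the server iff
++ * we didn't find any subjectAltName fields and try to match them.
++ * Per RFC 2818 they are authoritative if present and CommonName
++ * should be ignored. */
++ if (!found_matching_hostname && !found_san_entry)
+{
+const char *hostname = NULL;
+
+@@ -314,13 +324,20 @@ ssl_server_cert(void *baton, int failures,
+if (subject)
+hostname = svn_hash_gets(subject, "CN");
+
+- if (!hostname
+- || apr_fnmatch(hostname, conn->session->session_url.hostname,
+- APR_FNM_PERIOD | APR_FNM_CASE_BLIND) != APR_SUCCESS)
+- {
+- svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
+- }
+- }
++ if (hostname)
++ {
++ svn_string_t *cert_hostname = svn_string_create(hostname,
++ scratch_pool);
++
++ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
++ {
++ found_matching_hostname = TRUE;
++ }
++ }
++ }
++
++ if (!found_matching_hostname)
++ svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
+}
+
+if (!svn_failures)
+Index: subversion/libsvn_subr/dirent_uri.c
+===================================================================
+--- subversion/libsvn_subr/dirent_uri.c (revision 1615128)
++++ subversion/libsvn_subr/dirent_uri.c (working copy)
+@@ -38,6 +38,7 @@
+
+#include "dirent_uri.h"
+#include "private/svn_fspath.h"
++#include "private/svn_cert.h"
+
+/* The canonical empty path. Can this be changed? Well, change the empty
+test below and the path library will work, not so sure about the fs/wc
+@@ -2597,3 +2598,81 @@ svn_urlpath__canonicalize(const char *uri,
+}
+return uri;
+}
++
++
++/* -------------- The cert API (see private/svn_cert.h) ------------- */
++
++svn_boolean_t
++svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname)
++{
++ apr_size_t pattern_pos = 0, hostname_pos = 0;
++
++ /* support leading wildcards that composed of the only character in the
++ * left-most label. */
++ if (pattern->len >= 2 &&
++ pattern->data[pattern_pos] == '*' &&
++ pattern->data[pattern_pos + 1] == '.')
++ {
++ while (hostname_pos < hostname->len &&
++ hostname->data[hostname_pos] != '.')
++ {
++ hostname_pos++;
++ }
++ /* Assume that the wildcard must match something. Rule 2 says
++ * that *.example.com should not match example.com. If the wildcard
++ * ends up not matching anything then it matches .example.com which
++ * seems to be essentially the same as just example.com */
++ if (hostname_pos == 0)
++ return FALSE;
++
++ pattern_pos++;
++ }
++
++ while (pattern_pos < pattern->len && hostname_pos < hostname->len)
++ {
++ char pattern_c = pattern->data[pattern_pos];
++ char hostname_c = hostname->data[hostname_pos];
++
++ /* fold case as described in RFC 4343.
++ * Note: We actually convert to lowercase, since our URI
++ * canonicalization code converts to lowercase and generally
++ * most certs are issued with lowercase DNS names, meaning
++ * this avoids the fold operation in most cases. The RFC
++ * suggests the opposite transformation, but doesn't require
++ * any specific implementation in any case. It is critical
++ * that this folding be locale independent so you can't use
++ * tolower(). */
++ pattern_c = canonicalize_to_lower(pattern_c);
++ hostname_c = canonicalize_to_lower(hostname_c);
++
++ if (pattern_c != hostname_c)
++ {
++ /* doesn't match */
++ return FALSE;
++ }
++ else
++ {
++ /* characters match so skip both */
++ pattern_pos++;
++ hostname_pos++;
++ }
++ }
++
++ /* ignore a trailing period on the hostname since this has no effect on the
++ * security of the matching. See the following for the long explanation as
++ * to why:
++ * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
++ */
++ if (pattern_pos == pattern->len &&
++ hostname_pos == hostname->len - 1 &&
++ hostname->data[hostname_pos] == '.')
++ hostname_pos++;
++
++ if (pattern_pos != pattern->len || hostname_pos != hostname->len)
++ {
++ /* end didn't match */
++ return FALSE;
++ }
++
++ return TRUE;
++}
+Index: subversion/tests/libsvn_subr/dirent_uri-test.c
+===================================================================
+--- subversion/tests/libsvn_subr/dirent_uri-test.c (revision 1615128)
++++ subversion/tests/libsvn_subr/dirent_uri-test.c (working copy)
+@@ -37,6 +37,7 @@
+#include "svn_pools.h"
+#include "svn_dirent_uri.h"
+#include "private/svn_fspath.h"
++#include "private/svn_cert.h"
+
+#include "../svn_test.h"
+
+@@ -2714,6 +2715,145 @@ test_fspath_get_longest_ancestor(apr_pool_t *pool)
+return SVN_NO_ERROR;
+}
+
++struct cert_match_dns_test {
++ const char *pattern;
++ const char *hostname;
++ svn_boolean_t expected;
++};
++
++static svn_error_t *
++run_cert_match_dns_tests(struct cert_match_dns_test *tests, apr_pool_t *pool)
++{
++ struct cert_match_dns_test *ct;
++ apr_pool_t *iterpool = svn_pool_create(pool);
++
++ for (ct = tests; ct->pattern; ct++)
++ {
++ svn_boolean_t result;
++ svn_string_t *pattern, *hostname;
++
++ svn_pool_clear(iterpool);
++
++ pattern = svn_string_create(ct->pattern, iterpool);
++ hostname = svn_string_create(ct->hostname, iterpool);
++
++ result = svn_cert__match_dns_identity(pattern, hostname);
++ if (result != ct->expected)
++ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
++ "Expected %s but got %s for pattern '%s' on "
++ "hostname '%s'",
++ ct->expected ? "match" : "no match",
++ result ? "match" : "no match",
++ pattern->data, hostname->data);
++
++ }
++
++ svn_pool_destroy(iterpool);
++
++ return SVN_NO_ERROR;
++}
++
++static struct cert_match_dns_test cert_match_dns_tests[] = {
++ { "foo.example.com", "foo.example.com", TRUE }, /* exact match */
++ { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */
++ { "FOO.EXAMPLE.COM", "foo.example.com", TRUE },
++ { "*.example.com", "FoO.ExAmPlE.CoM", TRUE },
++ { "*.ExAmPlE.CoM", "foo.example.com", TRUE },
++ { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE },
++ { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE },
++ { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */
++ { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */
++ { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */
++ { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */
++ { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */
++ { "foo.example.com", "foo.example.comcom", FALSE },
++ { "foo.example.com.com", "foo.example.com", FALSE },
++ { "foo.example.com", "foo.example.com.com", FALSE },
++ { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */
++ { "foo.example.com", "foofoo.example.com", FALSE },
++ { "foo.foo.example.com", "foo.example.com", FALSE },
++ { "foo.example.com", "foo.foo.example.com", FALSE },
++ { "foo.*.example.com", "foo.bar.example.com", FALSE }, /* RFC 6125 s. 6.4.3
++ Rule 1 */
++ { "*.example.com", "foo.example.com", TRUE }, /* RFC 6125 s. 6.4.3 Rule 2 */
++ { "*.example.com", "bar.foo.example.com", FALSE }, /* Rule 2 */
++ { "*.example.com", "example.com", FALSE }, /* Rule 2 */
++ { "*.example.com", ".example.com", FALSE }, /* RFC doesn't say what to do
++ here and a leading period on
++ a hostname doesn't make sense
++ so we'll just reject this. */
++ { "*", "foo.example.com", FALSE }, /* wildcard must be left-most label,
++ implies that there must be more than
++ one label. */
++ { "*", "example.com", FALSE },
++ { "*", "com", FALSE },
++ { "*.example.com", "foo.example.net", FALSE }, /* difference in literal text
++ with a wildcard. */
++ { "*.com", "example.com", TRUE }, /* See Errata ID 3090 for RFC 6125,
++ probably shouldn't allow this but
++ we do for now. */
++ { "*.", "example.com", FALSE }, /* test some dubious 2 character wildcard
++ patterns */
++ { "*.", "example.", TRUE }, /* This one feels questionable */
++ { "*.", "example", FALSE },
++ { "*.", ".", FALSE },
++ { "a", "a", TRUE }, /* check that single letter exact matches work */
++ { "a", "b", FALSE }, /* and single letter not matches shouldn't */
++ { "*.*.com", "foo.example.com", FALSE }, /* unsupported wildcards */
++ { "*.*.com", "example.com", FALSE },
++ { "**.example.com", "foo.example.com", FALSE },
++ { "**.example.com", "example.com", FALSE },
++ { "f*.example.com", "foo.example.com", FALSE },
++ { "f*.example.com", "bar.example.com", FALSE },
++ { "*o.example.com", "foo.example.com", FALSE },
++ { "*o.example.com", "bar.example.com", FALSE },
++ { "f*o.example.com", "foo.example.com", FALSE },
++ { "f*o.example.com", "bar.example.com", FALSE },
++ { "foo.e*.com", "foo.example.com", FALSE },
++ { "foo.*e.com", "foo.example.com", FALSE },
++ { "foo.e*e.com", "foo.example.com", FALSE },
++ { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */
++ { "*.example.com", "foo.example.com.", TRUE },
++ { "foo", "foo.", TRUE },
++ { "foo.example.com.", "foo.example.com", FALSE },
++ { "*.example.com.", "foo.example.com", FALSE },
++ { "foo.", "foo", FALSE },
++ { "foo.example.com", "foo.example.com..", FALSE },
++ { "*.example.com", "foo.example.com..", FALSE },
++ { "foo", "foo..", FALSE },
++ { "foo.example.com..", "foo.example.com", FALSE },
++ { "*.example.com..", "foo.example.com", FALSE },
++ { "foo..", "foo", FALSE },
++ { NULL }
++};
++
++static svn_error_t *
++test_cert_match_dns_identity(apr_pool_t *pool)
++{
++ return run_cert_match_dns_tests(cert_match_dns_tests, pool);
++}
++
++/* This test table implements results that should happen if we supported
++ * RFC 6125 s. 6.4.3 Rule 3. We don't so it's expected to fail for now. */
++static struct cert_match_dns_test rule3_tests[] = {
++ { "baz*.example.net", "baz1.example.net", TRUE },
++ { "*baz.example.net", "foobaz.example.net", TRUE },
++ { "b*z.example.net", "buuz.example.net", TRUE },
++ { "b*z.example.net", "bz.example.net", FALSE }, /* presume wildcard can't
++ match nothing */
++ { "baz*.example.net", "baz.example.net", FALSE },
++ { "*baz.example.net", "baz.example.net", FALSE },
++ { "b*z.example.net", "buuzuuz.example.net", TRUE }, /* presume wildcard
++ should be greedy */
++ { NULL }
++};
++
++static svn_error_t *
++test_rule3(apr_pool_t *pool)
++{
++ return run_cert_match_dns_tests(rule3_tests, pool);
++}
++
+
+/* The test table. */
+
+@@ -2812,5 +2952,9 @@ struct svn_test_descriptor_t test_funcs[] =
+"test svn_fspath__dirname/basename/split"),
+SVN_TEST_PASS2(test_fspath_get_longest_ancestor,
+"test svn_fspath__get_longest_ancestor"),
++ SVN_TEST_PASS2(test_cert_match_dns_identity,
++ "test svn_cert__match_dns_identity"),
++ SVN_TEST_XFAIL2(test_rule3,
++ "test match with RFC 6125 s. 6.4.3 Rule 3"),
+SVN_TEST_NULL
+};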
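Review bot: `svn_cert__match_dns_identity` in the dirent_uri.c hunk accepts a wildcard whose only literal part is a single label, so a certificate for `*.com` matches `example.com`; the test table records this (`/* See Errata ID 3090 ... probably shouldn't allow this */`) but the matcher never enforces it, and the same gap lets `*.` match `example.`. A guard in the wildcard branch next to `pattern_pos++;`, `if (memchr(pattern->data + 2, '.', pattern->len - 2) == NULL) return FALSE;`, requires at least two literal labels after the wildcard and would flip those two table entries to FALSE. In the util.c hunks the CN fallback condition `!found_matching_hostname && !found_san_entry` is redundant, because `found_matching_hostname` can only become TRUE inside the loop that runs when `san->nelts > 0`, which is exactly `found_san_entry`; `!found_san_entry` alone says what the RFC 2818 comment describes, and `ssl_server_cert` itself begins and ends outside these hunks. Both the SAN entries and the CN reach the matcher as NUL-terminated C strings built by `svn_string_create`, so a name with an embedded NUL would be compared only up to the NUL; whether serf already rejects such names is not visible here and should be confirmed.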
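--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/disable-revision-install.patch
@@ -0,0 +1,36 @@
+Upstream-Status: Inappropriate [embedded specific]
+
+Index: subversion-1.6.15/Makefile.in
+===================================================================
+--- subversion-1.6.15.orig/Makefile.in 2010-11-17 06:47:23.000000000 -0800
++++ subversion-1.6.15/Makefile.in 2011-01-31 10:11:07.358779686 -0800
+@@ -305,7 +305,7 @@
+clean: external-clean local-clean
+distclean: external-distclean local-distclean
+extraclean: external-extraclean local-extraclean
+-install: external-install local-install revision-install
++install: external-install local-install #revision-install
+
+@INCLUDE_OUTPUTS@
+
+@@ -363,13 +363,13 @@
+local-install: @INSTALL_RULES@
+
+### HACK!! Find a better way to do this
+-revision-install:
+- test -d $(DESTDIR)$(includedir)/subversion-1 || \
+- $(MKDIR) $(DESTDIR)$(includedir)/subversion-1
+- (subversion/svnversion/svnversion $(top_srcdir) || \
+- svnversion $(top_srcdir) || \
+- echo "unknown"; \
+- ) > $(DESTDIR)$(includedir)/subversion-1/svn-revision.txt
++#revision-install:
++# test -d $(DESTDIR)$(includedir)/subversion-1 || \
++# $(MKDIR) $(DESTDIR)$(includedir)/subversion-1
++# (subversion/svnversion/svnversion $(top_srcdir) || \
++# svnversion $(top_srcdir) || \
++# echo "unknown"; \
++# ) > $(DESTDIR)$(includedir)/subversion-1/svn-revision.txt
+
+install-static: @INSTALL_STATIC_RULES@
+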
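Review bot: Lines 27-33 comment out the `revision-install` rule instead of removing it, leaving dead text in Makefile.in that will fuzz on every rebase; since line 12 already drops the target from the `install:` prerequisites, deleting the rule outright (or keeping an empty `revision-install:` target) is enough, with `install: external-install local-install` on line 12. The change also means the installed tree no longer gets `$(includedir)/subversion-1/svn-revision.txt`, which the patch header does not mention; a sentence such as `Drops svn-revision.txt, which runs svnversion against the source tree at install time and presumably only yields "unknown" for a tarball build` would justify the Inappropriate status for the next reader.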
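--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/fix-install-depends.patch
@@ -0,0 +1,45 @@
+install-neon-lib should depend on libsvn_delta's installation
+
+install-neon-lib needs libsvn_delta-1.la which will be regenerated
+during libsvn_delta-1.la's installation, if libsvn_delta-1.la is
+in regenerating and at the same time install-neon-lib links it, the
+error willl happen.
+
+Let install-neon-lib run after libsvn_delta-1.la is installed will fix
+the problem.
+
+Upstream-Status: Pending
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+build-outputs.mk | 2 +-
+build.conf | 2 ++
+2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/build-outputs.mk b/build-outputs.mk
+--- a/build-outputs.mk
++++ b/build-outputs.mk
+@@ -979,7 +979,7 @@ install-locale: subversion/po/de.mo subversion/po/es.mo subversion/po/fr.mo subv
+$(MKDIR) $(DESTDIR)$(localedir)/zh_TW/LC_MESSAGES
+cd subversion/po ; $(INSTALL_LOCALE) zh_TW.mo $(DESTDIR)$(localedir)/zh_TW/LC_MESSAGES/$(PACKAGE_NAME).mo
+
+-install-neon-lib: subversion/libsvn_ra_neon/libsvn_ra_neon-1.la
++install-neon-lib: subversion/libsvn_ra_neon/libsvn_ra_neon-1.la $(SVN_FS_LIB_INSTALL_DEPS)
+$(MKDIR) $(DESTDIR)$(neon_libdir)
+cd subversion/libsvn_ra_neon ; $(INSTALL_NEON_LIB) libsvn_ra_neon-1.la $(DESTDIR)$(neon_libdir)/libsvn_ra_neon-1.la
+
+diff --git a/build.conf b/build.conf
+--- a/build.conf
++++ b/build.conf
+@@ -272,6 +272,8 @@ type = ra-module
+path = subversion/libsvn_ra_neon
+install = neon-lib
+libs = libsvn_delta libsvn_subr aprutil apriconv apr neon
++# conditionally add more dependencies
++add-install-deps = $(SVN_FS_LIB_INSTALL_DEPS)
+msvc-static = yes
+
+# Accessing repositories via DAV through serf
+--
+1.7.10.4
+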
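Review bot: The dependency added to `install-neon-lib` on line 27 is `$(SVN_FS_LIB_INSTALL_DEPS)`, while the description says the target must wait for `libsvn_delta-1.la` to be installed; nothing in this hunk shows that variable expanding to a rule that installs libsvn_delta, so the header should spell out the expansion it relies on (presumably an `install-fs-lib` that itself orders after `install-lib`). Patching `build-outputs.mk` by hand on line 27 duplicates what the `add-install-deps` key on line 39 would presumably make the generator emit, so the two copies will drift if build-outputs.mk is ever regenerated; a header note that line 27 is the pre-generated mirror of line 39 would help the next rebase. Minor: `willl` in the description.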
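--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/libtool2.patch
@@ -0,0 +1,17 @@
+Upstream-Status: Inappropriate [embedded specific]
+
+Index: subversion-1.5.5/configure.ac
+===================================================================
+--- subversion-1.5.5.orig/configure.ac 2008-08-26 18:27:56.000000000 +0100
++++ subversion-1.5.5/configure.ac 2009-01-07 18:00:47.000000000 +0000
+@@ -153,8 +153,8 @@
+LIBTOOL="$sh_libtool"
+SVN_LIBTOOL="$sh_libtool"
+else
+- sh_libtool="$abs_builddir/libtool"
+- SVN_LIBTOOL="\$(SHELL) $sh_libtool"
++ sh_libtool="$abs_builddir/$host_alias-libtool"
++ SVN_LIBTOOL="\$(SHELL) \$(abs_builddir)/$host_alias-libtool"
+dnl libtoolize requires that the following line not be indented
+ifdef([LT_INIT], [LT_INIT], [AC_PROG_LIBTOOL])
+fi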
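diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
new file mode 100644
index 0000000000..29aeea5017
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
@@ -0,0 +1,171 @@
+Upstream-Status: Backport
+
+Index: subversion/mod_dav_svn/dav_svn.h
+===================================================================
+--- a/subversion/mod_dav_svn/dav_svn.h (revision 1461956)
++++ b/subversion/mod_dav_svn/dav_svn.h (working copy)
+@@ -254,6 +254,9 @@ struct dav_resource_private {
+interface (ie: /path/to/item?p=PEGREV]? */
+svn_boolean_t pegged;
+
++ /* Cache any revprop change error */
++ svn_error_t *revprop_error;
++
+/* Pool to allocate temporary data from */
+apr_pool_t *pool;
+};
+Index: subversion/mod_dav_svn/deadprops.c
+===================================================================
+--- a/subversion/mod_dav_svn/deadprops.c (revision 1461956)
++++ b/subversion/mod_dav_svn/deadprops.c (working copy)
+@@ -49,8 +49,7 @@ struct dav_db {
+
+
+struct dav_deadprop_rollback {
+- dav_prop_name name;
+- svn_string_t value;
++ int dummy;
+};
+
+
+@@ -134,6 +133,7 @@ save_value(dav_db *db, const dav_prop_name *name,
+{
+const char *propname;
+svn_error_t *serr;
++ apr_pool_t *subpool;
+
+/* get the repos-local name */
+get_repos_propname(db, name, &propname);
+@@ -151,10 +151,14 @@ save_value(dav_db *db, const dav_prop_name *name,
+}
+
+/* Working Baseline or Working (Version) Resource */
++
++ /* A subpool to cope with mod_dav making multiple calls, e.g. during
++ PROPPATCH with multiple values. */
++ subpool = svn_pool_create(db->resource->pool);
+if (db->resource->baselined)
+if (db->resource->working)
+serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
+- propname, value, db->resource->pool);
++ propname, value, subpool);
+else
+{
+/* ### VIOLATING deltaV: you can't proppatch a baseline, it's
+@@ -168,19 +172,29 @@ save_value(dav_db *db, const dav_prop_name *name,
+propname, value, TRUE, TRUE,
+db->authz_read_func,
+db->authz_read_baton,
+- db->resource->pool);
++ subpool);
+
++ /* mod_dav doesn't handle the returned error very well, it
++ generates its own generic error that will be returned to
++ the client. Cache the detailed error here so that it can
++ be returned a second time when the rollback mechanism
++ triggers. */
++ if (serr)
++ db->resource->info->revprop_error = svn_error_dup(serr);
++
+/* Tell the logging subsystem about the revprop change. */
+dav_svn__operational_log(db->resource->info,
+svn_log__change_rev_prop(
+db->resource->info->root.rev,
+propname,
+- db->resource->pool));
++ subpool));
+}
+else
+serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
+get_repos_path(db->resource->info),
+- propname, value, db->resource->pool);
++ propname, value, subpool);
++ svn_pool_destroy(subpool);
++
+if (serr != NULL)
+return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+NULL,
+@@ -395,6 +409,7 @@ db_remove(dav_db *db, const dav_prop_name *name)
+{
+svn_error_t *serr;
+const char *propname;
++ apr_pool_t *subpool;
+
+/* get the repos-local name */
+get_repos_propname(db, name, &propname);
+@@ -403,6 +418,10 @@ db_remove(dav_db *db, const dav_prop_name *name)
+if (propname == NULL)
+return NULL;
+
++ /* A subpool to cope with mod_dav making multiple calls, e.g. during
++ PROPPATCH with multiple values. */
++ subpool = svn_pool_create(db->resource->pool);
++
+/* Working Baseline or Working (Version) Resource */
+if (db->resource->baselined)
+if (db->resource->working)
+@@ -419,11 +438,12 @@ db_remove(dav_db *db, const dav_prop_name *name)
+propname, NULL, TRUE, TRUE,
+db->authz_read_func,
+db->authz_read_baton,
+- db->resource->pool);
++ subpool);
+else
+serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
+get_repos_path(db->resource->info),
+- propname, NULL, db->resource->pool);
++ propname, NULL, subpool);
++ svn_pool_destroy(subpool);
+if (serr != NULL)
+return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
+"could not remove a property",
+@@ -598,19 +618,14 @@ db_get_rollback(dav_db *db,
+const dav_prop_name *name,
+dav_deadprop_rollback **prollback)
+{
+- dav_error *err;
+- dav_deadprop_rollback *ddp;
+- svn_string_t *propval;
++ /* This gets called by mod_dav in preparation for a revprop change.
++ mod_dav_svn doesn't need to make any changes during rollback, but
++ we want the rollback mechanism to trigger. Making changes in
++ response to post-revprop-change hook errors would be positively
++ wrong. */
+
+- if ((err = get_value(db, name, &propval)) != NULL)
+- return err;
++ *prollback = apr_palloc(db->p, sizeof(dav_deadprop_rollback));
+
+- ddp = apr_palloc(db->p, sizeof(*ddp));
+- ddp->name = *name;
+- ddp->value.data = propval ? propval->data : NULL;
+- ddp->value.len = propval ? propval->len : 0;
+-
+- *prollback = ddp;
+return NULL;
+}
+
+@@ -618,12 +633,20 @@ db_get_rollback(dav_db *db,
+static dav_error *
+db_apply_rollback(dav_db *db, dav_deadprop_rollback *rollback)
+{
+- if (rollback->value.data == NULL)
+- {
+- return db_remove(db, &rollback->name);
+- }
++ dav_error *derr;
+
+- return save_value(db, &rollback->name, &rollback->value);
++ if (! db->resource->info->revprop_error)
++ return NULL;
++
++ /* Returning the original revprop change error here will cause this
++ detailed error to get returned to the client in preference to the
++ more generic error created by mod_dav. */
++ derr = dav_svn__convert_err(db->resource->info->revprop_error,
++ HTTP_INTERNAL_SERVER_ERROR, NULL,
++ db->resource->pool);
++ db->resource->info->revprop_error = NULL;
++
++ return derr;
+}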
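Review bot: In save_value the cached error at `db->resource->info->revprop_error = svn_error_dup(serr);` overwrites whatever was cached before without clearing it, and db_apply_rollback only releases the cache when mod_dav actually triggers a rollback. The hunk's own comment says mod_dav calls save_value repeatedly during a multi-value PROPPATCH, so a second failing revprop change replaces the first duplicate; if svn_error_dup allocates its copy in a private pool, as the libsvn_subr implementation does, that copy is never freed on the paths where no rollback follows. Suggest `svn_error_clear(db->resource->info->revprop_error);` immediately before the assignment, plus a comment on the new struct field stating that whoever consumes it owns clearing it. The patch also adds `revprop_error` to dav_resource_private without any visible initialisation; that is only safe if the struct is zero-allocated in the resource constructor, which this patch does not show and is worth confirming.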
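diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch
new file mode 100644
index 0000000000..f49b9a43a6
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch
@@ -0,0 +1,53 @@
+Upstream-Status: Backport
+
+Index: subversion/mod_dav_svn/lock.c
+===================================================================
+--- a/subversion/mod_dav_svn/lock.c (revision 1459696)
++++ b/subversion/mod_dav_svn/lock.c (working copy)
+@@ -634,7 +634,20 @@ append_locks(dav_lockdb *lockdb,
+svn_lock_t *slock;
+svn_error_t *serr;
+dav_error *derr;
++ dav_svn_repos *repos = resource->info->repos;
++
++ /* We don't allow anonymous locks */
++ if (! repos->username)
++ return dav_new_error(resource->pool, HTTP_UNAUTHORIZED,
++ DAV_ERR_LOCK_SAVE_LOCK,
++ "Anonymous lock creation is not allowed.");
+
++ /* Not a path in the repository so can't lock it. */
++ if (! resource->info->repos_path)
++ return dav_new_error(resource->pool, HTTP_BAD_REQUEST,
++ DAV_ERR_LOCK_SAVE_LOCK,
++ "Attempted to lock path not in repository.");
++
+/* If the resource's fs path is unreadable, we don't allow a lock to
+be created on it. */
+if (! dav_svn__allow_read_resource(resource, SVN_INVALID_REVNUM,
+@@ -657,7 +670,6 @@ append_locks(dav_lockdb *lockdb,
+svn_fs_txn_t *txn;
+svn_fs_root_t *txn_root;
+const char *conflict_msg;
+- dav_svn_repos *repos = resource->info->repos;
+apr_hash_t *revprop_table = apr_hash_make(resource->pool);
+apr_hash_set(revprop_table, SVN_PROP_REVISION_AUTHOR,
+APR_HASH_KEY_STRING, svn_string_create(repos->username,
+@@ -734,7 +746,7 @@ append_locks(dav_lockdb *lockdb,
+
+/* Convert the dav_lock into an svn_lock_t. */
+derr = dav_lock_to_svn_lock(&slock, lock, resource->info->repos_path,
+- info, resource->info->repos->is_svn_client,
++ info, repos->is_svn_client,
+resource->pool);
+if (derr)
+return derr;
+@@ -741,7 +753,7 @@ append_locks(dav_lockdb *lockdb,
+
+/* Now use the svn_lock_t to actually perform the lock. */
+serr = svn_repos_fs_lock(&slock,
+- resource->info->repos->repos,
++ repos->repos,
+slock->path,
+slock->token,
+slock->comment,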
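Review bot: The two new guards at the top of append_locks deserve a comment tying them to the dereferences they protect, because neither value is used until well below: `repos->username` is handed to svn_string_create for the SVN_PROP_REVISION_AUTHOR revprop and `resource->info->repos_path` to dav_lock_to_svn_lock, and a NULL in either is the crash these CVEs describe. Suggest above the first check `/* username and repos_path are dereferenced unconditionally further down (author revprop, dav_lock_to_svn_lock); a NULL in either crashed the server (CVE-2013-1847 / CVE-2013-1846). */`. Note that the hoisted `repos` pointer is itself dereferenced before any check, which is only safe if every resource that can reach append_locks has `info->repos` set; the hunk does not show where that is guaranteed. The remainder of append_locks lies outside the hunk.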
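diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch
new file mode 100644
index 0000000000..734f9b02e4
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Backport
+
+--- a/subversion/mod_dav_svn/liveprops.c
++++ b/subversion/mod_dav_svn/liveprops.c
+@@ -410,7 +410,8 @@ insert_prop(const dav_resource *resource
+svn_filesize_t len = 0;
+
+/* our property, but not defined on collection resources */
+- if (resource->collection || resource->baselined)
++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
++ || resource->collection || resource->baselined)
+return DAV_PROP_INSERT_NOTSUPP;
+
+serr = svn_fs_file_length(&len, resource->info->root.root,
+@@ -434,7 +435,9 @@ insert_prop(const dav_resource *resource
+svn_string_t *pval;
+const char *mime_type = NULL;
+
+- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION)
++ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
++ || (resource->baselined
++ && resource->type == DAV_RESOURCE_TYPE_VERSION))
+return DAV_PROP_INSERT_NOTSUPP;
+
+if (resource->type == DAV_RESOURCE_TYPE_PRIVATE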
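Review bot: Both new `DAV_RESOURCE_TYPE_ACTIVITY` guards in insert_prop lack a why-comment, and the reason is not obvious from the surrounding lines: the first sits directly above `svn_fs_file_length(&len, resource->info->root.root, ...)`, which is presumably the call that faulted for activity resources (they carry no filesystem root to query), and the second guards a similar lookup in the MIME-type branch. Suggest on the first guard `/* Activity resources have no fs root; a length or MIME-type lookup on one dereferenced NULL (CVE-2013-1849). */` and a one-line cross-reference on the second. insert_prop continues outside the hunk, so any other property branch that reads `root.root` should be audited for the same condition rather than assumed covered by these two.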
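diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch
new file mode 100644
index 0000000000..21b8ef0c3b
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch
@@ -0,0 +1,15 @@
+Upstream-Status: Backport
+
+--- a/subversion/svnserve/main.c
++++ b/subversion/svnserve/main.c
+@@ -403,8 +403,9 @@ static svn_error_t *write_pid_file(const
+const char *contents = apr_psprintf(pool, "%" APR_PID_T_FMT "\n",
+getpid());
+
++ SVN_ERR(svn_io_remove_file(filename, pool));
+SVN_ERR(svn_io_file_open(&file, filename,
+- APR_WRITE | APR_CREATE | APR_TRUNCATE,
++ APR_WRITE | APR_CREATE | APR_EXCL,
+APR_OS_DEFAULT, pool));
+SVN_ERR(svn_io_file_write_full(file, contents, strlen(contents), NULL,
+pool));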
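Review bot: The added `SVN_ERR(svn_io_remove_file(filename, pool));` makes a missing pid file fatal if this tree's svn_io_remove_file reports ENOENT as an error, which the 1.6-era API appears to; upstream's fix used `svn_io_remove_file2(filename, TRUE, pool)` precisely so a first start with no stale file succeeds. Either switch to the ignore-ENOENT variant if it exists in this tree, or inspect the returned error and clear it when `APR_STATUS_IS_ENOENT(err->apr_err)`. The unlink-then-`APR_EXCL` sequence itself is the right shape for this bug: O_CREAT|O_EXCL refuses to follow an attacker-planted symlink, and the residual race where something recreates the path between the two calls yields a start-up failure rather than an overwrite of an arbitrary file, which is worth saying in a comment above the remove. write_pid_file's body continues outside the hunk.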
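diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch
new file mode 100644
index 0000000000..7d73a6b2f3
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch
@@ -0,0 +1,127 @@
+Upstream-Status: Backport
+
+--- ./contrib/server-side/mod_dontdothat/mod_dontdothat.c.old 2014-04-15 10:18:54.692655905 +0800
++++ ./contrib/server-side/mod_dontdothat/mod_dontdothat.c 2014-04-15 10:29:55.559603676 +0800
+@@ -25,12 +25,15 @@
+#include <util_filter.h>
+#include <ap_config.h>
+#include <apr_strings.h>
++#include <apr_uri.h>
+
+#include <expat.h>
+
+#include "mod_dav_svn.h"
+#include "svn_string.h"
+#include "svn_config.h"
++#include "svn_path.h"
++#include "private/svn_fspath.h"
+
+module AP_MODULE_DECLARE_DATA dontdothat_module;
+
+@@ -156,26 +159,71 @@ matches(const char *wc, const char *p)
+}
+}
+
++/* duplicate of dav_svn__log_err() from mod_dav_svn/util.c */
++static void
++log_dav_err(request_rec *r,
++ dav_error *err,
++ int level)
++{
++ dav_error *errscan;
++
++ /* Log the errors */
++ /* ### should have a directive to log the first or all */
++ for (errscan = err; errscan != NULL; errscan = errscan->prev) {
++ apr_status_t status;
++
++ if (errscan->desc == NULL)
++ continue;
++
++#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)
++ status = errscan->aprerr;
++#else
++ status = errscan->save_errno;
++#endif
++
++ ap_log_rerror(APLOG_MARK, level, status, r,
++ "%s [%d, #%d]",
++ errscan->desc, errscan->status, errscan->error_id);
++ }
++}
++
+static svn_boolean_t
+is_this_legal(dontdothat_filter_ctx *ctx, const char *uri)
+{
+const char *relative_path;
+const char *cleaned_uri;
+const char *repos_name;
++ const char *uri_path;
+int trailing_slash;
+dav_error *derr;
+
+- /* Ok, so we need to skip past the scheme, host, etc. */
+- uri = ap_strstr_c(uri, "://");
+- if (uri)
+- uri = ap_strchr_c(uri + 3, '/');
++ /* uri can be an absolute uri or just a path, we only want the path to match
++ * against */
++ if (uri && svn_path_is_url(uri))
++ {
++ apr_uri_t parsed_uri;
++ apr_status_t rv = apr_uri_parse(ctx->r->pool, uri, &parsed_uri);
++ if (APR_SUCCESS != rv)
++ {
++ /* Error parsing the URI, log and reject request. */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, ctx->r,
++ "mod_dontdothat: blocked request after failing "
++ "to parse uri: '%s'", uri);
++ return FALSE;
++ }
++ uri_path = parsed_uri.path;
++ }
++ else
++ {
++ uri_path = uri;
++ }
+
+- if (uri)
++ if (uri_path)
+{
+const char *repos_path;
+
+derr = dav_svn_split_uri(ctx->r,
+- uri,
++ uri_path,
+ctx->cfg->base_path,
+&cleaned_uri,
+&trailing_slash,
+@@ -189,7 +237,7 @@ is_this_legal(dontdothat_filter_ctx *ctx
+if (! repos_path)
+repos_path = "";
+
+- repos_path = apr_psprintf(ctx->r->pool, "/%s", repos_path);
++ repos_path = svn_fspath__canonicalize(repos_path, ctx->r->pool);
+
+/* First check the special cases that are always legal... */
+for (idx = 0; idx < ctx->allow_recursive_ops->nelts; ++idx)
+@@ -223,6 +271,19 @@ is_this_legal(dontdothat_filter_ctx *ctx
+}
+}
+}
++ else
++ {
++ log_dav_err(ctx->r, derr, APLOG_ERR);
++ return FALSE;
++ }
++
++ }
++ else
++ {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
++ "mod_dontdothat: empty uri passed to is_this_legal(), "
++ "module bug?");
++ return FALSE;
++ }
+
+return TRUE;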
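Review bot: The trailing `else` branch in is_this_legal logs `"empty uri passed to is_this_legal(), module bug?"` and rejects, but it is also reached for a well-formed absolute URI that has no path component: per apr_uri.h, apr_uri_parse leaves `path` NULL when only `scheme://host` was given, so `uri_path` can be NULL from client-controlled input rather than from a module bug. Rejecting is the safe outcome, so the fix is wording plus a comment: log `"mod_dontdothat: uri '%s' has no path component, blocking request"` with the original `uri` as the argument, and note above `uri_path = parsed_uri.path;` that the field may be NULL. The switch to `svn_fspath__canonicalize` before the allow/deny loops is the substantive part of this change and also deserves a comment, since the pattern comparison in matches() otherwise sees whatever non-canonical form (`//`, `/./`, trailing slash) the client chose to send. The rest of is_this_legal, including the loops that consume `repos_path`, lies outside the hunk.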
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch new file mode 100644 index 0000000000..03d5b9710f --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch | |||
@@ -0,0 +1,439 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
4 | |||
5 | diff --git a/subversion/libsvn_ra_serf/util.c.old b/subversion/libsvn_ra_serf/util.c | ||
6 | index b6c0141..8b09770 100644 | ||
7 | --- a/subversion/libsvn_ra_serf/util.c.old | ||
8 | +++ b/subversion/libsvn_ra_serf/util.c | ||
9 | @@ -21,7 +21,6 @@ | ||
10 | #define APR_WANT_STRFUNC | ||
11 | #include <apr.h> | ||
12 | #include <apr_want.h> | ||
13 | -#include <apr_fnmatch.h> | ||
14 | |||
15 | #include <serf.h> | ||
16 | #include <serf_bucket_types.h> | ||
17 | @@ -30,6 +29,7 @@ | ||
18 | #include "svn_private_config.h" | ||
19 | #include "svn_xml.h" | ||
20 | #include "private/svn_dep_compat.h" | ||
21 | +#include "private/svn_cert.h" | ||
22 | |||
23 | #include "ra_serf.h" | ||
24 | |||
25 | @@ -113,7 +113,12 @@ ssl_server_cert(void *baton, int failures, | ||
26 | apr_uint32_t svn_failures; | ||
27 | svn_error_t *err; | ||
28 | apr_hash_t *issuer, *subject, *serf_cert; | ||
29 | + apr_array_header_t *san; | ||
30 | void *creds; | ||
31 | + svn_boolean_t found_matching_hostname = FALSE; | ||
32 | + svn_boolean_t found_san_entry = FALSE; | ||
33 | + svn_string_t *actual_hostname = | ||
34 | + svn_string_create(conn->hostname, scratch_pool); | ||
35 | |||
36 | /* Implicitly approve any non-server certs. */ | ||
37 | if (serf_ssl_cert_depth(cert) > 0) | ||
38 | @@ -129,6 +134,7 @@ ssl_server_cert(void *baton, int failures, | ||
39 | serf_cert = serf_ssl_cert_certificate(cert, subpool); | ||
40 | |||
41 | cert_info.hostname = apr_hash_get(subject, "CN", APR_HASH_KEY_STRING); | ||
42 | + san = apr_hash_get(serf_cert, "subjectAltName", APR_HASH_KEY_STRING); | ||
43 | cert_info.fingerprint = apr_hash_get(serf_cert, "sha1", APR_HASH_KEY_STRING); | ||
44 | if (! cert_info.fingerprint) | ||
45 | cert_info.fingerprint = apr_pstrdup(subpool, "<unknown>"); | ||
46 | @@ -145,16 +145,43 @@ ssl_server_cert(void *baton, int failures, | ||
47 | |||
48 | svn_failures = ssl_convert_serf_failures(failures); | ||
49 | |||
50 | - /* Match server certificate CN with the hostname of the server */ | ||
51 | - if (cert_info.hostname) | ||
52 | + /* Try to find matching server name via subjectAltName first... */ | ||
53 | + if (san) | ||
54 | { | ||
55 | - if (apr_fnmatch(cert_info.hostname, conn->hostinfo, | ||
56 | - APR_FNM_PERIOD) == APR_FNM_NOMATCH) | ||
57 | + int i; | ||
58 | + found_san_entry = san->nelts > 0; | ||
59 | + for (i = 0; i < san->nelts; i++) | ||
60 | { | ||
61 | - svn_failures |= SVN_AUTH_SSL_CNMISMATCH; | ||
62 | + char *s = APR_ARRAY_IDX(san, i, char*); | ||
63 | + svn_string_t *cert_hostname = svn_string_create(s, scratch_pool); | ||
64 | + | ||
65 | + if (svn_cert__match_dns_identity(cert_hostname, actual_hostname)) | ||
66 | + { | ||
67 | + found_matching_hostname = TRUE; | ||
68 | + cert_info.hostname = s; | ||
69 | + break; | ||
70 | + } | ||
71 | } | ||
72 | } | ||
73 | |||
74 | + /* Match server certificate CN with the hostname of the server iff | ||
75 | + * we didn't find any subjectAltName fields and try to match them. | ||
76 | + * Per RFC 2818 they are authoritative if present and CommonName | ||
77 | + * should be ignored. */ | ||
78 | + if (!found_matching_hostname && !found_san_entry && cert_info.hostname) | ||
79 | + { | ||
80 | + svn_string_t *cert_hostname = svn_string_create(cert_info.hostname, | ||
81 | + scratch_pool); | ||
82 | + | ||
83 | + if (svn_cert__match_dns_identity(cert_hostname, actual_hostname)) | ||
84 | + { | ||
85 | + found_matching_hostname = TRUE; | ||
86 | + } | ||
87 | + } | ||
88 | + | ||
89 | + if (!found_matching_hostname) | ||
90 | + svn_failures |= SVN_AUTH_SSL_CNMISMATCH; | ||
91 | + | ||
92 | svn_auth_set_parameter(conn->session->wc_callbacks->auth_baton, | ||
93 | SVN_AUTH_PARAM_SSL_SERVER_FAILURES, | ||
94 | &svn_failures); | ||
95 | @@ -261,6 +293,10 @@ svn_ra_serf__conn_setup(apr_socket_t *sock, | ||
96 | if (!conn->ssl_context) | ||
97 | { | ||
98 | conn->ssl_context = serf_bucket_ssl_encrypt_context_get(rb); | ||
99 | + | ||
100 | +#if SERF_VERSION_AT_LEAST(1,0,0) | ||
101 | + serf_ssl_set_hostname(conn->ssl_context, conn->hostinfo); | ||
102 | +#endif | ||
103 | |||
104 | serf_ssl_client_cert_provider_set(conn->ssl_context, | ||
105 | svn_ra_serf__handle_client_cert, | ||
106 | diff --git a/subversion/libsvn_subr/dirent_uri.c.old b/subversion/libsvn_subr/dirent_uri.c | ||
107 | index eef99ba..a5f9e7e 100644 | ||
108 | --- a/subversion/libsvn_subr/dirent_uri.c.old | ||
109 | +++ b/subversion/libsvn_subr/dirent_uri.c | ||
110 | @@ -30,6 +30,7 @@ | ||
111 | #include "svn_path.h" | ||
112 | |||
113 | #include "private_uri.h" | ||
114 | +#include "private/svn_cert.h" | ||
115 | |||
116 | /* The canonical empty path. Can this be changed? Well, change the empty | ||
117 | test below and the path library will work, not so sure about the fs/wc | ||
118 | @@ -1194,3 +1195,81 @@ svn_uri_is_canonical(const char *uri, apr_pool_t *pool) | ||
119 | |||
120 | return TRUE; | ||
121 | } | ||
122 | + | ||
123 | + | ||
124 | +/* -------------- The cert API (see private/svn_cert.h) ------------- */ | ||
125 | + | ||
126 | +svn_boolean_t | ||
127 | +svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname) | ||
128 | +{ | ||
129 | + apr_size_t pattern_pos = 0, hostname_pos = 0; | ||
130 | + | ||
131 | + /* support leading wildcards that composed of the only character in the | ||
132 | + * left-most label. */ | ||
133 | + if (pattern->len >= 2 && | ||
134 | + pattern->data[pattern_pos] == '*' && | ||
135 | + pattern->data[pattern_pos + 1] == '.') | ||
136 | + { | ||
137 | + while (hostname_pos < hostname->len && | ||
138 | + hostname->data[hostname_pos] != '.') | ||
139 | + { | ||
140 | + hostname_pos++; | ||
141 | + } | ||
142 | + /* Assume that the wildcard must match something. Rule 2 says | ||
143 | + * that *.example.com should not match example.com. If the wildcard | ||
144 | + * ends up not matching anything then it matches .example.com which | ||
145 | + * seems to be essentially the same as just example.com */ | ||
146 | + if (hostname_pos == 0) | ||
147 | + return FALSE; | ||
148 | + | ||
149 | + pattern_pos++; | ||
150 | + } | ||
151 | + | ||
152 | + while (pattern_pos < pattern->len && hostname_pos < hostname->len) | ||
153 | + { | ||
154 | + char pattern_c = pattern->data[pattern_pos]; | ||
155 | + char hostname_c = hostname->data[hostname_pos]; | ||
156 | + | ||
157 | + /* fold case as described in RFC 4343. | ||
158 | + * Note: We actually convert to lowercase, since our URI | ||
159 | + * canonicalization code converts to lowercase and generally | ||
160 | + * most certs are issued with lowercase DNS names, meaning | ||
161 | + * this avoids the fold operation in most cases. The RFC | ||
162 | + * suggests the opposite transformation, but doesn't require | ||
163 | + * any specific implementation in any case. It is critical | ||
164 | + * that this folding be locale independent so you can't use | ||
165 | + * tolower(). */ | ||
166 | + pattern_c = canonicalize_to_lower(pattern_c); | ||
167 | + hostname_c = canonicalize_to_lower(hostname_c); | ||
168 | + | ||
169 | + if (pattern_c != hostname_c) | ||
170 | + { | ||
171 | + /* doesn't match */ | ||
172 | + return FALSE; | ||
173 | + } | ||
174 | + else | ||
175 | + { | ||
176 | + /* characters match so skip both */ | ||
177 | + pattern_pos++; | ||
178 | + hostname_pos++; | ||
179 | + } | ||
180 | + } | ||
181 | + | ||
182 | + /* ignore a trailing period on the hostname since this has no effect on the | ||
183 | + * security of the matching. See the following for the long explanation as | ||
184 | + * to why: | ||
185 | + * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28 | ||
186 | + */ | ||
187 | + if (pattern_pos == pattern->len && | ||
188 | + hostname_pos == hostname->len - 1 && | ||
189 | + hostname->data[hostname_pos] == '.') | ||
190 | + hostname_pos++; | ||
191 | + | ||
192 | + if (pattern_pos != pattern->len || hostname_pos != hostname->len) | ||
193 | + { | ||
194 | + /* end didn't match */ | ||
195 | + return FALSE; | ||
196 | + } | ||
197 | + | ||
198 | + return TRUE; | ||
199 | +} | ||
200 | diff --git a/subversion/tests/libsvn_subr/dirent_uri-test.c.old b/subversion/tests/libsvn_subr/dirent_uri-test.c | ||
201 | index d71d9c1..370b64a 100644 | ||
202 | --- a/subversion/tests/libsvn_subr/dirent_uri-test.c.old | ||
203 | +++ b/subversion/tests/libsvn_subr/dirent_uri-test.c | ||
204 | @@ -31,6 +31,7 @@ | ||
205 | |||
206 | #include "svn_pools.h" | ||
207 | #include "svn_dirent_uri.h" | ||
208 | +#include "private/svn_cert.h" | ||
209 | |||
210 | #include "../svn_test.h" | ||
211 | #include "../../libsvn_subr/private_uri.h" | ||
212 | @@ -1671,6 +1672,145 @@ test_uri_internal_style(const char **msg, | ||
213 | return SVN_NO_ERROR; | ||
214 | } | ||
215 | |||
216 | +struct cert_match_dns_test { | ||
217 | + const char *pattern; | ||
218 | + const char *hostname; | ||
219 | + svn_boolean_t expected; | ||
220 | +}; | ||
221 | + | ||
222 | +static svn_error_t * | ||
223 | +run_cert_match_dns_tests(struct cert_match_dns_test *tests, apr_pool_t *pool) | ||
224 | +{ | ||
225 | + struct cert_match_dns_test *ct; | ||
226 | + apr_pool_t *iterpool = svn_pool_create(pool); | ||
227 | + | ||
228 | + for (ct = tests; ct->pattern; ct++) | ||
229 | + { | ||
230 | + svn_boolean_t result; | ||
231 | + svn_string_t *pattern, *hostname; | ||
232 | + | ||
233 | + svn_pool_clear(iterpool); | ||
234 | + | ||
235 | + pattern = svn_string_create(ct->pattern, iterpool); | ||
236 | + hostname = svn_string_create(ct->hostname, iterpool); | ||
237 | + | ||
238 | + result = svn_cert__match_dns_identity(pattern, hostname); | ||
239 | + if (result != ct->expected) | ||
240 | + return svn_error_createf(SVN_ERR_TEST_FAILED, NULL, | ||
241 | + "Expected %s but got %s for pattern '%s' on " | ||
242 | + "hostname '%s'", | ||
243 | + ct->expected ? "match" : "no match", | ||
244 | + result ? "match" : "no match", | ||
245 | + pattern->data, hostname->data); | ||
246 | + | ||
247 | + } | ||
248 | + | ||
249 | + svn_pool_destroy(iterpool); | ||
250 | + | ||
251 | + return SVN_NO_ERROR; | ||
252 | +} | ||
253 | + | ||
254 | +static struct cert_match_dns_test cert_match_dns_tests[] = { | ||
255 | + { "foo.example.com", "foo.example.com", TRUE }, /* exact match */ | ||
256 | + { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */ | ||
257 | + { "FOO.EXAMPLE.COM", "foo.example.com", TRUE }, | ||
258 | + { "*.example.com", "FoO.ExAmPlE.CoM", TRUE }, | ||
259 | + { "*.ExAmPlE.CoM", "foo.example.com", TRUE }, | ||
260 | + { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE }, | ||
261 | + { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE }, | ||
262 | + { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */ | ||
263 | + { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */ | ||
264 | + { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */ | ||
265 | + { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */ | ||
266 | + { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */ | ||
267 | + { "foo.example.com", "foo.example.comcom", FALSE }, | ||
268 | + { "foo.example.com.com", "foo.example.com", FALSE }, | ||
269 | + { "foo.example.com", "foo.example.com.com", FALSE }, | ||
270 | + { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */ | ||
271 | + { "foo.example.com", "foofoo.example.com", FALSE }, | ||
272 | + { "foo.foo.example.com", "foo.example.com", FALSE }, | ||
273 | + { "foo.example.com", "foo.foo.example.com", FALSE }, | ||
274 | + { "foo.*.example.com", "foo.bar.example.com", FALSE }, /* RFC 6125 s. 6.4.3 | ||
275 | + Rule 1 */ | ||
276 | + { "*.example.com", "foo.example.com", TRUE }, /* RFC 6125 s. 6.4.3 Rule 2 */ | ||
277 | + { "*.example.com", "bar.foo.example.com", FALSE }, /* Rule 2 */ | ||
278 | + { "*.example.com", "example.com", FALSE }, /* Rule 2 */ | ||
279 | + { "*.example.com", ".example.com", FALSE }, /* RFC doesn't say what to do | ||
280 | + here and a leading period on | ||
281 | + a hostname doesn't make sense | ||
282 | + so we'll just reject this. */ | ||
283 | + { "*", "foo.example.com", FALSE }, /* wildcard must be left-most label, | ||
284 | + implies that there must be more than | ||
285 | + one label. */ | ||
286 | + { "*", "example.com", FALSE }, | ||
287 | + { "*", "com", FALSE }, | ||
288 | + { "*.example.com", "foo.example.net", FALSE }, /* difference in literal text | ||
289 | + with a wildcard. */ | ||
290 | + { "*.com", "example.com", TRUE }, /* See Errata ID 3090 for RFC 6125, | ||
291 | + probably shouldn't allow this but | ||
292 | + we do for now. */ | ||
293 | + { "*.", "example.com", FALSE }, /* test some dubious 2 character wildcard | ||
294 | + patterns */ | ||
295 | + { "*.", "example.", TRUE }, /* This one feels questionable */ | ||
296 | + { "*.", "example", FALSE }, | ||
297 | + { "*.", ".", FALSE }, | ||
298 | + { "a", "a", TRUE }, /* check that single letter exact matches work */ | ||
299 | + { "a", "b", FALSE }, /* and single letter not matches shouldn't */ | ||
300 | + { "*.*.com", "foo.example.com", FALSE }, /* unsupported wildcards */ | ||
301 | + { "*.*.com", "example.com", FALSE }, | ||
302 | + { "**.example.com", "foo.example.com", FALSE }, | ||
303 | + { "**.example.com", "example.com", FALSE }, | ||
304 | + { "f*.example.com", "foo.example.com", FALSE }, | ||
305 | + { "f*.example.com", "bar.example.com", FALSE }, | ||
306 | + { "*o.example.com", "foo.example.com", FALSE }, | ||
307 | + { "*o.example.com", "bar.example.com", FALSE }, | ||
308 | + { "f*o.example.com", "foo.example.com", FALSE }, | ||
309 | + { "f*o.example.com", "bar.example.com", FALSE }, | ||
310 | + { "foo.e*.com", "foo.example.com", FALSE }, | ||
311 | + { "foo.*e.com", "foo.example.com", FALSE }, | ||
312 | + { "foo.e*e.com", "foo.example.com", FALSE }, | ||
313 | + { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */ | ||
314 | + { "*.example.com", "foo.example.com.", TRUE }, | ||
315 | + { "foo", "foo.", TRUE }, | ||
316 | + { "foo.example.com.", "foo.example.com", FALSE }, | ||
317 | + { "*.example.com.", "foo.example.com", FALSE }, | ||
318 | + { "foo.", "foo", FALSE }, | ||
319 | + { "foo.example.com", "foo.example.com..", FALSE }, | ||
320 | + { "*.example.com", "foo.example.com..", FALSE }, | ||
321 | + { "foo", "foo..", FALSE }, | ||
322 | + { "foo.example.com..", "foo.example.com", FALSE }, | ||
323 | + { "*.example.com..", "foo.example.com", FALSE }, | ||
324 | + { "foo..", "foo", FALSE }, | ||
325 | + { NULL } | ||
326 | +}; | ||
327 | + | ||
328 | +static svn_error_t * | ||
329 | +test_cert_match_dns_identity(apr_pool_t *pool) | ||
330 | +{ | ||
331 | + return run_cert_match_dns_tests(cert_match_dns_tests, pool); | ||
332 | +} | ||
333 | + | ||
334 | +/* This test table implements results that should happen if we supported | ||
335 | + * RFC 6125 s. 6.4.3 Rule 3. We don't so it's expected to fail for now. */ | ||
336 | +static struct cert_match_dns_test rule3_tests[] = { | ||
337 | + { "baz*.example.net", "baz1.example.net", TRUE }, | ||
338 | + { "*baz.example.net", "foobaz.example.net", TRUE }, | ||
339 | + { "b*z.example.net", "buuz.example.net", TRUE }, | ||
340 | + { "b*z.example.net", "bz.example.net", FALSE }, /* presume wildcard can't | ||
341 | + match nothing */ | ||
342 | + { "baz*.example.net", "baz.example.net", FALSE }, | ||
343 | + { "*baz.example.net", "baz.example.net", FALSE }, | ||
344 | + { "b*z.example.net", "buuzuuz.example.net", TRUE }, /* presume wildcard | ||
345 | + should be greedy */ | ||
346 | + { NULL } | ||
347 | +}; | ||
348 | + | ||
349 | +static svn_error_t * | ||
350 | +test_rule3(apr_pool_t *pool) | ||
351 | +{ | ||
352 | + return run_cert_match_dns_tests(rule3_tests, pool); | ||
353 | +} | ||
354 | + | ||
355 | |||
356 | /* The test table. */ | ||
357 | |||
358 | @@ -1699,5 +1839,7 @@ struct svn_test_descriptor_t test_funcs[] = | ||
359 | SVN_TEST_PASS(test_uri_local_style), | ||
360 | SVN_TEST_PASS(test_dirent_internal_style), | ||
361 | SVN_TEST_PASS(test_uri_internal_style), | ||
362 | + SVN_TEST_PASS(test_cert_match_dns_identity), | ||
363 | + SVN_TEST_XFAIL(test_rule3), | ||
364 | SVN_TEST_NULL | ||
365 | }; | ||
366 | diff --git a/subversion/include/private/svn_cert.h b/subversion/include/private/svn_cert.h | ||
367 | new file mode 100644 | ||
368 | index 0000000..32e32a0 | ||
369 | --- /dev/null | ||
370 | +++ b/subversion/include/private/svn_cert.h | ||
371 | @@ -0,0 +1,68 @@ | ||
372 | +/** | ||
373 | + * @copyright | ||
374 | + * ==================================================================== | ||
375 | + * Licensed to the Apache Software Foundation (ASF) under one | ||
376 | + * or more contributor license agreements. See the NOTICE file | ||
377 | + * distributed with this work for additional information | ||
378 | + * regarding copyright ownership. The ASF licenses this file | ||
379 | + * to you under the Apache License, Version 2.0 (the | ||
380 | + * "License"); you may not use this file except in compliance | ||
381 | + * with the License. You may obtain a copy of the License at | ||
382 | + * | ||
383 | + * http://www.apache.org/licenses/LICENSE-2.0 | ||
384 | + * | ||
385 | + * Unless required by applicable law or agreed to in writing, | ||
386 | + * software distributed under the License is distributed on an | ||
387 | + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
388 | + * KIND, either express or implied. See the License for the | ||
389 | + * specific language governing permissions and limitations | ||
390 | + * under the License. | ||
391 | + * ==================================================================== | ||
392 | + * @endcopyright | ||
393 | + * | ||
394 | + * @file svn_cert.h | ||
395 | + * @brief Implementation of certificate validation functions | ||
396 | + */ | ||
397 | + | ||
398 | +#ifndef SVN_CERT_H | ||
399 | +#define SVN_CERT_H | ||
400 | + | ||
401 | +#include <apr.h> | ||
402 | + | ||
403 | +#include "svn_types.h" | ||
404 | +#include "svn_string.h" | ||
405 | + | ||
406 | +#ifdef __cplusplus | ||
407 | +extern "C" { | ||
408 | +#endif /* __cplusplus */ | ||
409 | + | ||
410 | + | ||
411 | +/* Return TRUE iff @a pattern matches @a hostname as defined | ||
412 | + * by the matching rules of RFC 6125. In the context of RFC | ||
413 | + * 6125 the pattern is the domain name portion of the presented | ||
414 | + * identifier (which comes from the Common Name or a DNSName | ||
415 | + * portion of the subjectAltName of an X.509 certificate) and | ||
416 | + * the hostname is the source domain (i.e. the host portion | ||
417 | + * of the URI the user entered). | ||
418 | + * | ||
419 | + * @note With respect to wildcards we only support matching | ||
420 | + * wildcards in the left-most label and as the only character | ||
421 | + * in the left-most label (i.e. we support RFC 6125 ยง 6.4.3 | ||
422 | + * Rule 1 and 2 but not the optional Rule 3). This may change | ||
423 | + * in the future. | ||
424 | + * | ||
425 | + * @note Subversion does not at current support internationalized | ||
426 | + * domain names. Both values are presumed to be in NR-LDH label | ||
427 | + * or A-label form (see RFC 5890 for the definition). | ||
428 | + * | ||
429 | + * @since New in 1.9. | ||
430 | + */ | ||
431 | +svn_boolean_t | ||
432 | +svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname); | ||
433 | + | ||
434 | + | ||
435 | +#ifdef __cplusplus | ||
436 | +} | ||
437 | +#endif /* __cplusplus */ | ||
438 | + | ||
439 | +#endif /* SVN_CERT_H */ | ||
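--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
+index ff50270..c511d04 100644
+--- a/subversion/libsvn_subr/config_auth.c.old
++++ b/subversion/libsvn_subr/config_auth.c
+@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
+if (kind == svn_node_file)
+{
+svn_stream_t *stream;
++ svn_string_t *stored_realm;
+
+SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+_("Unable to open auth file for reading"));
+@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
+apr_psprintf(pool, _("Error parsing '%s'"),
+svn_path_local_style(auth_path, pool)));
+
++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
++ APR_HASH_KEY_STRING);
++
++ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
++ *hash = NULL; /* Hash collision, or somebody tampering with storage */
++
+SVN_ERR(svn_stream_close(stream));
+}
+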
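Review bot: The patch header (lines 1-4 of the new file) says only `Upstream-Status: Backport` and names neither the upstream revision nor what the added check defends against; the CVE id lives solely in the file name, so someone auditing the recipe cannot tell why cached auth data is now discarded. A header line such as `CVE-2014-3528: compare the realm string stored in the auth file with the requested realm before returning cached credentials; on mismatch *hash is set to NULL so a colliding or tampered auth file yields nothing.` plus the upstream revision would make the backport traceable. The check itself is placed after the file has parsed successfully and before `svn_stream_close`, which looks right; note that `realmstring` is presumably a parameter of `svn_config_read_auth_data`, which starts and ends outside the patch's hunks. The header should also say this patch is shared by the `subversion_1.6.15.bb` and `subversion_1.8.9.bb` recipes added in this commit, since a context change in one version silently affects the other.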
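--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -0,0 +1,48 @@
+SUMMARY = "Subversion (svn) version control system client"
+SECTION = "console/network"
+DEPENDS = "apr-util neon sqlite3"
+RDEPENDS_${PN} = "neon"
+LICENSE = "Apache-2"
+HOMEPAGE = "http://subversion.tigris.org"
+
+BBCLASSEXTEND = "native"
+
+PR = "r3"
+
+SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
+file://disable-revision-install.patch \
+file://libtool2.patch \
+file://fix-install-depends.patch \
+file://subversion-CVE-2013-1849.patch \
+file://subversion-CVE-2013-4505.patch \
+file://subversion-CVE-2013-1845.patch \
+file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
+file://subversion-CVE-2013-4277.patch \
+file://subversion-CVE-2014-3522.patch \
+file://subversion-CVE-2014-3528.patch \
+"
+
+SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
+SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=2a69fef414e2cb907b4544298569300b"
+
+PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl"
+
+EXTRA_OECONF = " \
+--without-berkeley-db --without-apxs --without-apache \
+--without-swig --with-apr=${STAGING_BINDIR_CROSS} \
+--with-apr-util=${STAGING_BINDIR_CROSS} \
+ac_cv_path_RUBY=none"
+
+inherit autotools
+
+export LDFLAGS += " -L${STAGING_LIBDIR} "
+
+acpaths = "-I build/ -I build/ac-macros/"
+
+do_configure_prepend () {
+rm -f ${S}/libtool
+rm -f ${S}/build/libtool.m4
+sed -i -e 's:with_sasl="/usr/local":with_sasl="${STAGING_DIR}":' ${S}/build/ac-macros/sasl.m4
+}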
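Review bot: The `sed` in `do_configure_prepend` (line 47) rewrites the literal `with_sasl="/usr/local"` in `build/ac-macros/sasl.m4`, so if that upstream default ever changes the substitution silently becomes a no-op and configure keeps looking for SASL on the host path instead of in the sysroot. A comment stating the intent, `# the upstream macro hard-codes /usr/local as the SASL prefix; point it at the sysroot`, and a guard such as `grep -q 'with_sasl="/usr/local"' ${S}/build/ac-macros/sasl.m4 || bbfatal "sasl.m4 default changed, fix the sed"` would make the failure loud. The two `rm -f` lines above it also lack a why-comment; presumably they drop the bundled libtool so the autotools class regenerates it for the cross toolchain, which is worth one line. The same uncommented `rm`/`sed` sequence appears in `subversion_1.8.9.bb` in this commit.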
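--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@@ -0,0 +1,51 @@
+SUMMARY = "Subversion (svn) version control system client"
+SECTION = "console/network"
+DEPENDS = "apr-util serf sqlite3 file"
+RDEPENDS_${PN} = "serf"
+LICENSE = "Apache-2"
+HOMEPAGE = "http://subversion.tigris.org"
+
+BBCLASSEXTEND = "native"
+
+inherit gettext
+
+SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
+file://libtool2.patch \
+file://disable_macos.patch \
+file://subversion-CVE-2014-3522.patch;striplevel=0 \
+file://subversion-CVE-2014-3528.patch \
+"
+SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
+SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1c2f0119e478700b5428e26386cff923"
+
+PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl"
+PACKAGECONFIG[gnome-keyring] = "--with-gnome-keyring,--without-gnome-keyring,glib-2.0 gnome-keyring"
+
+EXTRA_OECONF = " \
+--without-berkeley-db --without-apxs \
+--without-swig --with-apr=${STAGING_BINDIR_CROSS} \
+--with-apr-util=${STAGING_BINDIR_CROSS} \
+--disable-keychain \
+ac_cv_path_RUBY=none"
+
+inherit autotools
+
+export LDFLAGS += " -L${STAGING_LIBDIR} "
+
+acpaths = "-I build/ -I build/ac-macros/"
+
+do_configure_prepend () {
+rm -f ${S}/libtool
+rm -f ${S}/build/libtool.m4 ${S}/build/ltmain.sh ${S}/build/ltoptions.m4 ${S}/build/ltsugar.m4 ${S}/build/ltversion.m4 ${S}/build/lt~obsolete.m4
+rm -f ${S}/aclocal.m4
+sed -i -e 's:with_sasl="/usr/local":with_sasl="${STAGING_DIR}":' ${S}/build/ac-macros/sasl.m4
+}
+
+#| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_local/libsvn_ra_local-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_repos/libsvn_repos-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| /usr/bin/ld: cannot find -lsvn_delta-1| collect2: ld returned 1 exit status| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_svn/libsvn_ra_svn-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_serf/libsvn_ra_serf-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'
+#| x86_64-linux-libtool: install: error: relink `libsvn_ra_serf-1.la' with the above command before installing it
+#| x86_64-linux-libtool: install: warning: `../../subversion/libsvn_repos/libsvn_repos-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'
+#| /home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/subversion-1.8.9/build-outputs.mk:1090: recipe for target 'install-serf-lib' failed
+#| make: *** [install-serf-lib] Error 1
+PARALLEL_MAKEINST = ""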
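Review bot: `PARALLEL_MAKEINST = ""` (line 51) is justified only by a pasted build log (lines 46-50), the first of which is a single very long line, so a reader has to reverse-engineer from the `has not been installed` warnings and the `relink` error that a parallel install apparently reaches `install-serf-lib` before the `libsvn_*` libtool archives it links against are installed. A one-line comment placed before the excerpt, `# parallel install can run install-serf-lib before the libsvn_* .la files it relinks against are installed; serialise it (log excerpt below)`, would state the intent, and the excerpt could be trimmed to the `cannot find -lsvn_delta-1` and `relink` lines. `HOMEPAGE` (line 6) still points at tigris.org while `SRC_URI` (line 12) fetches from `${APACHE_MIRROR}`, which is inconsistent metadata worth aligning. The `do_configure_prepend` block (lines 39-44) has the same uncommented `rm`/`sed` sequence as `subversion_1.6.15.bb`, and my note there applies here too.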