diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-04-15 10:49:03 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-29 13:43:28 +0100 |
commit | 896511d56483aa2e14f6623076ed4f5b3e5ef35b (patch) | |
tree | b563909dadaf4d731e50c848b4b7dae998bd7c69 /meta/recipes-devtools | |
parent | 01c613e4bc93655054ca1a58c86b164001ce9f34 (diff) | |
download | poky-896511d56483aa2e14f6623076ed4f5b3e5ef35b.tar.gz |
subversion: fix for Security Advisory CVE-2013-4505
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0
through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass
intended access restrictions and possibly cause a denial of service
(resource consumption) via a relative URL in a REPORT request.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4505
(From OE-Core rev: 02314673619f44e5838ddb65bbe22f9342ee6167)
(From OE-Core rev: d245459306939aef078a89e671ec093e3d6321cd)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
4 files changed, 259 insertions, 1 deletions
diff --git a/meta/recipes-devtools/subversion/subversion-1.7.10/subversion-CVE-2013-4505.patch b/meta/recipes-devtools/subversion/subversion-1.7.10/subversion-CVE-2013-4505.patch new file mode 100644 index 0000000000..a54d6944ed --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion-1.7.10/subversion-CVE-2013-4505.patch | |||
@@ -0,0 +1,130 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Index: tools/server-side/mod_dontdothat/mod_dontdothat.c | ||
4 | =================================================================== | ||
5 | --- a/tools/server-side/mod_dontdothat/mod_dontdothat.c (revision 1239695) | ||
6 | +++ b/tools/server-side/mod_dontdothat/mod_dontdothat.c (revision 1542078) | ||
7 | @@ -30,12 +30,15 @@ | ||
8 | #include <util_filter.h> | ||
9 | #include <ap_config.h> | ||
10 | #include <apr_strings.h> | ||
11 | +#include <apr_uri.h> | ||
12 | |||
13 | #include <expat.h> | ||
14 | |||
15 | #include "mod_dav_svn.h" | ||
16 | #include "svn_string.h" | ||
17 | #include "svn_config.h" | ||
18 | +#include "svn_path.h" | ||
19 | +#include "private/svn_fspath.h" | ||
20 | |||
21 | module AP_MODULE_DECLARE_DATA dontdothat_module; | ||
22 | |||
23 | @@ -161,26 +164,71 @@ | ||
24 | } | ||
25 | } | ||
26 | |||
27 | +/* duplicate of dav_svn__log_err() from mod_dav_svn/util.c */ | ||
28 | +static void | ||
29 | +log_dav_err(request_rec *r, | ||
30 | + dav_error *err, | ||
31 | + int level) | ||
32 | +{ | ||
33 | + dav_error *errscan; | ||
34 | + | ||
35 | + /* Log the errors */ | ||
36 | + /* ### should have a directive to log the first or all */ | ||
37 | + for (errscan = err; errscan != NULL; errscan = errscan->prev) { | ||
38 | + apr_status_t status; | ||
39 | + | ||
40 | + if (errscan->desc == NULL) | ||
41 | + continue; | ||
42 | + | ||
43 | +#if AP_MODULE_MAGIC_AT_LEAST(20091119,0) | ||
44 | + status = errscan->aprerr; | ||
45 | +#else | ||
46 | + status = errscan->save_errno; | ||
47 | +#endif | ||
48 | + | ||
49 | + ap_log_rerror(APLOG_MARK, level, status, r, | ||
50 | + "%s [%d, #%d]", | ||
51 | + errscan->desc, errscan->status, errscan->error_id); | ||
52 | + } | ||
53 | +} | ||
54 | + | ||
55 | static svn_boolean_t | ||
56 | is_this_legal(dontdothat_filter_ctx *ctx, const char *uri) | ||
57 | { | ||
58 | const char *relative_path; | ||
59 | const char *cleaned_uri; | ||
60 | const char *repos_name; | ||
61 | + const char *uri_path; | ||
62 | int trailing_slash; | ||
63 | dav_error *derr; | ||
64 | |||
65 | - /* Ok, so we need to skip past the scheme, host, etc. */ | ||
66 | - uri = ap_strstr_c(uri, "://"); | ||
67 | - if (uri) | ||
68 | - uri = ap_strchr_c(uri + 3, '/'); | ||
69 | + /* uri can be an absolute uri or just a path, we only want the path to match | ||
70 | + * against */ | ||
71 | + if (uri && svn_path_is_url(uri)) | ||
72 | + { | ||
73 | + apr_uri_t parsed_uri; | ||
74 | + apr_status_t rv = apr_uri_parse(ctx->r->pool, uri, &parsed_uri); | ||
75 | + if (APR_SUCCESS != rv) | ||
76 | + { | ||
77 | + /* Error parsing the URI, log and reject request. */ | ||
78 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, ctx->r, | ||
79 | + "mod_dontdothat: blocked request after failing " | ||
80 | + "to parse uri: '%s'", uri); | ||
81 | + return FALSE; | ||
82 | + } | ||
83 | + uri_path = parsed_uri.path; | ||
84 | + } | ||
85 | + else | ||
86 | + { | ||
87 | + uri_path = uri; | ||
88 | + } | ||
89 | |||
90 | - if (uri) | ||
91 | + if (uri_path) | ||
92 | { | ||
93 | const char *repos_path; | ||
94 | |||
95 | derr = dav_svn_split_uri(ctx->r, | ||
96 | - uri, | ||
97 | + uri_path, | ||
98 | ctx->cfg->base_path, | ||
99 | &cleaned_uri, | ||
100 | &trailing_slash, | ||
101 | @@ -194,7 +242,7 @@ | ||
102 | if (! repos_path) | ||
103 | repos_path = ""; | ||
104 | |||
105 | - repos_path = apr_psprintf(ctx->r->pool, "/%s", repos_path); | ||
106 | + repos_path = svn_fspath__canonicalize(repos_path, ctx->r->pool); | ||
107 | |||
108 | /* First check the special cases that are always legal... */ | ||
109 | for (idx = 0; idx < ctx->allow_recursive_ops->nelts; ++idx) | ||
110 | @@ -228,7 +276,20 @@ | ||
111 | } | ||
112 | } | ||
113 | } | ||
114 | + else | ||
115 | + { | ||
116 | + log_dav_err(ctx->r, derr, APLOG_ERR); | ||
117 | + return FALSE; | ||
118 | + } | ||
119 | + | ||
120 | } | ||
121 | + else | ||
122 | + { | ||
123 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, | ||
124 | + "mod_dontdothat: empty uri passed to is_this_legal(), " | ||
125 | + "module bug?"); | ||
126 | + return FALSE; | ||
127 | + } | ||
128 | |||
129 | return TRUE; | ||
130 | } | ||
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch new file mode 100644 index 0000000000..7d73a6b2f3 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch | |||
@@ -0,0 +1,127 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | --- ./contrib/server-side/mod_dontdothat/mod_dontdothat.c.old 2014-04-15 10:18:54.692655905 +0800 | ||
4 | +++ ./contrib/server-side/mod_dontdothat/mod_dontdothat.c 2014-04-15 10:29:55.559603676 +0800 | ||
5 | @@ -25,12 +25,15 @@ | ||
6 | #include <util_filter.h> | ||
7 | #include <ap_config.h> | ||
8 | #include <apr_strings.h> | ||
9 | +#include <apr_uri.h> | ||
10 | |||
11 | #include <expat.h> | ||
12 | |||
13 | #include "mod_dav_svn.h" | ||
14 | #include "svn_string.h" | ||
15 | #include "svn_config.h" | ||
16 | +#include "svn_path.h" | ||
17 | +#include "private/svn_fspath.h" | ||
18 | |||
19 | module AP_MODULE_DECLARE_DATA dontdothat_module; | ||
20 | |||
21 | @@ -156,26 +159,71 @@ matches(const char *wc, const char *p) | ||
22 | } | ||
23 | } | ||
24 | |||
25 | +/* duplicate of dav_svn__log_err() from mod_dav_svn/util.c */ | ||
26 | +static void | ||
27 | +log_dav_err(request_rec *r, | ||
28 | + dav_error *err, | ||
29 | + int level) | ||
30 | +{ | ||
31 | + dav_error *errscan; | ||
32 | + | ||
33 | + /* Log the errors */ | ||
34 | + /* ### should have a directive to log the first or all */ | ||
35 | + for (errscan = err; errscan != NULL; errscan = errscan->prev) { | ||
36 | + apr_status_t status; | ||
37 | + | ||
38 | + if (errscan->desc == NULL) | ||
39 | + continue; | ||
40 | + | ||
41 | +#if AP_MODULE_MAGIC_AT_LEAST(20091119,0) | ||
42 | + status = errscan->aprerr; | ||
43 | +#else | ||
44 | + status = errscan->save_errno; | ||
45 | +#endif | ||
46 | + | ||
47 | + ap_log_rerror(APLOG_MARK, level, status, r, | ||
48 | + "%s [%d, #%d]", | ||
49 | + errscan->desc, errscan->status, errscan->error_id); | ||
50 | + } | ||
51 | +} | ||
52 | + | ||
53 | static svn_boolean_t | ||
54 | is_this_legal(dontdothat_filter_ctx *ctx, const char *uri) | ||
55 | { | ||
56 | const char *relative_path; | ||
57 | const char *cleaned_uri; | ||
58 | const char *repos_name; | ||
59 | + const char *uri_path; | ||
60 | int trailing_slash; | ||
61 | dav_error *derr; | ||
62 | |||
63 | - /* Ok, so we need to skip past the scheme, host, etc. */ | ||
64 | - uri = ap_strstr_c(uri, "://"); | ||
65 | - if (uri) | ||
66 | - uri = ap_strchr_c(uri + 3, '/'); | ||
67 | + /* uri can be an absolute uri or just a path, we only want the path to match | ||
68 | + * against */ | ||
69 | + if (uri && svn_path_is_url(uri)) | ||
70 | + { | ||
71 | + apr_uri_t parsed_uri; | ||
72 | + apr_status_t rv = apr_uri_parse(ctx->r->pool, uri, &parsed_uri); | ||
73 | + if (APR_SUCCESS != rv) | ||
74 | + { | ||
75 | + /* Error parsing the URI, log and reject request. */ | ||
76 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, ctx->r, | ||
77 | + "mod_dontdothat: blocked request after failing " | ||
78 | + "to parse uri: '%s'", uri); | ||
79 | + return FALSE; | ||
80 | + } | ||
81 | + uri_path = parsed_uri.path; | ||
82 | + } | ||
83 | + else | ||
84 | + { | ||
85 | + uri_path = uri; | ||
86 | + } | ||
87 | |||
88 | - if (uri) | ||
89 | + if (uri_path) | ||
90 | { | ||
91 | const char *repos_path; | ||
92 | |||
93 | derr = dav_svn_split_uri(ctx->r, | ||
94 | - uri, | ||
95 | + uri_path, | ||
96 | ctx->cfg->base_path, | ||
97 | &cleaned_uri, | ||
98 | &trailing_slash, | ||
99 | @@ -189,7 +237,7 @@ is_this_legal(dontdothat_filter_ctx *ctx | ||
100 | if (! repos_path) | ||
101 | repos_path = ""; | ||
102 | |||
103 | - repos_path = apr_psprintf(ctx->r->pool, "/%s", repos_path); | ||
104 | + repos_path = svn_fspath__canonicalize(repos_path, ctx->r->pool); | ||
105 | |||
106 | /* First check the special cases that are always legal... */ | ||
107 | for (idx = 0; idx < ctx->allow_recursive_ops->nelts; ++idx) | ||
108 | @@ -223,6 +271,19 @@ is_this_legal(dontdothat_filter_ctx *ctx | ||
109 | } | ||
110 | } | ||
111 | } | ||
112 | + else | ||
113 | + { | ||
114 | + log_dav_err(ctx->r, derr, APLOG_ERR); | ||
115 | + return FALSE; | ||
116 | + } | ||
117 | + | ||
118 | + } | ||
119 | + else | ||
120 | + { | ||
121 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, | ||
122 | + "mod_dontdothat: empty uri passed to is_this_legal(), " | ||
123 | + "module bug?"); | ||
124 | + return FALSE; | ||
125 | } | ||
126 | |||
127 | return TRUE; | ||
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb index 74cd149750..cb362765ab 100644 --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb | |||
@@ -14,7 +14,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \ | |||
14 | file://libtool2.patch \ | 14 | file://libtool2.patch \ |
15 | file://fix-install-depends.patch \ | 15 | file://fix-install-depends.patch \ |
16 | file://subversion-CVE-2013-1849.patch \ | 16 | file://subversion-CVE-2013-1849.patch \ |
17 | " | 17 | file://subversion-CVE-2013-4505.patch" |
18 | 18 | ||
19 | SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" | 19 | SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" |
20 | SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45" | 20 | SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45" |
diff --git a/meta/recipes-devtools/subversion/subversion_1.7.10.bb b/meta/recipes-devtools/subversion/subversion_1.7.10.bb index acef3bd62d..011d51b613 100644 --- a/meta/recipes-devtools/subversion/subversion_1.7.10.bb +++ b/meta/recipes-devtools/subversion/subversion_1.7.10.bb | |||
@@ -14,6 +14,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ | |||
14 | file://fix-install-depends.patch \ | 14 | file://fix-install-depends.patch \ |
15 | file://allow-updated-neon.patch \ | 15 | file://allow-updated-neon.patch \ |
16 | file://neon.m4-fix-includes-and-cflags.patch \ | 16 | file://neon.m4-fix-includes-and-cflags.patch \ |
17 | file://subversion-CVE-2013-4505.patch \ | ||
17 | " | 18 | " |
18 | SRC_URI[md5sum] = "4088a77e14232876c9b4ff1541e6e200" | 19 | SRC_URI[md5sum] = "4088a77e14232876c9b4ff1541e6e200" |
19 | SRC_URI[sha256sum] = "c1df222bec83d014d17785e2ceba6bc80962f64b280967de0285836d8d77a8e7" | 20 | SRC_URI[sha256sum] = "c1df222bec83d014d17785e2ceba6bc80962f64b280967de0285836d8d77a8e7" |