subversion: fix CVE-2017-9800

A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server(to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. Backport patch from: http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691 Reference: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt (From OE-Core rev: 6e1f8001a0f3c26cce9c692d25987a3c47ff2f74) Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Wenzong Fan <wenzong.fan@windriver.com> 2017-09-07 02:49:06 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-11 17:30:30 +0100
commit: 3f5906e086d904f48e1790c59cf01c0c94b31b64 (patch)
tree: 7492f28d8b921c4b2b7424ffe6b4bbdd299875d2 /meta/recipes-devtools
parent: f2a8f94430c8d101cd4344d7099b3ada021d4af6 (diff)
download: poky-3f5906e086d904f48e1790c59cf01c0c94b31b64.tar.gz
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
new file mode 100644
index 0000000000..0599c2badb
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
@@ -0,0 +1,136 @@
+------------------------------------------------------------------------
+r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
+Fix CVE-2017-9800.
+See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
+* subversion/libsvn_ra_svn/client.c
+  (svn_ctype.h): Include.
+  (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
+    Expect the 'hostinfo' parameter to be URI-decoded.
+  (is_valid_hostinfo): New.
+  (ra_svn_open): Validate the hostname before using it.
+* subversion/libsvn_subr/config_file.c
+  (svn_config_ensure): Update the example configuration likewise.
+Patch by: philip
+Review by: danielsh
+           stsp
+           astieger (earlier version)
+Upstream-Status: Backport
+http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
+CVE: CVE-2017-9800
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c        (revision 1804690)
+++ subversion/libsvn_subr/config_file.c        (revision 1804691)
+@@ -1448,12 +1448,12 @@
+         "### passed to the tunnel agent as <user>@<hostname>.)  If the"      NL
+         "### built-in ssh scheme were not predefined, it could be defined"   NL
+         "### as:"                                                            NL
+-        "# ssh = $SVN_SSH ssh -q"                                            NL
+        "# ssh = $SVN_SSH ssh -q --"                                         NL
+         "### If you wanted to define a new 'rsh' scheme, to be used with"    NL
+         "### 'svn+rsh:' URLs, you could do so as follows:"                   NL
+-        "# rsh = rsh"                                                        NL
+        "# rsh = rsh --"                                                     NL
+         "### Or, if you wanted to specify a full path and arguments:"        NL
+-        "# rsh = /path/to/rsh -l myusername"                                 NL
+        "# rsh = /path/to/rsh -l myusername --"                              NL
+         "### On Windows, if you are specifying a full path to a command,"    NL
+         "### use a forward slash (/) or a paired backslash (\\\\) as the"    NL
+         "### path separator.  A single backslash will be treated as an"      NL
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c   (revision 1804690)
+++ subversion/libsvn_ra_svn/client.c   (revision 1804691)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
+#include "svn_ctype.h"
+ 
+ #include "svn_private_config.h"
+ 
+@@ -398,7 +399,7 @@
+        * versions have it too. If the user is using some other ssh
+        * implementation that doesn't accept it, they can override it
+        * in the [tunnels] section of the config. */
+-      val = "$SVN_SSH ssh -q";
+      val = "$SVN_SSH ssh -q --";
+     }
+ 
+   if (!val || !*val)
+@@ -443,7 +444,7 @@
+   for (n = 0; cmd_argv[n] != NULL; n++)
+     argv[n] = cmd_argv[n];
+ 
+-  argv[n++] = svn_path_uri_decode(hostinfo, pool);
+  argv[n++] = hostinfo;
+   argv[n++] = "svnserve";
+   argv[n++] = "-t";
+   argv[n] = NULL;
+@@ -811,7 +812,33 @@
+ }
+ 
+ 
+/* A simple whitelist to ensure the following are valid:
+ *   user@server
+ *   [::1]:22
+ *   server-name
+ *   server_name
+ *   127.0.0.1
+ * with an extra restriction that a leading '-' is invalid.
+ */
+static svn_boolean_t
+is_valid_hostinfo(const char *hostinfo)
+{
+  const char *p = hostinfo;
+ 
+  if (p[0] == '-')
+    return FALSE;
+
+  while (*p)
+    {
+      if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
+        return FALSE;
+
+      ++p;
+    }
+
+  return TRUE;
+}
+
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+                                 const char **corrected_url,
+                                 const char *url,
+@@ -844,8 +871,18 @@
+           || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
+               && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
+                                                tunnel))))
+-    SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+-                              result_pool));
+    {
+      const char *decoded_hostinfo;
+
+      decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
+
+      if (!is_valid_hostinfo(decoded_hostinfo))
+        return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
+                                 uri.hostinfo);
+
+      SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
+                                config, result_pool));
+    }
+   else
+     tunnel_argv = NULL;
+ 
+------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
index f49e26a5c8..532edeb080 100644
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
           file://0001-Fix-libtool-name-in-configure.ac.patch \
           file://serfmacro.patch \
+           file://CVE-2017-9800.patch;striplevel=0 \
           "
 SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"
author	Wenzong Fan <wenzong.fan@windriver.com>	2017-09-07 02:49:06 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-11 17:30:30 +0100
commit	3f5906e086d904f48e1790c59cf01c0c94b31b64 (patch)
tree	7492f28d8b921c4b2b7424ffe6b4bbdd299875d2 /meta/recipes-devtools
parent	f2a8f94430c8d101cd4344d7099b3ada021d4af6 (diff)
download	poky-3f5906e086d904f48e1790c59cf01c0c94b31b64.tar.gz

diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch new file mode 100644 index 0000000000..0599c2badb --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
@@ -0,0 +1,136 @@
		1	------------------------------------------------------------------------
		2	r1804691 \| danielsh \| 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) \| 18 lines
		3
		4	Fix CVE-2017-9800.
		5
		6	See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
		7
		8	* subversion/libsvn_ra_svn/client.c
		9	(svn_ctype.h): Include.
		10	(find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
		11	Expect the 'hostinfo' parameter to be URI-decoded.
		12	(is_valid_hostinfo): New.
		13	(ra_svn_open): Validate the hostname before using it.
		14
		15	* subversion/libsvn_subr/config_file.c
		16	(svn_config_ensure): Update the example configuration likewise.
		17
		18	Patch by: philip
		19	Review by: danielsh
		20	stsp
		21	astieger (earlier version)
		22
		23	Upstream-Status: Backport
		24	http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
		25
		26	CVE: CVE-2017-9800
		27
		28	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		29	---
		30	Index: subversion/libsvn_subr/config_file.c
		31	===================================================================
		32	--- subversion/libsvn_subr/config_file.c (revision 1804690)
		33	+++ subversion/libsvn_subr/config_file.c (revision 1804691)
		34	@@ -1448,12 +1448,12 @@
		35	"### passed to the tunnel agent as <user>@<hostname>.) If the" NL
		36	"### built-in ssh scheme were not predefined, it could be defined" NL
		37	"### as:" NL
		38	- "# ssh = $SVN_SSH ssh -q" NL
		39	+ "# ssh = $SVN_SSH ssh -q --" NL
		40	"### If you wanted to define a new 'rsh' scheme, to be used with" NL
		41	"### 'svn+rsh:' URLs, you could do so as follows:" NL
		42	- "# rsh = rsh" NL
		43	+ "# rsh = rsh --" NL
		44	"### Or, if you wanted to specify a full path and arguments:" NL
		45	- "# rsh = /path/to/rsh -l myusername" NL
		46	+ "# rsh = /path/to/rsh -l myusername --" NL
		47	"### On Windows, if you are specifying a full path to a command," NL
		48	"### use a forward slash (/) or a paired backslash (\\\\) as the" NL
		49	"### path separator. A single backslash will be treated as an" NL
		50	Index: subversion/libsvn_ra_svn/client.c
		51	===================================================================
		52	--- subversion/libsvn_ra_svn/client.c (revision 1804690)
		53	+++ subversion/libsvn_ra_svn/client.c (revision 1804691)
		54	@@ -46,6 +46,7 @@
		55	#include "svn_props.h"
		56	#include "svn_mergeinfo.h"
		57	#include "svn_version.h"
		58	+#include "svn_ctype.h"
		59
		60	#include "svn_private_config.h"
		61
		62	@@ -398,7 +399,7 @@
		63	* versions have it too. If the user is using some other ssh
		64	* implementation that doesn't accept it, they can override it
		65	* in the [tunnels] section of the config. */
		66	- val = "$SVN_SSH ssh -q";
		67	+ val = "$SVN_SSH ssh -q --";
		68	}
		69
		70	if (!val \|\| !*val)
		71	@@ -443,7 +444,7 @@
		72	for (n = 0; cmd_argv[n] != NULL; n++)
		73	argv[n] = cmd_argv[n];
		74
		75	- argv[n++] = svn_path_uri_decode(hostinfo, pool);
		76	+ argv[n++] = hostinfo;
		77	argv[n++] = "svnserve";
		78	argv[n++] = "-t";
		79	argv[n] = NULL;
		80	@@ -811,7 +812,33 @@
		81	}
		82
		83
		84	+/* A simple whitelist to ensure the following are valid:
		85	+ * user@server
		86	+ * [::1]:22
		87	+ * server-name
		88	+ * server_name
		89	+ * 127.0.0.1
		90	+ * with an extra restriction that a leading '-' is invalid.
		91	+ */
		92	+static svn_boolean_t
		93	+is_valid_hostinfo(const char *hostinfo)
		94	+{
		95	+ const char *p = hostinfo;
		96
		97	+ if (p[0] == '-')
		98	+ return FALSE;
		99	+
		100	+ while (*p)
		101	+ {
		102	+ if (!svn_ctype_isalnum(p) && !strchr(":.-_[]@", p))
		103	+ return FALSE;
		104	+
		105	+ ++p;
		106	+ }
		107	+
		108	+ return TRUE;
		109	+}
		110	+
		111	static svn_error_t ra_svn_open(svn_ra_session_t session,
		112	const char **corrected_url,
		113	const char *url,
		114	@@ -844,8 +871,18 @@
		115	\|\| (callbacks->check_tunnel_func && callbacks->open_tunnel_func
		116	&& !callbacks->check_tunnel_func(callbacks->tunnel_baton,
		117	tunnel))))
		118	- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
		119	- result_pool));
		120	+ {
		121	+ const char *decoded_hostinfo;
		122	+
		123	+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
		124	+
		125	+ if (!is_valid_hostinfo(decoded_hostinfo))
		126	+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
		127	+ uri.hostinfo);
		128	+
		129	+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
		130	+ config, result_pool));
		131	+ }
		132	else
		133	tunnel_argv = NULL;
		134
		135
		136	------------------------------------------------------------------------


diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.6.bb index f49e26a5c8..532edeb080 100644 --- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb +++ b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
15	file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \	15	file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
16	file://0001-Fix-libtool-name-in-configure.ac.patch \	16	file://0001-Fix-libtool-name-in-configure.ac.patch \
17	file://serfmacro.patch \	17	file://serfmacro.patch \
		18	file://CVE-2017-9800.patch;striplevel=0 \
18	"	19	"
19		20
20	SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"	21	SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"