summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRoy Li <rongqing.li@windriver.com>2015-04-28 08:24:59 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-04-30 23:04:17 +0100
commit24609d9b60f1c64b78c9989b0c6644f3c2895da0 (patch)
tree935c3ad921b8c017c0a70051d75b8ac0083614e5 /meta
parentc1ac5a800e82026b0735334e29169e628b7545ae (diff)
downloadpoky-24609d9b60f1c64b78c9989b0c6644f3c2895da0.tar.gz
subversion: remove 1.6.X recipes
Removing the 1.6.X recipes, since there is a new version 1.8.X recipes, and hope that all projects already upgraded their premirror caches to use new format (From OE-Core rev: 65c4dcbefbe118eb1b04335d7d6171236a1315c2) Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/subversion/subversion/disable-revision-install.patch36
-rw-r--r--meta/recipes-devtools/subversion/subversion/fix-install-depends.patch45
-rw-r--r--meta/recipes-devtools/subversion/subversion/libtool2.patch17
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch171
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch53
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch25
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch15
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch127
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch439
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch29
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.6.15.bb48
11 files changed, 0 insertions, 1005 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/disable-revision-install.patch b/meta/recipes-devtools/subversion/subversion/disable-revision-install.patch
deleted file mode 100644
index 66450fab9f..0000000000
--- a/meta/recipes-devtools/subversion/subversion/disable-revision-install.patch
+++ /dev/null
@@ -1,36 +0,0 @@
1Upstream-Status: Inappropriate [embedded specific]
2
3Index: subversion-1.6.15/Makefile.in
4===================================================================
5--- subversion-1.6.15.orig/Makefile.in 2010-11-17 06:47:23.000000000 -0800
6+++ subversion-1.6.15/Makefile.in 2011-01-31 10:11:07.358779686 -0800
7@@ -305,7 +305,7 @@
8 clean: external-clean local-clean
9 distclean: external-distclean local-distclean
10 extraclean: external-extraclean local-extraclean
11-install: external-install local-install revision-install
12+install: external-install local-install #revision-install
13
14 @INCLUDE_OUTPUTS@
15
16@@ -363,13 +363,13 @@
17 local-install: @INSTALL_RULES@
18
19 ### HACK!! Find a better way to do this
20-revision-install:
21- test -d $(DESTDIR)$(includedir)/subversion-1 || \
22- $(MKDIR) $(DESTDIR)$(includedir)/subversion-1
23- (subversion/svnversion/svnversion $(top_srcdir) || \
24- svnversion $(top_srcdir) || \
25- echo "unknown"; \
26- ) > $(DESTDIR)$(includedir)/subversion-1/svn-revision.txt
27+#revision-install:
28+# test -d $(DESTDIR)$(includedir)/subversion-1 || \
29+# $(MKDIR) $(DESTDIR)$(includedir)/subversion-1
30+# (subversion/svnversion/svnversion $(top_srcdir) || \
31+# svnversion $(top_srcdir) || \
32+# echo "unknown"; \
33+# ) > $(DESTDIR)$(includedir)/subversion-1/svn-revision.txt
34
35 install-static: @INSTALL_STATIC_RULES@
36
diff --git a/meta/recipes-devtools/subversion/subversion/fix-install-depends.patch b/meta/recipes-devtools/subversion/subversion/fix-install-depends.patch
deleted file mode 100644
index 6f49ed4bf2..0000000000
--- a/meta/recipes-devtools/subversion/subversion/fix-install-depends.patch
+++ /dev/null
@@ -1,45 +0,0 @@
1install-neon-lib should depend on libsvn_delta's installation
2
3install-neon-lib needs libsvn_delta-1.la which will be regenerated
4during libsvn_delta-1.la's installation, if libsvn_delta-1.la is
5in regenerating and at the same time install-neon-lib links it, the
6error willl happen.
7
8Let install-neon-lib run after libsvn_delta-1.la is installed will fix
9the problem.
10
11Upstream-Status: Pending
12
13Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
14---
15 build-outputs.mk | 2 +-
16 build.conf | 2 ++
17 2 files changed, 3 insertions(+), 1 deletion(-)
18
19diff --git a/build-outputs.mk b/build-outputs.mk
20--- a/build-outputs.mk
21+++ b/build-outputs.mk
22@@ -979,7 +979,7 @@ install-locale: subversion/po/de.mo subversion/po/es.mo subversion/po/fr.mo subv
23 $(MKDIR) $(DESTDIR)$(localedir)/zh_TW/LC_MESSAGES
24 cd subversion/po ; $(INSTALL_LOCALE) zh_TW.mo $(DESTDIR)$(localedir)/zh_TW/LC_MESSAGES/$(PACKAGE_NAME).mo
25
26-install-neon-lib: subversion/libsvn_ra_neon/libsvn_ra_neon-1.la
27+install-neon-lib: subversion/libsvn_ra_neon/libsvn_ra_neon-1.la $(SVN_FS_LIB_INSTALL_DEPS)
28 $(MKDIR) $(DESTDIR)$(neon_libdir)
29 cd subversion/libsvn_ra_neon ; $(INSTALL_NEON_LIB) libsvn_ra_neon-1.la $(DESTDIR)$(neon_libdir)/libsvn_ra_neon-1.la
30
31diff --git a/build.conf b/build.conf
32--- a/build.conf
33+++ b/build.conf
34@@ -272,6 +272,8 @@ type = ra-module
35 path = subversion/libsvn_ra_neon
36 install = neon-lib
37 libs = libsvn_delta libsvn_subr aprutil apriconv apr neon
38+# conditionally add more dependencies
39+add-install-deps = $(SVN_FS_LIB_INSTALL_DEPS)
40 msvc-static = yes
41
42 # Accessing repositories via DAV through serf
43--
441.7.10.4
45
diff --git a/meta/recipes-devtools/subversion/subversion/libtool2.patch b/meta/recipes-devtools/subversion/subversion/libtool2.patch
deleted file mode 100644
index 32f88b7987..0000000000
--- a/meta/recipes-devtools/subversion/subversion/libtool2.patch
+++ /dev/null
@@ -1,17 +0,0 @@
1Upstream-Status: Inappropriate [embedded specific]
2
3Index: subversion-1.5.5/configure.ac
4===================================================================
5--- subversion-1.5.5.orig/configure.ac 2008-08-26 18:27:56.000000000 +0100
6+++ subversion-1.5.5/configure.ac 2009-01-07 18:00:47.000000000 +0000
7@@ -153,8 +153,8 @@
8 LIBTOOL="$sh_libtool"
9 SVN_LIBTOOL="$sh_libtool"
10 else
11- sh_libtool="$abs_builddir/libtool"
12- SVN_LIBTOOL="\$(SHELL) $sh_libtool"
13+ sh_libtool="$abs_builddir/$host_alias-libtool"
14+ SVN_LIBTOOL="\$(SHELL) \$(abs_builddir)/$host_alias-libtool"
15 dnl libtoolize requires that the following line not be indented
16 ifdef([LT_INIT], [LT_INIT], [AC_PROG_LIBTOOL])
17 fi
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
deleted file mode 100644
index 29aeea5017..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1845.patch
+++ /dev/null
@@ -1,171 +0,0 @@
1Upstream-Status: Backport
2
3Index: subversion/mod_dav_svn/dav_svn.h
4===================================================================
5--- a/subversion/mod_dav_svn/dav_svn.h (revision 1461956)
6+++ b/subversion/mod_dav_svn/dav_svn.h (working copy)
7@@ -254,6 +254,9 @@ struct dav_resource_private {
8 interface (ie: /path/to/item?p=PEGREV]? */
9 svn_boolean_t pegged;
10
11+ /* Cache any revprop change error */
12+ svn_error_t *revprop_error;
13+
14 /* Pool to allocate temporary data from */
15 apr_pool_t *pool;
16 };
17Index: subversion/mod_dav_svn/deadprops.c
18===================================================================
19--- a/subversion/mod_dav_svn/deadprops.c (revision 1461956)
20+++ b/subversion/mod_dav_svn/deadprops.c (working copy)
21@@ -49,8 +49,7 @@ struct dav_db {
22
23
24 struct dav_deadprop_rollback {
25- dav_prop_name name;
26- svn_string_t value;
27+ int dummy;
28 };
29
30
31@@ -134,6 +133,7 @@ save_value(dav_db *db, const dav_prop_name *name,
32 {
33 const char *propname;
34 svn_error_t *serr;
35+ apr_pool_t *subpool;
36
37 /* get the repos-local name */
38 get_repos_propname(db, name, &propname);
39@@ -151,10 +151,14 @@ save_value(dav_db *db, const dav_prop_name *name,
40 }
41
42 /* Working Baseline or Working (Version) Resource */
43+
44+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
45+ PROPPATCH with multiple values. */
46+ subpool = svn_pool_create(db->resource->pool);
47 if (db->resource->baselined)
48 if (db->resource->working)
49 serr = svn_repos_fs_change_txn_prop(db->resource->info->root.txn,
50- propname, value, db->resource->pool);
51+ propname, value, subpool);
52 else
53 {
54 /* ### VIOLATING deltaV: you can't proppatch a baseline, it's
55@@ -168,19 +172,29 @@ save_value(dav_db *db, const dav_prop_name *name,
56 propname, value, TRUE, TRUE,
57 db->authz_read_func,
58 db->authz_read_baton,
59- db->resource->pool);
60+ subpool);
61
62+ /* mod_dav doesn't handle the returned error very well, it
63+ generates its own generic error that will be returned to
64+ the client. Cache the detailed error here so that it can
65+ be returned a second time when the rollback mechanism
66+ triggers. */
67+ if (serr)
68+ db->resource->info->revprop_error = svn_error_dup(serr);
69+
70 /* Tell the logging subsystem about the revprop change. */
71 dav_svn__operational_log(db->resource->info,
72 svn_log__change_rev_prop(
73 db->resource->info->root.rev,
74 propname,
75- db->resource->pool));
76+ subpool));
77 }
78 else
79 serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
80 get_repos_path(db->resource->info),
81- propname, value, db->resource->pool);
82+ propname, value, subpool);
83+ svn_pool_destroy(subpool);
84+
85 if (serr != NULL)
86 return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
87 NULL,
88@@ -395,6 +409,7 @@ db_remove(dav_db *db, const dav_prop_name *name)
89 {
90 svn_error_t *serr;
91 const char *propname;
92+ apr_pool_t *subpool;
93
94 /* get the repos-local name */
95 get_repos_propname(db, name, &propname);
96@@ -403,6 +418,10 @@ db_remove(dav_db *db, const dav_prop_name *name)
97 if (propname == NULL)
98 return NULL;
99
100+ /* A subpool to cope with mod_dav making multiple calls, e.g. during
101+ PROPPATCH with multiple values. */
102+ subpool = svn_pool_create(db->resource->pool);
103+
104 /* Working Baseline or Working (Version) Resource */
105 if (db->resource->baselined)
106 if (db->resource->working)
107@@ -419,11 +438,12 @@ db_remove(dav_db *db, const dav_prop_name *name)
108 propname, NULL, TRUE, TRUE,
109 db->authz_read_func,
110 db->authz_read_baton,
111- db->resource->pool);
112+ subpool);
113 else
114 serr = svn_repos_fs_change_node_prop(db->resource->info->root.root,
115 get_repos_path(db->resource->info),
116- propname, NULL, db->resource->pool);
117+ propname, NULL, subpool);
118+ svn_pool_destroy(subpool);
119 if (serr != NULL)
120 return dav_svn__convert_err(serr, HTTP_INTERNAL_SERVER_ERROR,
121 "could not remove a property",
122@@ -598,19 +618,14 @@ db_get_rollback(dav_db *db,
123 const dav_prop_name *name,
124 dav_deadprop_rollback **prollback)
125 {
126- dav_error *err;
127- dav_deadprop_rollback *ddp;
128- svn_string_t *propval;
129+ /* This gets called by mod_dav in preparation for a revprop change.
130+ mod_dav_svn doesn't need to make any changes during rollback, but
131+ we want the rollback mechanism to trigger. Making changes in
132+ response to post-revprop-change hook errors would be positively
133+ wrong. */
134
135- if ((err = get_value(db, name, &propval)) != NULL)
136- return err;
137+ *prollback = apr_palloc(db->p, sizeof(dav_deadprop_rollback));
138
139- ddp = apr_palloc(db->p, sizeof(*ddp));
140- ddp->name = *name;
141- ddp->value.data = propval ? propval->data : NULL;
142- ddp->value.len = propval ? propval->len : 0;
143-
144- *prollback = ddp;
145 return NULL;
146 }
147
148@@ -618,12 +633,20 @@ db_get_rollback(dav_db *db,
149 static dav_error *
150 db_apply_rollback(dav_db *db, dav_deadprop_rollback *rollback)
151 {
152- if (rollback->value.data == NULL)
153- {
154- return db_remove(db, &rollback->name);
155- }
156+ dav_error *derr;
157
158- return save_value(db, &rollback->name, &rollback->value);
159+ if (! db->resource->info->revprop_error)
160+ return NULL;
161+
162+ /* Returning the original revprop change error here will cause this
163+ detailed error to get returned to the client in preference to the
164+ more generic error created by mod_dav. */
165+ derr = dav_svn__convert_err(db->resource->info->revprop_error,
166+ HTTP_INTERNAL_SERVER_ERROR, NULL,
167+ db->resource->pool);
168+ db->resource->info->revprop_error = NULL;
169+
170+ return derr;
171 }
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch
deleted file mode 100644
index f49b9a43a6..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1847-CVE-2013-1846.patch
+++ /dev/null
@@ -1,53 +0,0 @@
1Upstream-Status: Backport
2
3Index: subversion/mod_dav_svn/lock.c
4===================================================================
5--- a/subversion/mod_dav_svn/lock.c (revision 1459696)
6+++ b/subversion/mod_dav_svn/lock.c (working copy)
7@@ -634,7 +634,20 @@ append_locks(dav_lockdb *lockdb,
8 svn_lock_t *slock;
9 svn_error_t *serr;
10 dav_error *derr;
11+ dav_svn_repos *repos = resource->info->repos;
12+
13+ /* We don't allow anonymous locks */
14+ if (! repos->username)
15+ return dav_new_error(resource->pool, HTTP_UNAUTHORIZED,
16+ DAV_ERR_LOCK_SAVE_LOCK,
17+ "Anonymous lock creation is not allowed.");
18
19+ /* Not a path in the repository so can't lock it. */
20+ if (! resource->info->repos_path)
21+ return dav_new_error(resource->pool, HTTP_BAD_REQUEST,
22+ DAV_ERR_LOCK_SAVE_LOCK,
23+ "Attempted to lock path not in repository.");
24+
25 /* If the resource's fs path is unreadable, we don't allow a lock to
26 be created on it. */
27 if (! dav_svn__allow_read_resource(resource, SVN_INVALID_REVNUM,
28@@ -657,7 +670,6 @@ append_locks(dav_lockdb *lockdb,
29 svn_fs_txn_t *txn;
30 svn_fs_root_t *txn_root;
31 const char *conflict_msg;
32- dav_svn_repos *repos = resource->info->repos;
33 apr_hash_t *revprop_table = apr_hash_make(resource->pool);
34 apr_hash_set(revprop_table, SVN_PROP_REVISION_AUTHOR,
35 APR_HASH_KEY_STRING, svn_string_create(repos->username,
36@@ -734,7 +746,7 @@ append_locks(dav_lockdb *lockdb,
37
38 /* Convert the dav_lock into an svn_lock_t. */
39 derr = dav_lock_to_svn_lock(&slock, lock, resource->info->repos_path,
40- info, resource->info->repos->is_svn_client,
41+ info, repos->is_svn_client,
42 resource->pool);
43 if (derr)
44 return derr;
45@@ -741,7 +753,7 @@ append_locks(dav_lockdb *lockdb,
46
47 /* Now use the svn_lock_t to actually perform the lock. */
48 serr = svn_repos_fs_lock(&slock,
49- resource->info->repos->repos,
50+ repos->repos,
51 slock->path,
52 slock->token,
53 slock->comment,
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch
deleted file mode 100644
index 734f9b02e4..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-1849.patch
+++ /dev/null
@@ -1,25 +0,0 @@
1Upstream-Status: Backport
2
3--- a/subversion/mod_dav_svn/liveprops.c
4+++ b/subversion/mod_dav_svn/liveprops.c
5@@ -410,7 +410,8 @@ insert_prop(const dav_resource *resource
6 svn_filesize_t len = 0;
7
8 /* our property, but not defined on collection resources */
9- if (resource->collection || resource->baselined)
10+ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
11+ || resource->collection || resource->baselined)
12 return DAV_PROP_INSERT_NOTSUPP;
13
14 serr = svn_fs_file_length(&len, resource->info->root.root,
15@@ -434,7 +435,9 @@ insert_prop(const dav_resource *resource
16 svn_string_t *pval;
17 const char *mime_type = NULL;
18
19- if (resource->baselined && resource->type == DAV_RESOURCE_TYPE_VERSION)
20+ if (resource->type == DAV_RESOURCE_TYPE_ACTIVITY
21+ || (resource->baselined
22+ && resource->type == DAV_RESOURCE_TYPE_VERSION))
23 return DAV_PROP_INSERT_NOTSUPP;
24
25 if (resource->type == DAV_RESOURCE_TYPE_PRIVATE
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch
deleted file mode 100644
index 21b8ef0c3b..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4277.patch
+++ /dev/null
@@ -1,15 +0,0 @@
1Upstream-Status: Backport
2
3--- a/subversion/svnserve/main.c
4+++ b/subversion/svnserve/main.c
5@@ -403,8 +403,9 @@ static svn_error_t *write_pid_file(const
6 const char *contents = apr_psprintf(pool, "%" APR_PID_T_FMT "\n",
7 getpid());
8
9+ SVN_ERR(svn_io_remove_file(filename, pool));
10 SVN_ERR(svn_io_file_open(&file, filename,
11- APR_WRITE | APR_CREATE | APR_TRUNCATE,
12+ APR_WRITE | APR_CREATE | APR_EXCL,
13 APR_OS_DEFAULT, pool));
14 SVN_ERR(svn_io_file_write_full(file, contents, strlen(contents), NULL,
15 pool));
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch
deleted file mode 100644
index 7d73a6b2f3..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2013-4505.patch
+++ /dev/null
@@ -1,127 +0,0 @@
1Upstream-Status: Backport
2
3--- ./contrib/server-side/mod_dontdothat/mod_dontdothat.c.old 2014-04-15 10:18:54.692655905 +0800
4+++ ./contrib/server-side/mod_dontdothat/mod_dontdothat.c 2014-04-15 10:29:55.559603676 +0800
5@@ -25,12 +25,15 @@
6 #include <util_filter.h>
7 #include <ap_config.h>
8 #include <apr_strings.h>
9+#include <apr_uri.h>
10
11 #include <expat.h>
12
13 #include "mod_dav_svn.h"
14 #include "svn_string.h"
15 #include "svn_config.h"
16+#include "svn_path.h"
17+#include "private/svn_fspath.h"
18
19 module AP_MODULE_DECLARE_DATA dontdothat_module;
20
21@@ -156,26 +159,71 @@ matches(const char *wc, const char *p)
22 }
23 }
24
25+/* duplicate of dav_svn__log_err() from mod_dav_svn/util.c */
26+static void
27+log_dav_err(request_rec *r,
28+ dav_error *err,
29+ int level)
30+{
31+ dav_error *errscan;
32+
33+ /* Log the errors */
34+ /* ### should have a directive to log the first or all */
35+ for (errscan = err; errscan != NULL; errscan = errscan->prev) {
36+ apr_status_t status;
37+
38+ if (errscan->desc == NULL)
39+ continue;
40+
41+#if AP_MODULE_MAGIC_AT_LEAST(20091119,0)
42+ status = errscan->aprerr;
43+#else
44+ status = errscan->save_errno;
45+#endif
46+
47+ ap_log_rerror(APLOG_MARK, level, status, r,
48+ "%s [%d, #%d]",
49+ errscan->desc, errscan->status, errscan->error_id);
50+ }
51+}
52+
53 static svn_boolean_t
54 is_this_legal(dontdothat_filter_ctx *ctx, const char *uri)
55 {
56 const char *relative_path;
57 const char *cleaned_uri;
58 const char *repos_name;
59+ const char *uri_path;
60 int trailing_slash;
61 dav_error *derr;
62
63- /* Ok, so we need to skip past the scheme, host, etc. */
64- uri = ap_strstr_c(uri, "://");
65- if (uri)
66- uri = ap_strchr_c(uri + 3, '/');
67+ /* uri can be an absolute uri or just a path, we only want the path to match
68+ * against */
69+ if (uri && svn_path_is_url(uri))
70+ {
71+ apr_uri_t parsed_uri;
72+ apr_status_t rv = apr_uri_parse(ctx->r->pool, uri, &parsed_uri);
73+ if (APR_SUCCESS != rv)
74+ {
75+ /* Error parsing the URI, log and reject request. */
76+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, ctx->r,
77+ "mod_dontdothat: blocked request after failing "
78+ "to parse uri: '%s'", uri);
79+ return FALSE;
80+ }
81+ uri_path = parsed_uri.path;
82+ }
83+ else
84+ {
85+ uri_path = uri;
86+ }
87
88- if (uri)
89+ if (uri_path)
90 {
91 const char *repos_path;
92
93 derr = dav_svn_split_uri(ctx->r,
94- uri,
95+ uri_path,
96 ctx->cfg->base_path,
97 &cleaned_uri,
98 &trailing_slash,
99@@ -189,7 +237,7 @@ is_this_legal(dontdothat_filter_ctx *ctx
100 if (! repos_path)
101 repos_path = "";
102
103- repos_path = apr_psprintf(ctx->r->pool, "/%s", repos_path);
104+ repos_path = svn_fspath__canonicalize(repos_path, ctx->r->pool);
105
106 /* First check the special cases that are always legal... */
107 for (idx = 0; idx < ctx->allow_recursive_ops->nelts; ++idx)
108@@ -223,6 +271,19 @@ is_this_legal(dontdothat_filter_ctx *ctx
109 }
110 }
111 }
112+ else
113+ {
114+ log_dav_err(ctx->r, derr, APLOG_ERR);
115+ return FALSE;
116+ }
117+
118+ }
119+ else
120+ {
121+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
122+ "mod_dontdothat: empty uri passed to is_this_legal(), "
123+ "module bug?");
124+ return FALSE;
125 }
126
127 return TRUE;
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch
deleted file mode 100644
index 03d5b9710f..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch
+++ /dev/null
@@ -1,439 +0,0 @@
1Upstream-Status: Backport
2
3Signed-off-by: Yue Tao <yue.tao@windriver.com>
4
5diff --git a/subversion/libsvn_ra_serf/util.c.old b/subversion/libsvn_ra_serf/util.c
6index b6c0141..8b09770 100644
7--- a/subversion/libsvn_ra_serf/util.c.old
8+++ b/subversion/libsvn_ra_serf/util.c
9@@ -21,7 +21,6 @@
10 #define APR_WANT_STRFUNC
11 #include <apr.h>
12 #include <apr_want.h>
13-#include <apr_fnmatch.h>
14
15 #include <serf.h>
16 #include <serf_bucket_types.h>
17@@ -30,6 +29,7 @@
18 #include "svn_private_config.h"
19 #include "svn_xml.h"
20 #include "private/svn_dep_compat.h"
21+#include "private/svn_cert.h"
22
23 #include "ra_serf.h"
24
25@@ -113,7 +113,12 @@ ssl_server_cert(void *baton, int failures,
26 apr_uint32_t svn_failures;
27 svn_error_t *err;
28 apr_hash_t *issuer, *subject, *serf_cert;
29+ apr_array_header_t *san;
30 void *creds;
31+ svn_boolean_t found_matching_hostname = FALSE;
32+ svn_boolean_t found_san_entry = FALSE;
33+ svn_string_t *actual_hostname =
34+ svn_string_create(conn->hostname, scratch_pool);
35
36 /* Implicitly approve any non-server certs. */
37 if (serf_ssl_cert_depth(cert) > 0)
38@@ -129,6 +134,7 @@ ssl_server_cert(void *baton, int failures,
39 serf_cert = serf_ssl_cert_certificate(cert, subpool);
40
41 cert_info.hostname = apr_hash_get(subject, "CN", APR_HASH_KEY_STRING);
42+ san = apr_hash_get(serf_cert, "subjectAltName", APR_HASH_KEY_STRING);
43 cert_info.fingerprint = apr_hash_get(serf_cert, "sha1", APR_HASH_KEY_STRING);
44 if (! cert_info.fingerprint)
45 cert_info.fingerprint = apr_pstrdup(subpool, "<unknown>");
46@@ -145,16 +145,43 @@ ssl_server_cert(void *baton, int failures,
47
48 svn_failures = ssl_convert_serf_failures(failures);
49
50- /* Match server certificate CN with the hostname of the server */
51- if (cert_info.hostname)
52+ /* Try to find matching server name via subjectAltName first... */
53+ if (san)
54 {
55- if (apr_fnmatch(cert_info.hostname, conn->hostinfo,
56- APR_FNM_PERIOD) == APR_FNM_NOMATCH)
57+ int i;
58+ found_san_entry = san->nelts > 0;
59+ for (i = 0; i < san->nelts; i++)
60 {
61- svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
62+ char *s = APR_ARRAY_IDX(san, i, char*);
63+ svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
64+
65+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
66+ {
67+ found_matching_hostname = TRUE;
68+ cert_info.hostname = s;
69+ break;
70+ }
71 }
72 }
73
74+ /* Match server certificate CN with the hostname of the server iff
75+ * we didn't find any subjectAltName fields and try to match them.
76+ * Per RFC 2818 they are authoritative if present and CommonName
77+ * should be ignored. */
78+ if (!found_matching_hostname && !found_san_entry && cert_info.hostname)
79+ {
80+ svn_string_t *cert_hostname = svn_string_create(cert_info.hostname,
81+ scratch_pool);
82+
83+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
84+ {
85+ found_matching_hostname = TRUE;
86+ }
87+ }
88+
89+ if (!found_matching_hostname)
90+ svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
91+
92 svn_auth_set_parameter(conn->session->wc_callbacks->auth_baton,
93 SVN_AUTH_PARAM_SSL_SERVER_FAILURES,
94 &svn_failures);
95@@ -261,6 +293,10 @@ svn_ra_serf__conn_setup(apr_socket_t *sock,
96 if (!conn->ssl_context)
97 {
98 conn->ssl_context = serf_bucket_ssl_encrypt_context_get(rb);
99+
100+#if SERF_VERSION_AT_LEAST(1,0,0)
101+ serf_ssl_set_hostname(conn->ssl_context, conn->hostinfo);
102+#endif
103
104 serf_ssl_client_cert_provider_set(conn->ssl_context,
105 svn_ra_serf__handle_client_cert,
106diff --git a/subversion/libsvn_subr/dirent_uri.c.old b/subversion/libsvn_subr/dirent_uri.c
107index eef99ba..a5f9e7e 100644
108--- a/subversion/libsvn_subr/dirent_uri.c.old
109+++ b/subversion/libsvn_subr/dirent_uri.c
110@@ -30,6 +30,7 @@
111 #include "svn_path.h"
112
113 #include "private_uri.h"
114+#include "private/svn_cert.h"
115
116 /* The canonical empty path. Can this be changed? Well, change the empty
117 test below and the path library will work, not so sure about the fs/wc
118@@ -1194,3 +1195,81 @@ svn_uri_is_canonical(const char *uri, apr_pool_t *pool)
119
120 return TRUE;
121 }
122+
123+
124+/* -------------- The cert API (see private/svn_cert.h) ------------- */
125+
126+svn_boolean_t
127+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname)
128+{
129+ apr_size_t pattern_pos = 0, hostname_pos = 0;
130+
131+ /* support leading wildcards that composed of the only character in the
132+ * left-most label. */
133+ if (pattern->len >= 2 &&
134+ pattern->data[pattern_pos] == '*' &&
135+ pattern->data[pattern_pos + 1] == '.')
136+ {
137+ while (hostname_pos < hostname->len &&
138+ hostname->data[hostname_pos] != '.')
139+ {
140+ hostname_pos++;
141+ }
142+ /* Assume that the wildcard must match something. Rule 2 says
143+ * that *.example.com should not match example.com. If the wildcard
144+ * ends up not matching anything then it matches .example.com which
145+ * seems to be essentially the same as just example.com */
146+ if (hostname_pos == 0)
147+ return FALSE;
148+
149+ pattern_pos++;
150+ }
151+
152+ while (pattern_pos < pattern->len && hostname_pos < hostname->len)
153+ {
154+ char pattern_c = pattern->data[pattern_pos];
155+ char hostname_c = hostname->data[hostname_pos];
156+
157+ /* fold case as described in RFC 4343.
158+ * Note: We actually convert to lowercase, since our URI
159+ * canonicalization code converts to lowercase and generally
160+ * most certs are issued with lowercase DNS names, meaning
161+ * this avoids the fold operation in most cases. The RFC
162+ * suggests the opposite transformation, but doesn't require
163+ * any specific implementation in any case. It is critical
164+ * that this folding be locale independent so you can't use
165+ * tolower(). */
166+ pattern_c = canonicalize_to_lower(pattern_c);
167+ hostname_c = canonicalize_to_lower(hostname_c);
168+
169+ if (pattern_c != hostname_c)
170+ {
171+ /* doesn't match */
172+ return FALSE;
173+ }
174+ else
175+ {
176+ /* characters match so skip both */
177+ pattern_pos++;
178+ hostname_pos++;
179+ }
180+ }
181+
182+ /* ignore a trailing period on the hostname since this has no effect on the
183+ * security of the matching. See the following for the long explanation as
184+ * to why:
185+ * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
186+ */
187+ if (pattern_pos == pattern->len &&
188+ hostname_pos == hostname->len - 1 &&
189+ hostname->data[hostname_pos] == '.')
190+ hostname_pos++;
191+
192+ if (pattern_pos != pattern->len || hostname_pos != hostname->len)
193+ {
194+ /* end didn't match */
195+ return FALSE;
196+ }
197+
198+ return TRUE;
199+}
200diff --git a/subversion/tests/libsvn_subr/dirent_uri-test.c.old b/subversion/tests/libsvn_subr/dirent_uri-test.c
201index d71d9c1..370b64a 100644
202--- a/subversion/tests/libsvn_subr/dirent_uri-test.c.old
203+++ b/subversion/tests/libsvn_subr/dirent_uri-test.c
204@@ -31,6 +31,7 @@
205
206 #include "svn_pools.h"
207 #include "svn_dirent_uri.h"
208+#include "private/svn_cert.h"
209
210 #include "../svn_test.h"
211 #include "../../libsvn_subr/private_uri.h"
212@@ -1671,6 +1672,145 @@ test_uri_internal_style(const char **msg,
213 return SVN_NO_ERROR;
214 }
215
216+struct cert_match_dns_test {
217+ const char *pattern;
218+ const char *hostname;
219+ svn_boolean_t expected;
220+};
221+
222+static svn_error_t *
223+run_cert_match_dns_tests(struct cert_match_dns_test *tests, apr_pool_t *pool)
224+{
225+ struct cert_match_dns_test *ct;
226+ apr_pool_t *iterpool = svn_pool_create(pool);
227+
228+ for (ct = tests; ct->pattern; ct++)
229+ {
230+ svn_boolean_t result;
231+ svn_string_t *pattern, *hostname;
232+
233+ svn_pool_clear(iterpool);
234+
235+ pattern = svn_string_create(ct->pattern, iterpool);
236+ hostname = svn_string_create(ct->hostname, iterpool);
237+
238+ result = svn_cert__match_dns_identity(pattern, hostname);
239+ if (result != ct->expected)
240+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
241+ "Expected %s but got %s for pattern '%s' on "
242+ "hostname '%s'",
243+ ct->expected ? "match" : "no match",
244+ result ? "match" : "no match",
245+ pattern->data, hostname->data);
246+
247+ }
248+
249+ svn_pool_destroy(iterpool);
250+
251+ return SVN_NO_ERROR;
252+}
253+
254+static struct cert_match_dns_test cert_match_dns_tests[] = {
255+ { "foo.example.com", "foo.example.com", TRUE }, /* exact match */
256+ { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */
257+ { "FOO.EXAMPLE.COM", "foo.example.com", TRUE },
258+ { "*.example.com", "FoO.ExAmPlE.CoM", TRUE },
259+ { "*.ExAmPlE.CoM", "foo.example.com", TRUE },
260+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE },
261+ { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE },
262+ { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */
263+ { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */
264+ { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */
265+ { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */
266+ { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */
267+ { "foo.example.com", "foo.example.comcom", FALSE },
268+ { "foo.example.com.com", "foo.example.com", FALSE },
269+ { "foo.example.com", "foo.example.com.com", FALSE },
270+ { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */
271+ { "foo.example.com", "foofoo.example.com", FALSE },
272+ { "foo.foo.example.com", "foo.example.com", FALSE },
273+ { "foo.example.com", "foo.foo.example.com", FALSE },
274+ { "foo.*.example.com", "foo.bar.example.com", FALSE }, /* RFC 6125 s. 6.4.3
275+ Rule 1 */
276+ { "*.example.com", "foo.example.com", TRUE }, /* RFC 6125 s. 6.4.3 Rule 2 */
277+ { "*.example.com", "bar.foo.example.com", FALSE }, /* Rule 2 */
278+ { "*.example.com", "example.com", FALSE }, /* Rule 2 */
279+ { "*.example.com", ".example.com", FALSE }, /* RFC doesn't say what to do
280+ here and a leading period on
281+ a hostname doesn't make sense
282+ so we'll just reject this. */
283+ { "*", "foo.example.com", FALSE }, /* wildcard must be left-most label,
284+ implies that there must be more than
285+ one label. */
286+ { "*", "example.com", FALSE },
287+ { "*", "com", FALSE },
288+ { "*.example.com", "foo.example.net", FALSE }, /* difference in literal text
289+ with a wildcard. */
290+ { "*.com", "example.com", TRUE }, /* See Errata ID 3090 for RFC 6125,
291+ probably shouldn't allow this but
292+ we do for now. */
293+ { "*.", "example.com", FALSE }, /* test some dubious 2 character wildcard
294+ patterns */
295+ { "*.", "example.", TRUE }, /* This one feels questionable */
296+ { "*.", "example", FALSE },
297+ { "*.", ".", FALSE },
298+ { "a", "a", TRUE }, /* check that single letter exact matches work */
299+ { "a", "b", FALSE }, /* and single letter not matches shouldn't */
300+ { "*.*.com", "foo.example.com", FALSE }, /* unsupported wildcards */
301+ { "*.*.com", "example.com", FALSE },
302+ { "**.example.com", "foo.example.com", FALSE },
303+ { "**.example.com", "example.com", FALSE },
304+ { "f*.example.com", "foo.example.com", FALSE },
305+ { "f*.example.com", "bar.example.com", FALSE },
306+ { "*o.example.com", "foo.example.com", FALSE },
307+ { "*o.example.com", "bar.example.com", FALSE },
308+ { "f*o.example.com", "foo.example.com", FALSE },
309+ { "f*o.example.com", "bar.example.com", FALSE },
310+ { "foo.e*.com", "foo.example.com", FALSE },
311+ { "foo.*e.com", "foo.example.com", FALSE },
312+ { "foo.e*e.com", "foo.example.com", FALSE },
313+ { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */
314+ { "*.example.com", "foo.example.com.", TRUE },
315+ { "foo", "foo.", TRUE },
316+ { "foo.example.com.", "foo.example.com", FALSE },
317+ { "*.example.com.", "foo.example.com", FALSE },
318+ { "foo.", "foo", FALSE },
319+ { "foo.example.com", "foo.example.com..", FALSE },
320+ { "*.example.com", "foo.example.com..", FALSE },
321+ { "foo", "foo..", FALSE },
322+ { "foo.example.com..", "foo.example.com", FALSE },
323+ { "*.example.com..", "foo.example.com", FALSE },
324+ { "foo..", "foo", FALSE },
325+ { NULL }
326+};
327+
328+static svn_error_t *
329+test_cert_match_dns_identity(apr_pool_t *pool)
330+{
331+ return run_cert_match_dns_tests(cert_match_dns_tests, pool);
332+}
333+
334+/* This test table implements results that should happen if we supported
335+ * RFC 6125 s. 6.4.3 Rule 3. We don't so it's expected to fail for now. */
336+static struct cert_match_dns_test rule3_tests[] = {
337+ { "baz*.example.net", "baz1.example.net", TRUE },
338+ { "*baz.example.net", "foobaz.example.net", TRUE },
339+ { "b*z.example.net", "buuz.example.net", TRUE },
340+ { "b*z.example.net", "bz.example.net", FALSE }, /* presume wildcard can't
341+ match nothing */
342+ { "baz*.example.net", "baz.example.net", FALSE },
343+ { "*baz.example.net", "baz.example.net", FALSE },
344+ { "b*z.example.net", "buuzuuz.example.net", TRUE }, /* presume wildcard
345+ should be greedy */
346+ { NULL }
347+};
348+
349+static svn_error_t *
350+test_rule3(apr_pool_t *pool)
351+{
352+ return run_cert_match_dns_tests(rule3_tests, pool);
353+}
354+
355
356 /* The test table. */
357
358@@ -1699,5 +1839,7 @@ struct svn_test_descriptor_t test_funcs[] =
359 SVN_TEST_PASS(test_uri_local_style),
360 SVN_TEST_PASS(test_dirent_internal_style),
361 SVN_TEST_PASS(test_uri_internal_style),
362+ SVN_TEST_PASS(test_cert_match_dns_identity),
363+ SVN_TEST_XFAIL(test_rule3),
364 SVN_TEST_NULL
365 };
366diff --git a/subversion/include/private/svn_cert.h b/subversion/include/private/svn_cert.h
367new file mode 100644
368index 0000000..32e32a0
369--- /dev/null
370+++ b/subversion/include/private/svn_cert.h
371@@ -0,0 +1,68 @@
372+/**
373+ * @copyright
374+ * ====================================================================
375+ * Licensed to the Apache Software Foundation (ASF) under one
376+ * or more contributor license agreements. See the NOTICE file
377+ * distributed with this work for additional information
378+ * regarding copyright ownership. The ASF licenses this file
379+ * to you under the Apache License, Version 2.0 (the
380+ * "License"); you may not use this file except in compliance
381+ * with the License. You may obtain a copy of the License at
382+ *
383+ * http://www.apache.org/licenses/LICENSE-2.0
384+ *
385+ * Unless required by applicable law or agreed to in writing,
386+ * software distributed under the License is distributed on an
387+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
388+ * KIND, either express or implied. See the License for the
389+ * specific language governing permissions and limitations
390+ * under the License.
391+ * ====================================================================
392+ * @endcopyright
393+ *
394+ * @file svn_cert.h
395+ * @brief Implementation of certificate validation functions
396+ */
397+
398+#ifndef SVN_CERT_H
399+#define SVN_CERT_H
400+
401+#include <apr.h>
402+
403+#include "svn_types.h"
404+#include "svn_string.h"
405+
406+#ifdef __cplusplus
407+extern "C" {
408+#endif /* __cplusplus */
409+
410+
411+/* Return TRUE iff @a pattern matches @a hostname as defined
412+ * by the matching rules of RFC 6125. In the context of RFC
413+ * 6125 the pattern is the domain name portion of the presented
414+ * identifier (which comes from the Common Name or a DNSName
415+ * portion of the subjectAltName of an X.509 certificate) and
416+ * the hostname is the source domain (i.e. the host portion
417+ * of the URI the user entered).
418+ *
419+ * @note With respect to wildcards we only support matching
420+ * wildcards in the left-most label and as the only character
421+ * in the left-most label (i.e. we support RFC 6125 ยง 6.4.3
422+ * Rule 1 and 2 but not the optional Rule 3). This may change
423+ * in the future.
424+ *
425+ * @note Subversion does not at current support internationalized
426+ * domain names. Both values are presumed to be in NR-LDH label
427+ * or A-label form (see RFC 5890 for the definition).
428+ *
429+ * @since New in 1.9.
430+ */
431+svn_boolean_t
432+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname);
433+
434+
435+#ifdef __cplusplus
436+}
437+#endif /* __cplusplus */
438+
439+#endif /* SVN_CERT_H */
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
deleted file mode 100644
index 23e738e985..0000000000
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1Upstream-Status: Backport
2
3Signed-off-by: Yue Tao <yue.tao@windriver.com>
4
5diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
6index ff50270..c511d04 100644
7--- a/subversion/libsvn_subr/config_auth.c.old
8+++ b/subversion/libsvn_subr/config_auth.c
9@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
10 if (kind == svn_node_file)
11 {
12 svn_stream_t *stream;
13+ svn_string_t *stored_realm;
14
15 SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
16 _("Unable to open auth file for reading"));
17@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
18 apr_psprintf(pool, _("Error parsing '%s'"),
19 svn_path_local_style(auth_path, pool)));
20
21+ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
22+ APR_HASH_KEY_STRING);
23+
24+ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
25+ *hash = NULL; /* Hash collision, or somebody tampering with storage */
26+
27 SVN_ERR(svn_stream_close(stream));
28 }
29
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
deleted file mode 100644
index 28163e5644..0000000000
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ /dev/null
@@ -1,48 +0,0 @@
1SUMMARY = "Subversion (svn) version control system client"
2SECTION = "console/network"
3DEPENDS = "apr-util neon sqlite3"
4RDEPENDS_${PN} = "neon"
5LICENSE = "Apache-2"
6HOMEPAGE = "http://subversion.tigris.org"
7
8BBCLASSEXTEND = "native"
9
10PR = "r3"
11
12SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
13 file://disable-revision-install.patch \
14 file://libtool2.patch \
15 file://fix-install-depends.patch \
16 file://subversion-CVE-2013-1849.patch \
17 file://subversion-CVE-2013-4505.patch \
18 file://subversion-CVE-2013-1845.patch \
19 file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
20 file://subversion-CVE-2013-4277.patch \
21 file://subversion-CVE-2014-3522.patch \
22 file://subversion-CVE-2014-3528.patch \
23"
24
25SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
26SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"
27
28LIC_FILES_CHKSUM = "file://COPYING;md5=2a69fef414e2cb907b4544298569300b"
29
30PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl"
31
32EXTRA_OECONF = " \
33 --without-berkeley-db --without-apxs \
34 --without-swig --with-apr=${STAGING_BINDIR_CROSS} \
35 --with-apr-util=${STAGING_BINDIR_CROSS} \
36 ac_cv_path_RUBY=none"
37
38inherit autotools
39
40export LDFLAGS += " -L${STAGING_LIBDIR} "
41
42acpaths = "-I build/ -I build/ac-macros/"
43
44do_configure_prepend () {
45 rm -f ${S}/libtool
46 rm -f ${S}/build/libtool.m4
47 sed -i -e 's:with_sasl="/usr/local":with_sasl="${STAGING_DIR}":' ${S}/build/ac-macros/sasl.m4
48}