summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorWenzong Fan <wenzong.fan@windriver.com>2017-09-07 02:49:06 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-11 17:30:30 +0100
commit3f5906e086d904f48e1790c59cf01c0c94b31b64 (patch)
tree7492f28d8b921c4b2b7424ffe6b4bbdd299875d2 /meta
parentf2a8f94430c8d101cd4344d7099b3ada021d4af6 (diff)
downloadpoky-3f5906e086d904f48e1790c59cf01c0c94b31b64.tar.gz
subversion: fix CVE-2017-9800
A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server(to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. Backport patch from: http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691 Reference: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt (From OE-Core rev: 6e1f8001a0f3c26cce9c692d25987a3c47ff2f74) Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch136
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.9.6.bb1
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
new file mode 100644
index 0000000000..0599c2badb
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
@@ -0,0 +1,136 @@
1------------------------------------------------------------------------
2r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
3
4Fix CVE-2017-9800.
5
6See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
7
8* subversion/libsvn_ra_svn/client.c
9 (svn_ctype.h): Include.
10 (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
11 Expect the 'hostinfo' parameter to be URI-decoded.
12 (is_valid_hostinfo): New.
13 (ra_svn_open): Validate the hostname before using it.
14
15* subversion/libsvn_subr/config_file.c
16 (svn_config_ensure): Update the example configuration likewise.
17
18Patch by: philip
19Review by: danielsh
20 stsp
21 astieger (earlier version)
22
23Upstream-Status: Backport
24http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
25
26CVE: CVE-2017-9800
27
28Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
29---
30Index: subversion/libsvn_subr/config_file.c
31===================================================================
32--- subversion/libsvn_subr/config_file.c (revision 1804690)
33+++ subversion/libsvn_subr/config_file.c (revision 1804691)
34@@ -1448,12 +1448,12 @@
35 "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
36 "### built-in ssh scheme were not predefined, it could be defined" NL
37 "### as:" NL
38- "# ssh = $SVN_SSH ssh -q" NL
39+ "# ssh = $SVN_SSH ssh -q --" NL
40 "### If you wanted to define a new 'rsh' scheme, to be used with" NL
41 "### 'svn+rsh:' URLs, you could do so as follows:" NL
42- "# rsh = rsh" NL
43+ "# rsh = rsh --" NL
44 "### Or, if you wanted to specify a full path and arguments:" NL
45- "# rsh = /path/to/rsh -l myusername" NL
46+ "# rsh = /path/to/rsh -l myusername --" NL
47 "### On Windows, if you are specifying a full path to a command," NL
48 "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
49 "### path separator. A single backslash will be treated as an" NL
50Index: subversion/libsvn_ra_svn/client.c
51===================================================================
52--- subversion/libsvn_ra_svn/client.c (revision 1804690)
53+++ subversion/libsvn_ra_svn/client.c (revision 1804691)
54@@ -46,6 +46,7 @@
55 #include "svn_props.h"
56 #include "svn_mergeinfo.h"
57 #include "svn_version.h"
58+#include "svn_ctype.h"
59
60 #include "svn_private_config.h"
61
62@@ -398,7 +399,7 @@
63 * versions have it too. If the user is using some other ssh
64 * implementation that doesn't accept it, they can override it
65 * in the [tunnels] section of the config. */
66- val = "$SVN_SSH ssh -q";
67+ val = "$SVN_SSH ssh -q --";
68 }
69
70 if (!val || !*val)
71@@ -443,7 +444,7 @@
72 for (n = 0; cmd_argv[n] != NULL; n++)
73 argv[n] = cmd_argv[n];
74
75- argv[n++] = svn_path_uri_decode(hostinfo, pool);
76+ argv[n++] = hostinfo;
77 argv[n++] = "svnserve";
78 argv[n++] = "-t";
79 argv[n] = NULL;
80@@ -811,7 +812,33 @@
81 }
82
83
84+/* A simple whitelist to ensure the following are valid:
85+ * user@server
86+ * [::1]:22
87+ * server-name
88+ * server_name
89+ * 127.0.0.1
90+ * with an extra restriction that a leading '-' is invalid.
91+ */
92+static svn_boolean_t
93+is_valid_hostinfo(const char *hostinfo)
94+{
95+ const char *p = hostinfo;
96
97+ if (p[0] == '-')
98+ return FALSE;
99+
100+ while (*p)
101+ {
102+ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
103+ return FALSE;
104+
105+ ++p;
106+ }
107+
108+ return TRUE;
109+}
110+
111 static svn_error_t *ra_svn_open(svn_ra_session_t *session,
112 const char **corrected_url,
113 const char *url,
114@@ -844,8 +871,18 @@
115 || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
116 && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
117 tunnel))))
118- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
119- result_pool));
120+ {
121+ const char *decoded_hostinfo;
122+
123+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
124+
125+ if (!is_valid_hostinfo(decoded_hostinfo))
126+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
127+ uri.hostinfo);
128+
129+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
130+ config, result_pool));
131+ }
132 else
133 tunnel_argv = NULL;
134
135
136------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
index f49e26a5c8..532edeb080 100644
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
15 file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \ 15 file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
16 file://0001-Fix-libtool-name-in-configure.ac.patch \ 16 file://0001-Fix-libtool-name-in-configure.ac.patch \
17 file://serfmacro.patch \ 17 file://serfmacro.patch \
18 file://CVE-2017-9800.patch;striplevel=0 \
18 " 19 "
19 20
20SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b" 21SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"