author | Wenzong Fan <wenzong.fan@windriver.com> | 2017-09-07 02:49:06 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-11 17:30:30 +0100 |
commit | 3f5906e086d904f48e1790c59cf01c0c94b31b64 (patch) | |
tree | 7492f28d8b921c4b2b7424ffe6b4bbdd299875d2 /meta | |
parent | f2a8f94430c8d101cd4344d7099b3ada021d4af6 (diff) | |
download | poky-3f5906e086d904f48e1790c59cf01c0c94b31b64.tar.gz |
subversion: fix CVE-2017-9800
A maliciously constructed svn+ssh:// URL would cause Subversion clients
before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3
to run an arbitrary shell command. Such a URL could be generated by a
malicious server, by a malicious user committing to an honest server (to
attack another user of that server's repositories), or by a proxy
server.
The vulnerability affects all clients, including those that use
file://, http://, and plain (untunneled) svn://.
Backport patch from:
http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
Reference:
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
(From OE-Core rev: 6e1f8001a0f3c26cce9c692d25987a3c47ff2f74)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch | 136 | ||||
-rw-r--r-- | meta/recipes-devtools/subversion/subversion_1.9.6.bb | 1 |
2 files changed, 137 insertions, 0 deletions
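--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
@@ -0,0 +1,136 @@
+------------------------------------------------------------------------
+r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
+
+Fix CVE-2017-9800.
+
+See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
+
+* subversion/libsvn_ra_svn/client.c
+(svn_ctype.h): Include.
+(find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
+Expect the 'hostinfo' parameter to be URI-decoded.
+(is_valid_hostinfo): New.
+(ra_svn_open): Validate the hostname before using it.
+
+* subversion/libsvn_subr/config_file.c
+(svn_config_ensure): Update the example configuration likewise.
+
+Patch by: philip
+Review by: danielsh
+stsp
+astieger (earlier version)
+
+Upstream-Status: Backport
+http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
+
+CVE: CVE-2017-9800
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c (revision 1804690)
++++ subversion/libsvn_subr/config_file.c (revision 1804691)
+@@ -1448,12 +1448,12 @@
+"### passed to the tunnel agent as <user>@<hostname>.) If the" NL
+"### built-in ssh scheme were not predefined, it could be defined" NL
+"### as:" NL
+- "# ssh = $SVN_SSH ssh -q" NL
++ "# ssh = $SVN_SSH ssh -q --" NL
+"### If you wanted to define a new 'rsh' scheme, to be used with" NL
+"### 'svn+rsh:' URLs, you could do so as follows:" NL
+- "# rsh = rsh" NL
++ "# rsh = rsh --" NL
+"### Or, if you wanted to specify a full path and arguments:" NL
+- "# rsh = /path/to/rsh -l myusername" NL
++ "# rsh = /path/to/rsh -l myusername --" NL
+"### On Windows, if you are specifying a full path to a command," NL
+"### use a forward slash (/) or a paired backslash (\\\\) as the" NL
+"### path separator. A single backslash will be treated as an" NL
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c (revision 1804690)
++++ subversion/libsvn_ra_svn/client.c (revision 1804691)
+@@ -46,6 +46,7 @@
+#include "svn_props.h"
+#include "svn_mergeinfo.h"
+#include "svn_version.h"
++#include "svn_ctype.h"
+
+#include "svn_private_config.h"
+
+@@ -398,7 +399,7 @@
+* versions have it too. If the user is using some other ssh
+* implementation that doesn't accept it, they can override it
+* in the [tunnels] section of the config. */
+- val = "$SVN_SSH ssh -q";
++ val = "$SVN_SSH ssh -q --";
+}
+
+if (!val || !*val)
+@@ -443,7 +444,7 @@
+for (n = 0; cmd_argv[n] != NULL; n++)
+argv[n] = cmd_argv[n];
+
+- argv[n++] = svn_path_uri_decode(hostinfo, pool);
++ argv[n++] = hostinfo;
+argv[n++] = "svnserve";
+argv[n++] = "-t";
+argv[n] = NULL;
+@@ -811,7 +812,33 @@
+}
+
+
++/* A simple whitelist to ensure the following are valid:
++ * user@server
++ * [::1]:22
++ * server-name
++ * server_name
++ * 127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++ const char *p = hostinfo;
+
++ if (p[0] == '-')
++ return FALSE;
++
++ while (*p)
++ {
++ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++ return FALSE;
++
++ ++p;
++ }
++
++ return TRUE;
++}
++
+static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+const char **corrected_url,
+const char *url,
+@@ -844,8 +871,18 @@
+|| (callbacks->check_tunnel_func && callbacks->open_tunnel_func
+&& !callbacks->check_tunnel_func(callbacks->tunnel_baton,
+tunnel))))
+- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+- result_pool));
++ {
++ const char *decoded_hostinfo;
++
++ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
++
++ if (!is_valid_hostinfo(decoded_hostinfo))
++ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++ uri.hostinfo);
++
++ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++ config, result_pool));
++ }
+else
+tunnel_argv = NULL;
+
+
+------------------------------------------------------------------------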
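Review bot: The comment above `is_valid_hostinfo` does not say that this whitelist is the only check protecting tunnel commands that lack the new `--` guard. The guard is added only to the built-in default in `find_tunnel_agent` and to the example text in `svn_config_ensure`, so a tunnel command already defined in a user's `[tunnels]` section appears to be used as written. I would add a line to the comment such as `* This check, not the "--" guard, is what protects user-defined tunnel commands.` The leading-'-' test also inspects only the first byte of the whole string, so a host part that begins with '-' after a `user@` prefix passes the whitelist; if that is not intended, `if (p[0] == '-' || strstr(p, "@-")) return FALSE;` would reject it. Separately, the `See:` line in the patch header names CVE-2017-0800, while the rest of the patch and the commit description use CVE-2017-9800.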
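--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
 file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
 file://0001-Fix-libtool-name-in-configure.ac.patch \
 file://serfmacro.patch \
+file://CVE-2017-9800.patch;striplevel=0 \
 "
 
 SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"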