2 files changed, 2 insertions, 139 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
deleted file mode 100644
index 0599c2badb..0000000000
--- a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
+++ /dev/null
@@ -1,136 +0,0 @@
------------------------------------------------------------------------
-r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
-Fix CVE-2017-9800.
-See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
-* subversion/libsvn_ra_svn/client.c
-  (svn_ctype.h): Include.
-  (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
-    Expect the 'hostinfo' parameter to be URI-decoded.
-  (is_valid_hostinfo): New.
-  (ra_svn_open): Validate the hostname before using it.
-* subversion/libsvn_subr/config_file.c
-  (svn_config_ensure): Update the example configuration likewise.
-Patch by: philip
-Review by: danielsh
-           stsp
-           astieger (earlier version)
-Upstream-Status: Backport
-http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
-CVE: CVE-2017-9800
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
-Index: subversion/libsvn_subr/config_file.c
-===================================================================
--- subversion/libsvn_subr/config_file.c        (revision 1804690)
-+++ subversion/libsvn_subr/config_file.c        (revision 1804691)
-@@ -1448,12 +1448,12 @@
-         "### passed to the tunnel agent as <user>@<hostname>.)  If the"      NL
-         "### built-in ssh scheme were not predefined, it could be defined"   NL
-         "### as:"                                                            NL
-        "# ssh = $SVN_SSH ssh -q"                                            NL
-+        "# ssh = $SVN_SSH ssh -q --"                                         NL
-         "### If you wanted to define a new 'rsh' scheme, to be used with"    NL
-         "### 'svn+rsh:' URLs, you could do so as follows:"                   NL
-        "# rsh = rsh"                                                        NL
-+        "# rsh = rsh --"                                                     NL
-         "### Or, if you wanted to specify a full path and arguments:"        NL
-        "# rsh = /path/to/rsh -l myusername"                                 NL
-+        "# rsh = /path/to/rsh -l myusername --"                              NL
-         "### On Windows, if you are specifying a full path to a command,"    NL
-         "### use a forward slash (/) or a paired backslash (\\\\) as the"    NL
-         "### path separator.  A single backslash will be treated as an"      NL
-Index: subversion/libsvn_ra_svn/client.c
-===================================================================
--- subversion/libsvn_ra_svn/client.c   (revision 1804690)
-+++ subversion/libsvn_ra_svn/client.c   (revision 1804691)
-@@ -46,6 +46,7 @@
- #include "svn_props.h"
- #include "svn_mergeinfo.h"
- #include "svn_version.h"
-+#include "svn_ctype.h"
- 
- #include "svn_private_config.h"
- 
-@@ -398,7 +399,7 @@
-        * versions have it too. If the user is using some other ssh
-        * implementation that doesn't accept it, they can override it
-        * in the [tunnels] section of the config. */
-      val = "$SVN_SSH ssh -q";
-+      val = "$SVN_SSH ssh -q --";
-     }
- 
-   if (!val || !*val)
-@@ -443,7 +444,7 @@
-   for (n = 0; cmd_argv[n] != NULL; n++)
-     argv[n] = cmd_argv[n];
- 
-  argv[n++] = svn_path_uri_decode(hostinfo, pool);
-+  argv[n++] = hostinfo;
-   argv[n++] = "svnserve";
-   argv[n++] = "-t";
-   argv[n] = NULL;
-@@ -811,7 +812,33 @@
- }
- 
- 
-+/* A simple whitelist to ensure the following are valid:
-+ *   user@server
-+ *   [::1]:22
-+ *   server-name
-+ *   server_name
-+ *   127.0.0.1
-+ * with an extra restriction that a leading '-' is invalid.
-+ */
-+static svn_boolean_t
-+is_valid_hostinfo(const char *hostinfo)
-+{
-+  const char *p = hostinfo;
- 
-+  if (p[0] == '-')
-+    return FALSE;
-+
-+  while (*p)
-+    {
-+      if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
-+        return FALSE;
-+
-+      ++p;
-+    }
-+
-+  return TRUE;
-+}
-+
- static svn_error_t *ra_svn_open(svn_ra_session_t *session,
-                                 const char **corrected_url,
-                                 const char *url,
-@@ -844,8 +871,18 @@
-           || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
-               && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
-                                                tunnel))))
-    SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
-                              result_pool));
-+    {
-+      const char *decoded_hostinfo;
-+
-+      decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
-+
-+      if (!is_valid_hostinfo(decoded_hostinfo))
-+        return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
-+                                 uri.hostinfo);
-+
-+      SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
-+                                config, result_pool));
-+    }
-   else
-     tunnel_argv = NULL;
- 
------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
index 532edeb080..57735f7f86 100644
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
@@ -15,11 +15,10 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
           file://0001-Fix-libtool-name-in-configure.ac.patch \
           file://serfmacro.patch \
-           file://CVE-2017-9800.patch;striplevel=0 \
           "
-SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"
+SRC_URI[md5sum] = "05b0c677681073920f938c1f322e0be2"
-SRC_URI[sha256sum] = "dbcbc51fb634082f009121f2cb64350ce32146612787ffb0f7ced351aacaae19"
+SRC_URI[sha256sum] = "c3b118333ce12e501d509e66bb0a47bcc34d053990acab45559431ac3e491623"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709"

diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch deleted file mode 100644 index 0599c2badb..0000000000 --- a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch +++ /dev/null
@@ -1,136 +0,0 @@
1	------------------------------------------------------------------------
2	r1804691 \| danielsh \| 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) \| 18 lines
3
4	Fix CVE-2017-9800.
5
6	See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
7
8	* subversion/libsvn_ra_svn/client.c
9	(svn_ctype.h): Include.
10	(find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
11	Expect the 'hostinfo' parameter to be URI-decoded.
12	(is_valid_hostinfo): New.
13	(ra_svn_open): Validate the hostname before using it.
14
15	* subversion/libsvn_subr/config_file.c
16	(svn_config_ensure): Update the example configuration likewise.
17
18	Patch by: philip
19	Review by: danielsh
20	stsp
21	astieger (earlier version)
22
23	Upstream-Status: Backport
24	http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
25
26	CVE: CVE-2017-9800
27
28	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
29	---
30	Index: subversion/libsvn_subr/config_file.c
31	===================================================================
32	--- subversion/libsvn_subr/config_file.c (revision 1804690)
33	+++ subversion/libsvn_subr/config_file.c (revision 1804691)
34	@@ -1448,12 +1448,12 @@
35	"### passed to the tunnel agent as <user>@<hostname>.) If the" NL
36	"### built-in ssh scheme were not predefined, it could be defined" NL
37	"### as:" NL
38	- "# ssh = $SVN_SSH ssh -q" NL
39	+ "# ssh = $SVN_SSH ssh -q --" NL
40	"### If you wanted to define a new 'rsh' scheme, to be used with" NL
41	"### 'svn+rsh:' URLs, you could do so as follows:" NL
42	- "# rsh = rsh" NL
43	+ "# rsh = rsh --" NL
44	"### Or, if you wanted to specify a full path and arguments:" NL
45	- "# rsh = /path/to/rsh -l myusername" NL
46	+ "# rsh = /path/to/rsh -l myusername --" NL
47	"### On Windows, if you are specifying a full path to a command," NL
48	"### use a forward slash (/) or a paired backslash (\\\\) as the" NL
49	"### path separator. A single backslash will be treated as an" NL
50	Index: subversion/libsvn_ra_svn/client.c
51	===================================================================
52	--- subversion/libsvn_ra_svn/client.c (revision 1804690)
53	+++ subversion/libsvn_ra_svn/client.c (revision 1804691)
54	@@ -46,6 +46,7 @@
55	#include "svn_props.h"
56	#include "svn_mergeinfo.h"
57	#include "svn_version.h"
58	+#include "svn_ctype.h"
59
60	#include "svn_private_config.h"
61
62	@@ -398,7 +399,7 @@
63	* versions have it too. If the user is using some other ssh
64	* implementation that doesn't accept it, they can override it
65	* in the [tunnels] section of the config. */
66	- val = "$SVN_SSH ssh -q";
67	+ val = "$SVN_SSH ssh -q --";
68	}
69
70	if (!val \|\| !*val)
71	@@ -443,7 +444,7 @@
72	for (n = 0; cmd_argv[n] != NULL; n++)
73	argv[n] = cmd_argv[n];
74
75	- argv[n++] = svn_path_uri_decode(hostinfo, pool);
76	+ argv[n++] = hostinfo;
77	argv[n++] = "svnserve";
78	argv[n++] = "-t";
79	argv[n] = NULL;
80	@@ -811,7 +812,33 @@
81	}
82
83
84	+/* A simple whitelist to ensure the following are valid:
85	+ * user@server
86	+ * [::1]:22
87	+ * server-name
88	+ * server_name
89	+ * 127.0.0.1
90	+ * with an extra restriction that a leading '-' is invalid.
91	+ */
92	+static svn_boolean_t
93	+is_valid_hostinfo(const char *hostinfo)
94	+{
95	+ const char *p = hostinfo;
96
97	+ if (p[0] == '-')
98	+ return FALSE;
99	+
100	+ while (*p)
101	+ {
102	+ if (!svn_ctype_isalnum(p) && !strchr(":.-_[]@", p))
103	+ return FALSE;
104	+
105	+ ++p;
106	+ }
107	+
108	+ return TRUE;
109	+}
110	+
111	static svn_error_t ra_svn_open(svn_ra_session_t session,
112	const char **corrected_url,
113	const char *url,
114	@@ -844,8 +871,18 @@
115	\|\| (callbacks->check_tunnel_func && callbacks->open_tunnel_func
116	&& !callbacks->check_tunnel_func(callbacks->tunnel_baton,
117	tunnel))))
118	- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
119	- result_pool));
120	+ {
121	+ const char *decoded_hostinfo;
122	+
123	+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
124	+
125	+ if (!is_valid_hostinfo(decoded_hostinfo))
126	+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
127	+ uri.hostinfo);
128	+
129	+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
130	+ config, result_pool));
131	+ }
132	else
133	tunnel_argv = NULL;
134
135
136	------------------------------------------------------------------------


diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.7.bb index 532edeb080..57735f7f86 100644 --- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb +++ b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
@@ -15,11 +15,10 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
15	file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \	15	file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
16	file://0001-Fix-libtool-name-in-configure.ac.patch \	16	file://0001-Fix-libtool-name-in-configure.ac.patch \
17	file://serfmacro.patch \	17	file://serfmacro.patch \
18	file://CVE-2017-9800.patch;striplevel=0 \
19	"	18	"
20		19
21	SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"	20	SRC_URI[md5sum] = "05b0c677681073920f938c1f322e0be2"
22	SRC_URI[sha256sum] = "dbcbc51fb634082f009121f2cb64350ce32146612787ffb0f7ced351aacaae19"	21	SRC_URI[sha256sum] = "c3b118333ce12e501d509e66bb0a47bcc34d053990acab45559431ac3e491623"
23		22
24	LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709"	23	LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709"
25		24