3 files changed, 31 insertions, 0 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
new file mode 100644
index 0000000000..23e738e985
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
+index ff50270..c511d04 100644
+--- a/subversion/libsvn_subr/config_auth.c.old
+++ b/subversion/libsvn_subr/config_auth.c
+@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
+   if (kind == svn_node_file)
+     {
+       svn_stream_t *stream;
+      svn_string_t *stored_realm;
+ 
+       SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+                 _("Unable to open auth file for reading"));
+@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
+                 apr_psprintf(pool, _("Error parsing '%s'"),
+                              svn_path_local_style(auth_path, pool)));
+ 
+      stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
+                                  APR_HASH_KEY_STRING);
+
+      if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
+        *hash = NULL; /* Hash collision, or somebody tampering with storage */
+
+       SVN_ERR(svn_stream_close(stream));
+     }
+ 
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index 6680ab6d34..b135bb7a3f 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
           file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
           file://subversion-CVE-2013-4277.patch \
           file://subversion-CVE-2014-3522.patch \
+           file://subversion-CVE-2014-3528.patch \
 "
 SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
index e1ab945896..1ef59a0c00 100644
--- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://libtool2.patch \
           file://disable_macos.patch \
           file://subversion-CVE-2014-3522.patch;striplevel=0 \
+           file://subversion-CVE-2014-3528.patch \
 "
 SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
 SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"

diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch new file mode 100644 index 0000000000..23e738e985 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
@@ -0,0 +1,29 @@
		1	Upstream-Status: Backport
		2
		3	Signed-off-by: Yue Tao <yue.tao@windriver.com>
		4
		5	diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
		6	index ff50270..c511d04 100644
		7	--- a/subversion/libsvn_subr/config_auth.c.old
		8	+++ b/subversion/libsvn_subr/config_auth.c
		9	@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
		10	if (kind == svn_node_file)
		11	{
		12	svn_stream_t *stream;
		13	+ svn_string_t *stored_realm;
		14
		15	SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
		16	_("Unable to open auth file for reading"));
		17	@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
		18	apr_psprintf(pool, _("Error parsing '%s'"),
		19	svn_path_local_style(auth_path, pool)));
		20
		21	+ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
		22	+ APR_HASH_KEY_STRING);
		23	+
		24	+ if (!stored_realm \|\| strcmp(stored_realm->data, realmstring) != 0)
		25	+ hash = NULL; / Hash collision, or somebody tampering with storage */
		26	+
		27	SVN_ERR(svn_stream_close(stream));
		28	}
		29


diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb index 6680ab6d34..b135bb7a3f 100644 --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
19	file://subversion-CVE-2013-1847-CVE-2013-1846.patch \	19	file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
20	file://subversion-CVE-2013-4277.patch \	20	file://subversion-CVE-2013-4277.patch \
21	file://subversion-CVE-2014-3522.patch \	21	file://subversion-CVE-2014-3522.patch \
		22	file://subversion-CVE-2014-3528.patch \
22	"	23	"
23		24
24	SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"	25	SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"


diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb index e1ab945896..1ef59a0c00 100644 --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb +++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
13	file://libtool2.patch \	13	file://libtool2.patch \
14	file://disable_macos.patch \	14	file://disable_macos.patch \
15	file://subversion-CVE-2014-3522.patch;striplevel=0 \	15	file://subversion-CVE-2014-3522.patch;striplevel=0 \
		16	file://subversion-CVE-2014-3528.patch \
16	"	17	"
17	SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"	18	SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
18	SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"	19	SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"