summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch136
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.9.7.bb (renamed from meta/recipes-devtools/subversion/subversion_1.9.6.bb)5
2 files changed, 2 insertions, 139 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
deleted file mode 100644
index 0599c2badb..0000000000
--- a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
+++ /dev/null
@@ -1,136 +0,0 @@
1------------------------------------------------------------------------
2r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
3
4Fix CVE-2017-9800.
5
6See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
7
8* subversion/libsvn_ra_svn/client.c
9 (svn_ctype.h): Include.
10 (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
11 Expect the 'hostinfo' parameter to be URI-decoded.
12 (is_valid_hostinfo): New.
13 (ra_svn_open): Validate the hostname before using it.
14
15* subversion/libsvn_subr/config_file.c
16 (svn_config_ensure): Update the example configuration likewise.
17
18Patch by: philip
19Review by: danielsh
20 stsp
21 astieger (earlier version)
22
23Upstream-Status: Backport
24http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
25
26CVE: CVE-2017-9800
27
28Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
29---
30Index: subversion/libsvn_subr/config_file.c
31===================================================================
32--- subversion/libsvn_subr/config_file.c (revision 1804690)
33+++ subversion/libsvn_subr/config_file.c (revision 1804691)
34@@ -1448,12 +1448,12 @@
35 "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
36 "### built-in ssh scheme were not predefined, it could be defined" NL
37 "### as:" NL
38- "# ssh = $SVN_SSH ssh -q" NL
39+ "# ssh = $SVN_SSH ssh -q --" NL
40 "### If you wanted to define a new 'rsh' scheme, to be used with" NL
41 "### 'svn+rsh:' URLs, you could do so as follows:" NL
42- "# rsh = rsh" NL
43+ "# rsh = rsh --" NL
44 "### Or, if you wanted to specify a full path and arguments:" NL
45- "# rsh = /path/to/rsh -l myusername" NL
46+ "# rsh = /path/to/rsh -l myusername --" NL
47 "### On Windows, if you are specifying a full path to a command," NL
48 "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
49 "### path separator. A single backslash will be treated as an" NL
50Index: subversion/libsvn_ra_svn/client.c
51===================================================================
52--- subversion/libsvn_ra_svn/client.c (revision 1804690)
53+++ subversion/libsvn_ra_svn/client.c (revision 1804691)
54@@ -46,6 +46,7 @@
55 #include "svn_props.h"
56 #include "svn_mergeinfo.h"
57 #include "svn_version.h"
58+#include "svn_ctype.h"
59
60 #include "svn_private_config.h"
61
62@@ -398,7 +399,7 @@
63 * versions have it too. If the user is using some other ssh
64 * implementation that doesn't accept it, they can override it
65 * in the [tunnels] section of the config. */
66- val = "$SVN_SSH ssh -q";
67+ val = "$SVN_SSH ssh -q --";
68 }
69
70 if (!val || !*val)
71@@ -443,7 +444,7 @@
72 for (n = 0; cmd_argv[n] != NULL; n++)
73 argv[n] = cmd_argv[n];
74
75- argv[n++] = svn_path_uri_decode(hostinfo, pool);
76+ argv[n++] = hostinfo;
77 argv[n++] = "svnserve";
78 argv[n++] = "-t";
79 argv[n] = NULL;
80@@ -811,7 +812,33 @@
81 }
82
83
84+/* A simple whitelist to ensure the following are valid:
85+ * user@server
86+ * [::1]:22
87+ * server-name
88+ * server_name
89+ * 127.0.0.1
90+ * with an extra restriction that a leading '-' is invalid.
91+ */
92+static svn_boolean_t
93+is_valid_hostinfo(const char *hostinfo)
94+{
95+ const char *p = hostinfo;
96
97+ if (p[0] == '-')
98+ return FALSE;
99+
100+ while (*p)
101+ {
102+ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
103+ return FALSE;
104+
105+ ++p;
106+ }
107+
108+ return TRUE;
109+}
110+
111 static svn_error_t *ra_svn_open(svn_ra_session_t *session,
112 const char **corrected_url,
113 const char *url,
114@@ -844,8 +871,18 @@
115 || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
116 && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
117 tunnel))))
118- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
119- result_pool));
120+ {
121+ const char *decoded_hostinfo;
122+
123+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
124+
125+ if (!is_valid_hostinfo(decoded_hostinfo))
126+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
127+ uri.hostinfo);
128+
129+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
130+ config, result_pool));
131+ }
132 else
133 tunnel_argv = NULL;
134
135
136------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
index 532edeb080..57735f7f86 100644
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
@@ -15,11 +15,10 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
15 file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \ 15 file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
16 file://0001-Fix-libtool-name-in-configure.ac.patch \ 16 file://0001-Fix-libtool-name-in-configure.ac.patch \
17 file://serfmacro.patch \ 17 file://serfmacro.patch \
18 file://CVE-2017-9800.patch;striplevel=0 \
19 " 18 "
20 19
21SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b" 20SRC_URI[md5sum] = "05b0c677681073920f938c1f322e0be2"
22SRC_URI[sha256sum] = "dbcbc51fb634082f009121f2cb64350ce32146612787ffb0f7ced351aacaae19" 21SRC_URI[sha256sum] = "c3b118333ce12e501d509e66bb0a47bcc34d053990acab45559431ac3e491623"
23 22
24LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709" 23LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709"
25 24