1 files changed, 117 insertions, 0 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
new file mode 100644
index 0000000000..5bebde2a86
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
@@ -0,0 +1,117 @@
+Upstream-Status: Backport [ https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ] 
+CVE: CVE-2020-17525
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+  Remote unauthenticated denial-of-service in Subversion mod_authz_svn.
+Summary:
+========
+  Subversion's mod_authz_svn module will crash if the server is using
+  in-repository authz rules with the AuthzSVNReposRelativeAccessFile
+  option and a client sends a request for a non-existing repository URL.
+  This can lead to disruption for users of the service.
+Known vulnerable:
+=================
+  mod_dav_svn+mod_authz_svn servers 1.9.0 through 1.10.6 (inclusive).
+  mod_dav_svn+mod_authz_svn servers 1.11.0 through 1.14.0 (inclusive).
+Known fixed:
+============
+  mod_dav_svn+mod_authz_svn servers 1.14.1
+  mod_dav_svn+mod_authz_svn servers 1.10.7
+Details:
+========
+  A null-pointer-dereference has been found in mod_authz_svn that results in
+  a remote unauthenticated Denial-of-Service in some server configurations.
+  The vulnerability can be triggered by an unauthenticated user if the
+  Apache HTTPD server is configured to use an in-repository authz file,
+  with configuration directives such as:
+    AuthzSVNAccessFile "^/authz"
+    AuthzSVNReposRelativeAccessFile "^/authz"
+  The problem originates when sending a GET request to a non-existent
+  repository. The mod_authz_svn module will attempt to find authz rules
+  at a path within the requested SVN repository. Upon constructing this
+  path, the function svn_repos_find_root_path will return a NULL pointer
+  since the requested repository does not exist on-disk.
+  A check for this legitimate NULL pointer condition is missing, which
+  results in a segmentation fault when the NULL pointer is used.
+  The in-repository authz feature was first introduced in Subversion 1.8:
+  https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz
+  The missing NULL check was first introduced during refactoring of the
+  authz code during development work leading up to Subversion 1.9.
+  Subversion 1.8 servers are unaffected.
+Severity:
+=========
+  CVSSv3 Base Score: 7.5 (High)
+  CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+  Exploitation results in denial of service by crashing the HTTPD worker
+  handling the request. The impact of this differs depending on how the
+  Apache HTTPD server is configured, including the choice of MPM (Multi-
+  Processing-Module). If the worker shares its memory address space with
+  the main thread, as is the case with e.g. the Event MPM, the entire
+  HTTPD server process will terminate. If the pre-fork MPM is used, the
+  worker will terminate but the HTTPD server will stay up, and service
+  availability will depend on how frequently the attacker is able to
+  send malicious requests which target the vulnerability.
+Recommendations:
+================
+  We recommend all users to upgrade to a known fixed release of the
+  Subversion mod_dav_svn server.
+  Users who are unable to upgrade may apply the included patches.
+  As a workaround, the use of in-repository authz rules files with
+  the AuthzSVNReposRelativeAccessFile can be avoided by switching
+  to an alternative configuration which fetches an authz rules file
+  from the server's filesystem, rather than from an SVN repository.
+References:
+===========
+  CVE-2020-17525 (Subversion)
+Reported by:
+============
+  Thomas Åkesson, simonsoft.se
+Patches:
+========
+  Patch for Subversion 1.10, 1.14:
+[[[
+Index: subversion/libsvn_repos/config_file.c
+===================================================================
+--- a/subversion/libsvn_repos/config_file.c     (revision 1883994)
+++ b/subversion/libsvn_repos/config_file.c     (working copy)
+@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
+     {
+       /* Search for a repository in the full path. */
+       repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
+      if (repos_root_dirent == NULL)
+        return svn_error_trace(handle_missing_file(stream, checksum, access,
+                                                   url, must_exist,
+                                                   svn_node_none));
+ 
+       /* Attempt to open a repository at repos_root_dirent. */
+       SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,
+]]]

diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch new file mode 100644 index 0000000000..5bebde2a86 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
@@ -0,0 +1,117 @@
	1	Upstream-Status: Backport [ https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ]
	2	CVE: CVE-2020-17525
	3	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	4
	5	Remote unauthenticated denial-of-service in Subversion mod_authz_svn.
	6
	7	Summary:
	8	========
	9
	10	Subversion's mod_authz_svn module will crash if the server is using
	11	in-repository authz rules with the AuthzSVNReposRelativeAccessFile
	12	option and a client sends a request for a non-existing repository URL.
	13
	14	This can lead to disruption for users of the service.
	15
	16	Known vulnerable:
	17	=================
	18
	19	mod_dav_svn+mod_authz_svn servers 1.9.0 through 1.10.6 (inclusive).
	20	mod_dav_svn+mod_authz_svn servers 1.11.0 through 1.14.0 (inclusive).
	21
	22	Known fixed:
	23	============
	24
	25	mod_dav_svn+mod_authz_svn servers 1.14.1
	26	mod_dav_svn+mod_authz_svn servers 1.10.7
	27
	28	Details:
	29	========
	30
	31	A null-pointer-dereference has been found in mod_authz_svn that results in
	32	a remote unauthenticated Denial-of-Service in some server configurations.
	33
	34	The vulnerability can be triggered by an unauthenticated user if the
	35	Apache HTTPD server is configured to use an in-repository authz file,
	36	with configuration directives such as:
	37
	38	AuthzSVNAccessFile "^/authz"
	39	AuthzSVNReposRelativeAccessFile "^/authz"
	40
	41	The problem originates when sending a GET request to a non-existent
	42	repository. The mod_authz_svn module will attempt to find authz rules
	43	at a path within the requested SVN repository. Upon constructing this
	44	path, the function svn_repos_find_root_path will return a NULL pointer
	45	since the requested repository does not exist on-disk.
	46	A check for this legitimate NULL pointer condition is missing, which
	47	results in a segmentation fault when the NULL pointer is used.
	48
	49	The in-repository authz feature was first introduced in Subversion 1.8:
	50	https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz
	51
	52	The missing NULL check was first introduced during refactoring of the
	53	authz code during development work leading up to Subversion 1.9.
	54	Subversion 1.8 servers are unaffected.
	55
	56	Severity:
	57	=========
	58
	59	CVSSv3 Base Score: 7.5 (High)
	60
	61	CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
	62
	63	Exploitation results in denial of service by crashing the HTTPD worker
	64	handling the request. The impact of this differs depending on how the
	65	Apache HTTPD server is configured, including the choice of MPM (Multi-
	66	Processing-Module). If the worker shares its memory address space with
	67	the main thread, as is the case with e.g. the Event MPM, the entire
	68	HTTPD server process will terminate. If the pre-fork MPM is used, the
	69	worker will terminate but the HTTPD server will stay up, and service
	70	availability will depend on how frequently the attacker is able to
	71	send malicious requests which target the vulnerability.
	72
	73	Recommendations:
	74	================
	75
	76	We recommend all users to upgrade to a known fixed release of the
	77	Subversion mod_dav_svn server.
	78
	79	Users who are unable to upgrade may apply the included patches.
	80
	81	As a workaround, the use of in-repository authz rules files with
	82	the AuthzSVNReposRelativeAccessFile can be avoided by switching
	83	to an alternative configuration which fetches an authz rules file
	84	from the server's filesystem, rather than from an SVN repository.
	85
	86	References:
	87	===========
	88
	89	CVE-2020-17525 (Subversion)
	90
	91	Reported by:
	92	============
	93
	94	Thomas Åkesson, simonsoft.se
	95
	96	Patches:
	97	========
	98
	99	Patch for Subversion 1.10, 1.14:
	100
	101	[[[
	102	Index: subversion/libsvn_repos/config_file.c
	103	===================================================================
	104	--- a/subversion/libsvn_repos/config_file.c (revision 1883994)
	105	+++ b/subversion/libsvn_repos/config_file.c (working copy)
	106	@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
	107	{
	108	/* Search for a repository in the full path. */
	109	repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
	110	+ if (repos_root_dirent == NULL)
	111	+ return svn_error_trace(handle_missing_file(stream, checksum, access,
	112	+ url, must_exist,
	113	+ svn_node_none));
	114
	115	/* Attempt to open a repository at repos_root_dirent. */
	116	SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,
	117	]]]