4 files changed, 2 insertions, 448 deletions
diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/disable_macos.patch b/meta/recipes-devtools/subversion/subversion-1.8.10/disable_macos.patch
index ec3be496f3..ec3be496f3 100644
--- a/meta/recipes-devtools/subversion/subversion-1.8.9/disable_macos.patch
+++ b/meta/recipes-devtools/subversion/subversion-1.8.10/disable_macos.patch
diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/libtool2.patch b/meta/recipes-devtools/subversion/subversion-1.8.10/libtool2.patch
index 5cd572bfc8..5cd572bfc8 100644
--- a/meta/recipes-devtools/subversion/subversion-1.8.9/libtool2.patch
+++ b/meta/recipes-devtools/subversion/subversion-1.8.10/libtool2.patch
diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch b/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch
deleted file mode 100644
index f259e5490a..0000000000
--- a/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch
+++ /dev/null
@@ -1,444 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-Index: subversion/include/private/svn_cert.h
-===================================================================
--- subversion/include/private/svn_cert.h       (nonexistent)
-+++ subversion/include/private/svn_cert.h       (working copy)
-@@ -0,0 +1,68 @@
-+/**
-+ * @copyright
-+ * ====================================================================
-+ *    Licensed to the Apache Software Foundation (ASF) under one
-+ *    or more contributor license agreements.  See the NOTICE file
-+ *    distributed with this work for additional information
-+ *    regarding copyright ownership.  The ASF licenses this file
-+ *    to you under the Apache License, Version 2.0 (the
-+ *    "License"); you may not use this file except in compliance
-+ *    with the License.  You may obtain a copy of the License at
-+ *
-+ *      http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ *    Unless required by applicable law or agreed to in writing,
-+ *    software distributed under the License is distributed on an
-+ *    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-+ *    KIND, either express or implied.  See the License for the
-+ *    specific language governing permissions and limitations
-+ *    under the License.
-+ * ====================================================================
-+ * @endcopyright
-+ *
-+ * @file svn_cert.h
-+ * @brief Implementation of certificate validation functions
-+ */
-+
-+#ifndef SVN_CERT_H
-+#define SVN_CERT_H
-+
-+#include <apr.h>
-+
-+#include "svn_types.h"
-+#include "svn_string.h"
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif /* __cplusplus */
-+
-+
-+/* Return TRUE iff @a pattern matches @a hostname as defined
-+ * by the matching rules of RFC 6125.  In the context of RFC
-+ * 6125 the pattern is the domain name portion of the presented
-+ * identifier (which comes from the Common Name or a DNSName
-+ * portion of the subjectAltName of an X.509 certificate) and
-+ * the hostname is the source domain (i.e. the host portion
-+ * of the URI the user entered).
-+ *
-+ * @note With respect to wildcards we only support matching
-+ * wildcards in the left-most label and as the only character
-+ * in the left-most label (i.e. we support RFC 6125 s. 6.4.3
-+ * Rule 1 and 2 but not the optional Rule 3).  This may change
-+ * in the future.
-+ *
-+ * @note Subversion does not at current support internationalized
-+ * domain names.  Both values are presumed to be in NR-LDH label
-+ * or A-label form (see RFC 5890 for the definition).
-+ *
-+ * @since New in 1.9.
-+ */
-+svn_boolean_t
-+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname);
-+
-+
-+#ifdef __cplusplus
-+}
-+#endif /* __cplusplus */
-+
-+#endif /* SVN_CERT_H */
-Index: subversion/libsvn_ra_serf/util.c
-===================================================================
--- subversion/libsvn_ra_serf/util.c    (revision 1615128)
-+++ subversion/libsvn_ra_serf/util.c    (working copy)
-@@ -28,7 +28,6 @@
- #define APR_WANT_STRFUNC
- #include <apr.h>
- #include <apr_want.h>
-#include <apr_fnmatch.h>
- 
- #include <serf.h>
- #include <serf_bucket_types.h>
-@@ -49,6 +48,7 @@
- #include "private/svn_fspath.h"
- #include "private/svn_subr_private.h"
- #include "private/svn_auth_private.h"
-+#include "private/svn_cert.h"
- 
- #include "ra_serf.h"
- 
-@@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failures,
-   apr_hash_t *subject = NULL;
-   apr_hash_t *serf_cert = NULL;
-   void *creds;
-  int found_matching_hostname = 0;
- 
-   svn_failures = (ssl_convert_serf_failures(failures)
-       | conn->server_cert_failures);
-@@ -286,26 +285,37 @@ ssl_server_cert(void *baton, int failures,
-       ### This should really be handled by serf, which should pass an error
-           for this case, but that has backwards compatibility issues. */
-       apr_array_header_t *san;
-+      svn_boolean_t found_san_entry = FALSE;
-+      svn_boolean_t found_matching_hostname = FALSE;
-+      svn_string_t *actual_hostname =
-+          svn_string_create(conn->session->session_url.hostname, scratch_pool);
- 
-       serf_cert = serf_ssl_cert_certificate(cert, scratch_pool);
- 
-       san = svn_hash_gets(serf_cert, "subjectAltName");
-       /* Try to find matching server name via subjectAltName first... */
-      if (san) {
-+      if (san)
-+        {
-           int i;
-          for (i = 0; i < san->nelts; i++) {
-+          found_san_entry = san->nelts > 0;
-+          for (i = 0; i < san->nelts; i++)
-+            {
-               const char *s = APR_ARRAY_IDX(san, i, const char*);
-              if (apr_fnmatch(s, conn->session->session_url.hostname,
-                  APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
-              {
-                  found_matching_hostname = 1;
-+              svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
-+
-+              if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
-+                {
-+                  found_matching_hostname = TRUE;
-                   break;
-              }
-          }
-      }
-+                }
-+            }
-+        }
- 
-      /* Match server certificate CN with the hostname of the server */
-      if (!found_matching_hostname)
-+      /* Match server certificate CN with the hostname of the server iff
-+       * we didn't find any subjectAltName fields and try to match them.
-+       * Per RFC 2818 they are authoritative if present and CommonName
-+       * should be ignored. */
-+      if (!found_matching_hostname && !found_san_entry)
-         {
-           const char *hostname = NULL;
- 
-@@ -314,13 +324,20 @@ ssl_server_cert(void *baton, int failures,
-           if (subject)
-             hostname = svn_hash_gets(subject, "CN");
- 
-          if (!hostname
-              || apr_fnmatch(hostname, conn->session->session_url.hostname,
-                             APR_FNM_PERIOD | APR_FNM_CASE_BLIND) != APR_SUCCESS)
-          {
-              svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
-          }
-      }
-+          if (hostname)
-+            {
-+              svn_string_t *cert_hostname = svn_string_create(hostname,
-+                                                              scratch_pool);
-+
-+              if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
-+                {
-+                  found_matching_hostname = TRUE;
-+                }
-+            }
-+        }
-+
-+      if (!found_matching_hostname)
-+        svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
-     }
- 
-   if (!svn_failures)
-Index: subversion/libsvn_subr/dirent_uri.c
-===================================================================
--- subversion/libsvn_subr/dirent_uri.c (revision 1615128)
-+++ subversion/libsvn_subr/dirent_uri.c (working copy)
-@@ -38,6 +38,7 @@
- 
- #include "dirent_uri.h"
- #include "private/svn_fspath.h"
-+#include "private/svn_cert.h"
- 
- /* The canonical empty path.  Can this be changed?  Well, change the empty
-    test below and the path library will work, not so sure about the fs/wc
-@@ -2597,3 +2598,81 @@ svn_urlpath__canonicalize(const char *uri,
-     }
-   return uri;
- }
-+
-+
-+/* -------------- The cert API (see private/svn_cert.h) ------------- */
-+
-+svn_boolean_t
-+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname)
-+{
-+  apr_size_t pattern_pos = 0, hostname_pos = 0;
-+
-+  /* support leading wildcards that composed of the only character in the
-+   * left-most label. */
-+  if (pattern->len >= 2 &&
-+      pattern->data[pattern_pos] == '*' &&
-+      pattern->data[pattern_pos + 1] == '.')
-+    {
-+      while (hostname_pos < hostname->len &&
-+             hostname->data[hostname_pos] != '.')
-+        {
-+          hostname_pos++;
-+        }
-+      /* Assume that the wildcard must match something.  Rule 2 says
-+       * that *.example.com should not match example.com.  If the wildcard
-+       * ends up not matching anything then it matches .example.com which
-+       * seems to be essentially the same as just example.com */
-+      if (hostname_pos == 0)
-+        return FALSE;
-+
-+      pattern_pos++;
-+    }
-+
-+  while (pattern_pos < pattern->len && hostname_pos < hostname->len)
-+    {
-+      char pattern_c = pattern->data[pattern_pos];
-+      char hostname_c = hostname->data[hostname_pos];
-+
-+      /* fold case as described in RFC 4343.
-+       * Note: We actually convert to lowercase, since our URI
-+       * canonicalization code converts to lowercase and generally
-+       * most certs are issued with lowercase DNS names, meaning
-+       * this avoids the fold operation in most cases.  The RFC
-+       * suggests the opposite transformation, but doesn't require
-+       * any specific implementation in any case.  It is critical
-+       * that this folding be locale independent so you can't use
-+       * tolower(). */
-+      pattern_c = canonicalize_to_lower(pattern_c);
-+      hostname_c = canonicalize_to_lower(hostname_c);
-+
-+      if (pattern_c != hostname_c)
-+        {
-+          /* doesn't match */
-+          return FALSE;
-+        }
-+      else
-+        {
-+          /* characters match so skip both */
-+          pattern_pos++;
-+          hostname_pos++;
-+        }
-+    }
-+
-+  /* ignore a trailing period on the hostname since this has no effect on the
-+   * security of the matching.  See the following for the long explanation as
-+   * to why:
-+   * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
-+   */
-+  if (pattern_pos == pattern->len &&
-+      hostname_pos == hostname->len - 1 &&
-+      hostname->data[hostname_pos] == '.')
-+    hostname_pos++;
-+
-+  if (pattern_pos != pattern->len || hostname_pos != hostname->len)
-+    {
-+      /* end didn't match */
-+      return FALSE;
-+    }
-+
-+  return TRUE;
-+}
-Index: subversion/tests/libsvn_subr/dirent_uri-test.c
-===================================================================
--- subversion/tests/libsvn_subr/dirent_uri-test.c      (revision 1615128)
-+++ subversion/tests/libsvn_subr/dirent_uri-test.c      (working copy)
-@@ -37,6 +37,7 @@
- #include "svn_pools.h"
- #include "svn_dirent_uri.h"
- #include "private/svn_fspath.h"
-+#include "private/svn_cert.h"
- 
- #include "../svn_test.h"
- 
-@@ -2714,6 +2715,145 @@ test_fspath_get_longest_ancestor(apr_pool_t *pool)
-   return SVN_NO_ERROR;
- }
- 
-+struct cert_match_dns_test {
-+  const char *pattern;
-+  const char *hostname;
-+  svn_boolean_t expected;
-+};
-+
-+static svn_error_t *
-+run_cert_match_dns_tests(struct cert_match_dns_test *tests, apr_pool_t *pool)
-+{
-+  struct cert_match_dns_test *ct;
-+  apr_pool_t *iterpool = svn_pool_create(pool);
-+
-+  for (ct = tests; ct->pattern; ct++)
-+    {
-+      svn_boolean_t result;
-+      svn_string_t *pattern, *hostname;
-+
-+      svn_pool_clear(iterpool);
-+
-+      pattern = svn_string_create(ct->pattern, iterpool);
-+      hostname = svn_string_create(ct->hostname, iterpool);
-+
-+      result = svn_cert__match_dns_identity(pattern, hostname);
-+      if (result != ct->expected)
-+        return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
-+                                 "Expected %s but got %s for pattern '%s' on "
-+                                 "hostname '%s'",
-+                                 ct->expected ? "match" : "no match",
-+                                 result ? "match" : "no match",
-+                                 pattern->data, hostname->data);
-+
-+    }
-+
-+  svn_pool_destroy(iterpool);
-+
-+  return SVN_NO_ERROR;
-+}
-+
-+static struct cert_match_dns_test cert_match_dns_tests[] = {
-+  { "foo.example.com", "foo.example.com", TRUE }, /* exact match */
-+  { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */
-+  { "FOO.EXAMPLE.COM", "foo.example.com", TRUE },
-+  { "*.example.com", "FoO.ExAmPlE.CoM", TRUE },
-+  { "*.ExAmPlE.CoM", "foo.example.com", TRUE },
-+  { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE },
-+  { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE },
-+  { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */
-+  { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */
-+  { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */
-+  { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */
-+  { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */
-+  { "foo.example.com", "foo.example.comcom", FALSE },
-+  { "foo.example.com.com", "foo.example.com", FALSE },
-+  { "foo.example.com", "foo.example.com.com", FALSE },
-+  { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */
-+  { "foo.example.com", "foofoo.example.com", FALSE },
-+  { "foo.foo.example.com", "foo.example.com", FALSE },
-+  { "foo.example.com", "foo.foo.example.com", FALSE },
-+  { "foo.*.example.com", "foo.bar.example.com", FALSE }, /* RFC 6125 s. 6.4.3
-+                                                            Rule 1 */
-+  { "*.example.com", "foo.example.com", TRUE }, /* RFC 6125 s. 6.4.3 Rule 2 */
-+  { "*.example.com", "bar.foo.example.com", FALSE }, /* Rule 2 */
-+  { "*.example.com", "example.com", FALSE }, /* Rule 2 */
-+  { "*.example.com", ".example.com", FALSE }, /* RFC doesn't say what to do
-+                                                 here and a leading period on
-+                                                 a hostname doesn't make sense
-+                                                 so we'll just reject this. */
-+  { "*", "foo.example.com", FALSE }, /* wildcard must be left-most label,
-+                                        implies that there must be more than
-+                                        one label. */
-+  { "*", "example.com", FALSE },
-+  { "*", "com", FALSE },
-+  { "*.example.com", "foo.example.net", FALSE }, /* difference in literal text
-+                                                    with a wildcard. */
-+  { "*.com", "example.com", TRUE }, /* See Errata ID 3090 for RFC 6125,
-+                                       probably shouldn't allow this but
-+                                       we do for now. */
-+  { "*.", "example.com", FALSE }, /* test some dubious 2 character wildcard
-+                                     patterns */
-+  { "*.", "example.", TRUE }, /* This one feels questionable */
-+  { "*.", "example", FALSE },
-+  { "*.", ".", FALSE },
-+  { "a", "a", TRUE }, /* check that single letter exact matches work */
-+  { "a", "b", FALSE }, /* and single letter not matches shouldn't */
-+  { "*.*.com", "foo.example.com", FALSE }, /* unsupported wildcards */
-+  { "*.*.com", "example.com", FALSE },
-+  { "**.example.com", "foo.example.com", FALSE },
-+  { "**.example.com", "example.com", FALSE },
-+  { "f*.example.com", "foo.example.com", FALSE },
-+  { "f*.example.com", "bar.example.com", FALSE },
-+  { "*o.example.com", "foo.example.com", FALSE },
-+  { "*o.example.com", "bar.example.com", FALSE },
-+  { "f*o.example.com", "foo.example.com", FALSE },
-+  { "f*o.example.com", "bar.example.com", FALSE },
-+  { "foo.e*.com", "foo.example.com", FALSE },
-+  { "foo.*e.com", "foo.example.com", FALSE },
-+  { "foo.e*e.com", "foo.example.com", FALSE },
-+  { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */
-+  { "*.example.com", "foo.example.com.", TRUE },
-+  { "foo", "foo.", TRUE },
-+  { "foo.example.com.", "foo.example.com", FALSE },
-+  { "*.example.com.", "foo.example.com", FALSE },
-+  { "foo.", "foo", FALSE },
-+  { "foo.example.com", "foo.example.com..", FALSE },
-+  { "*.example.com", "foo.example.com..", FALSE },
-+  { "foo", "foo..", FALSE },
-+  { "foo.example.com..", "foo.example.com", FALSE },
-+  { "*.example.com..", "foo.example.com", FALSE },
-+  { "foo..", "foo", FALSE },
-+  { NULL }
-+};
-+
-+static svn_error_t *
-+test_cert_match_dns_identity(apr_pool_t *pool)
-+{
-+  return run_cert_match_dns_tests(cert_match_dns_tests, pool);
-+}
-+
-+/* This test table implements results that should happen if we supported
-+ * RFC 6125 s. 6.4.3 Rule 3.  We don't so it's expected to fail for now. */
-+static struct cert_match_dns_test rule3_tests[] = {
-+  { "baz*.example.net", "baz1.example.net", TRUE },
-+  { "*baz.example.net", "foobaz.example.net", TRUE },
-+  { "b*z.example.net", "buuz.example.net", TRUE },
-+  { "b*z.example.net", "bz.example.net", FALSE }, /* presume wildcard can't
-+                                                     match nothing */
-+  { "baz*.example.net", "baz.example.net", FALSE },
-+  { "*baz.example.net", "baz.example.net", FALSE },
-+  { "b*z.example.net", "buuzuuz.example.net", TRUE }, /* presume wildcard
-+                                                         should be greedy */
-+  { NULL }
-+};
-+
-+static svn_error_t *
-+test_rule3(apr_pool_t *pool)
-+{
-+  return run_cert_match_dns_tests(rule3_tests, pool);
-+}
-+
- 
- /* The test table.  */
- 
-@@ -2812,5 +2952,9 @@ struct svn_test_descriptor_t test_funcs[] =
-                    "test svn_fspath__dirname/basename/split"),
-     SVN_TEST_PASS2(test_fspath_get_longest_ancestor,
-                    "test svn_fspath__get_longest_ancestor"),
-+    SVN_TEST_PASS2(test_cert_match_dns_identity,
-+                   "test svn_cert__match_dns_identity"),
-+    SVN_TEST_XFAIL2(test_rule3,
-+                    "test match with RFC 6125 s. 6.4.3 Rule 3"),
-     SVN_TEST_NULL
-   };
diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.10.bb
index 1ef59a0c00..b223d26b3d 100644
--- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.10.bb
@@ -12,11 +12,9 @@ inherit gettext
 SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://libtool2.patch \
           file://disable_macos.patch \
-           file://subversion-CVE-2014-3522.patch;striplevel=0 \
-           file://subversion-CVE-2014-3528.patch \
 "
-SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
+SRC_URI[md5sum] = "3068256761b40863df96128834d6b71b"
-SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
+SRC_URI[sha256sum] = "1cc900c8a7974337c3ed389dc6b5c59012ec48c7d4107ae31fd7c929ded47dcc"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1c2f0119e478700b5428e26386cff923"

diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/disable_macos.patch b/meta/recipes-devtools/subversion/subversion-1.8.10/disable_macos.patch index ec3be496f3..ec3be496f3 100644 --- a/meta/recipes-devtools/subversion/subversion-1.8.9/disable_macos.patch +++ b/meta/recipes-devtools/subversion/subversion-1.8.10/disable_macos.patch


diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/libtool2.patch b/meta/recipes-devtools/subversion/subversion-1.8.10/libtool2.patch index 5cd572bfc8..5cd572bfc8 100644 --- a/meta/recipes-devtools/subversion/subversion-1.8.9/libtool2.patch +++ b/meta/recipes-devtools/subversion/subversion-1.8.10/libtool2.patch


diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch b/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch deleted file mode 100644 index f259e5490a..0000000000 --- a/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch +++ /dev/null
@@ -1,444 +0,0 @@
1	Upstream-Status: Backport
2
3	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
4
5	Index: subversion/include/private/svn_cert.h
6	===================================================================
7	--- subversion/include/private/svn_cert.h (nonexistent)
8	+++ subversion/include/private/svn_cert.h (working copy)
9	@@ -0,0 +1,68 @@
10	+/**
11	+ * @copyright
12	+ * ====================================================================
13	+ * Licensed to the Apache Software Foundation (ASF) under one
14	+ * or more contributor license agreements. See the NOTICE file
15	+ * distributed with this work for additional information
16	+ * regarding copyright ownership. The ASF licenses this file
17	+ * to you under the Apache License, Version 2.0 (the
18	+ * "License"); you may not use this file except in compliance
19	+ * with the License. You may obtain a copy of the License at
20	+ *
21	+ * http://www.apache.org/licenses/LICENSE-2.0
22	+ *
23	+ * Unless required by applicable law or agreed to in writing,
24	+ * software distributed under the License is distributed on an
25	+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
26	+ * KIND, either express or implied. See the License for the
27	+ * specific language governing permissions and limitations
28	+ * under the License.
29	+ * ====================================================================
30	+ * @endcopyright
31	+ *
32	+ * @file svn_cert.h
33	+ * @brief Implementation of certificate validation functions
34	+ */
35	+
36	+#ifndef SVN_CERT_H
37	+#define SVN_CERT_H
38	+
39	+#include <apr.h>
40	+
41	+#include "svn_types.h"
42	+#include "svn_string.h"
43	+
44	+#ifdef __cplusplus
45	+extern "C" {
46	+#endif /* __cplusplus */
47	+
48	+
49	+/* Return TRUE iff @a pattern matches @a hostname as defined
50	+ * by the matching rules of RFC 6125. In the context of RFC
51	+ * 6125 the pattern is the domain name portion of the presented
52	+ * identifier (which comes from the Common Name or a DNSName
53	+ * portion of the subjectAltName of an X.509 certificate) and
54	+ * the hostname is the source domain (i.e. the host portion
55	+ * of the URI the user entered).
56	+ *
57	+ * @note With respect to wildcards we only support matching
58	+ * wildcards in the left-most label and as the only character
59	+ * in the left-most label (i.e. we support RFC 6125 s. 6.4.3
60	+ * Rule 1 and 2 but not the optional Rule 3). This may change
61	+ * in the future.
62	+ *
63	+ * @note Subversion does not at current support internationalized
64	+ * domain names. Both values are presumed to be in NR-LDH label
65	+ * or A-label form (see RFC 5890 for the definition).
66	+ *
67	+ * @since New in 1.9.
68	+ */
69	+svn_boolean_t
70	+svn_cert__match_dns_identity(svn_string_t pattern, svn_string_t hostname);
71	+
72	+
73	+#ifdef __cplusplus
74	+}
75	+#endif /* __cplusplus */
76	+
77	+#endif /* SVN_CERT_H */
78	Index: subversion/libsvn_ra_serf/util.c
79	===================================================================
80	--- subversion/libsvn_ra_serf/util.c (revision 1615128)
81	+++ subversion/libsvn_ra_serf/util.c (working copy)
82	@@ -28,7 +28,6 @@
83	#define APR_WANT_STRFUNC
84	#include <apr.h>
85	#include <apr_want.h>
86	-#include <apr_fnmatch.h>
87
88	#include <serf.h>
89	#include <serf_bucket_types.h>
90	@@ -49,6 +48,7 @@
91	#include "private/svn_fspath.h"
92	#include "private/svn_subr_private.h"
93	#include "private/svn_auth_private.h"
94	+#include "private/svn_cert.h"
95
96	#include "ra_serf.h"
97
98	@@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failures,
99	apr_hash_t *subject = NULL;
100	apr_hash_t *serf_cert = NULL;
101	void *creds;
102	- int found_matching_hostname = 0;
103
104	svn_failures = (ssl_convert_serf_failures(failures)
105	\| conn->server_cert_failures);
106	@@ -286,26 +285,37 @@ ssl_server_cert(void *baton, int failures,
107	### This should really be handled by serf, which should pass an error
108	for this case, but that has backwards compatibility issues. */
109	apr_array_header_t *san;
110	+ svn_boolean_t found_san_entry = FALSE;
111	+ svn_boolean_t found_matching_hostname = FALSE;
112	+ svn_string_t *actual_hostname =
113	+ svn_string_create(conn->session->session_url.hostname, scratch_pool);
114
115	serf_cert = serf_ssl_cert_certificate(cert, scratch_pool);
116
117	san = svn_hash_gets(serf_cert, "subjectAltName");
118	/* Try to find matching server name via subjectAltName first... */
119	- if (san) {
120	+ if (san)
121	+ {
122	int i;
123	- for (i = 0; i < san->nelts; i++) {
124	+ found_san_entry = san->nelts > 0;
125	+ for (i = 0; i < san->nelts; i++)
126	+ {
127	const char s = APR_ARRAY_IDX(san, i, const char);
128	- if (apr_fnmatch(s, conn->session->session_url.hostname,
129	- APR_FNM_PERIOD \| APR_FNM_CASE_BLIND) == APR_SUCCESS)
130	- {
131	- found_matching_hostname = 1;
132	+ svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
133	+
134	+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
135	+ {
136	+ found_matching_hostname = TRUE;
137	break;
138	- }
139	- }
140	- }
141	+ }
142	+ }
143	+ }
144
145	- /* Match server certificate CN with the hostname of the server */
146	- if (!found_matching_hostname)
147	+ /* Match server certificate CN with the hostname of the server iff
148	+ * we didn't find any subjectAltName fields and try to match them.
149	+ * Per RFC 2818 they are authoritative if present and CommonName
150	+ * should be ignored. */
151	+ if (!found_matching_hostname && !found_san_entry)
152	{
153	const char *hostname = NULL;
154
155	@@ -314,13 +324,20 @@ ssl_server_cert(void *baton, int failures,
156	if (subject)
157	hostname = svn_hash_gets(subject, "CN");
158
159	- if (!hostname
160	- \|\| apr_fnmatch(hostname, conn->session->session_url.hostname,
161	- APR_FNM_PERIOD \| APR_FNM_CASE_BLIND) != APR_SUCCESS)
162	- {
163	- svn_failures \|= SVN_AUTH_SSL_CNMISMATCH;
164	- }
165	- }
166	+ if (hostname)
167	+ {
168	+ svn_string_t *cert_hostname = svn_string_create(hostname,
169	+ scratch_pool);
170	+
171	+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
172	+ {
173	+ found_matching_hostname = TRUE;
174	+ }
175	+ }
176	+ }
177	+
178	+ if (!found_matching_hostname)
179	+ svn_failures \|= SVN_AUTH_SSL_CNMISMATCH;
180	}
181
182	if (!svn_failures)
183	Index: subversion/libsvn_subr/dirent_uri.c
184	===================================================================
185	--- subversion/libsvn_subr/dirent_uri.c (revision 1615128)
186	+++ subversion/libsvn_subr/dirent_uri.c (working copy)
187	@@ -38,6 +38,7 @@
188
189	#include "dirent_uri.h"
190	#include "private/svn_fspath.h"
191	+#include "private/svn_cert.h"
192
193	/* The canonical empty path. Can this be changed? Well, change the empty
194	test below and the path library will work, not so sure about the fs/wc
195	@@ -2597,3 +2598,81 @@ svn_urlpath__canonicalize(const char *uri,
196	}
197	return uri;
198	}
199	+
200	+
201	+/* -------------- The cert API (see private/svn_cert.h) ------------- */
202	+
203	+svn_boolean_t
204	+svn_cert__match_dns_identity(svn_string_t pattern, svn_string_t hostname)
205	+{
206	+ apr_size_t pattern_pos = 0, hostname_pos = 0;
207	+
208	+ /* support leading wildcards that composed of the only character in the
209	+ * left-most label. */
210	+ if (pattern->len >= 2 &&
211	+ pattern->data[pattern_pos] == '*' &&
212	+ pattern->data[pattern_pos + 1] == '.')
213	+ {
214	+ while (hostname_pos < hostname->len &&
215	+ hostname->data[hostname_pos] != '.')
216	+ {
217	+ hostname_pos++;
218	+ }
219	+ /* Assume that the wildcard must match something. Rule 2 says
220	+ * that *.example.com should not match example.com. If the wildcard
221	+ * ends up not matching anything then it matches .example.com which
222	+ * seems to be essentially the same as just example.com */
223	+ if (hostname_pos == 0)
224	+ return FALSE;
225	+
226	+ pattern_pos++;
227	+ }
228	+
229	+ while (pattern_pos < pattern->len && hostname_pos < hostname->len)
230	+ {
231	+ char pattern_c = pattern->data[pattern_pos];
232	+ char hostname_c = hostname->data[hostname_pos];
233	+
234	+ /* fold case as described in RFC 4343.
235	+ * Note: We actually convert to lowercase, since our URI
236	+ * canonicalization code converts to lowercase and generally
237	+ * most certs are issued with lowercase DNS names, meaning
238	+ * this avoids the fold operation in most cases. The RFC
239	+ * suggests the opposite transformation, but doesn't require
240	+ * any specific implementation in any case. It is critical
241	+ * that this folding be locale independent so you can't use
242	+ * tolower(). */
243	+ pattern_c = canonicalize_to_lower(pattern_c);
244	+ hostname_c = canonicalize_to_lower(hostname_c);
245	+
246	+ if (pattern_c != hostname_c)
247	+ {
248	+ /* doesn't match */
249	+ return FALSE;
250	+ }
251	+ else
252	+ {
253	+ /* characters match so skip both */
254	+ pattern_pos++;
255	+ hostname_pos++;
256	+ }
257	+ }
258	+
259	+ /* ignore a trailing period on the hostname since this has no effect on the
260	+ * security of the matching. See the following for the long explanation as
261	+ * to why:
262	+ * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
263	+ */
264	+ if (pattern_pos == pattern->len &&
265	+ hostname_pos == hostname->len - 1 &&
266	+ hostname->data[hostname_pos] == '.')
267	+ hostname_pos++;
268	+
269	+ if (pattern_pos != pattern->len \|\| hostname_pos != hostname->len)
270	+ {
271	+ /* end didn't match */
272	+ return FALSE;
273	+ }
274	+
275	+ return TRUE;
276	+}
277	Index: subversion/tests/libsvn_subr/dirent_uri-test.c
278	===================================================================
279	--- subversion/tests/libsvn_subr/dirent_uri-test.c (revision 1615128)
280	+++ subversion/tests/libsvn_subr/dirent_uri-test.c (working copy)
281	@@ -37,6 +37,7 @@
282	#include "svn_pools.h"
283	#include "svn_dirent_uri.h"
284	#include "private/svn_fspath.h"
285	+#include "private/svn_cert.h"
286
287	#include "../svn_test.h"
288
289	@@ -2714,6 +2715,145 @@ test_fspath_get_longest_ancestor(apr_pool_t *pool)
290	return SVN_NO_ERROR;
291	}
292
293	+struct cert_match_dns_test {
294	+ const char *pattern;
295	+ const char *hostname;
296	+ svn_boolean_t expected;
297	+};
298	+
299	+static svn_error_t *
300	+run_cert_match_dns_tests(struct cert_match_dns_test tests, apr_pool_t pool)
301	+{
302	+ struct cert_match_dns_test *ct;
303	+ apr_pool_t *iterpool = svn_pool_create(pool);
304	+
305	+ for (ct = tests; ct->pattern; ct++)
306	+ {
307	+ svn_boolean_t result;
308	+ svn_string_t pattern, hostname;
309	+
310	+ svn_pool_clear(iterpool);
311	+
312	+ pattern = svn_string_create(ct->pattern, iterpool);
313	+ hostname = svn_string_create(ct->hostname, iterpool);
314	+
315	+ result = svn_cert__match_dns_identity(pattern, hostname);
316	+ if (result != ct->expected)
317	+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
318	+ "Expected %s but got %s for pattern '%s' on "
319	+ "hostname '%s'",
320	+ ct->expected ? "match" : "no match",
321	+ result ? "match" : "no match",
322	+ pattern->data, hostname->data);
323	+
324	+ }
325	+
326	+ svn_pool_destroy(iterpool);
327	+
328	+ return SVN_NO_ERROR;
329	+}
330	+
331	+static struct cert_match_dns_test cert_match_dns_tests[] = {
332	+ { "foo.example.com", "foo.example.com", TRUE }, /* exact match */
333	+ { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */
334	+ { "FOO.EXAMPLE.COM", "foo.example.com", TRUE },
335	+ { "*.example.com", "FoO.ExAmPlE.CoM", TRUE },
336	+ { "*.ExAmPlE.CoM", "foo.example.com", TRUE },
337	+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE },
338	+ { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE },
339	+ { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */
340	+ { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */
341	+ { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */
342	+ { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */
343	+ { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */
344	+ { "foo.example.com", "foo.example.comcom", FALSE },
345	+ { "foo.example.com.com", "foo.example.com", FALSE },
346	+ { "foo.example.com", "foo.example.com.com", FALSE },
347	+ { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */
348	+ { "foo.example.com", "foofoo.example.com", FALSE },
349	+ { "foo.foo.example.com", "foo.example.com", FALSE },
350	+ { "foo.example.com", "foo.foo.example.com", FALSE },
351	+ { "foo..example.com", "foo.bar.example.com", FALSE }, / RFC 6125 s. 6.4.3
352	+ Rule 1 */
353	+ { ".example.com", "foo.example.com", TRUE }, / RFC 6125 s. 6.4.3 Rule 2 */
354	+ { ".example.com", "bar.foo.example.com", FALSE }, / Rule 2 */
355	+ { ".example.com", "example.com", FALSE }, / Rule 2 */
356	+ { ".example.com", ".example.com", FALSE }, / RFC doesn't say what to do
357	+ here and a leading period on
358	+ a hostname doesn't make sense
359	+ so we'll just reject this. */
360	+ { "", "foo.example.com", FALSE }, / wildcard must be left-most label,
361	+ implies that there must be more than
362	+ one label. */
363	+ { "*", "example.com", FALSE },
364	+ { "*", "com", FALSE },
365	+ { ".example.com", "foo.example.net", FALSE }, / difference in literal text
366	+ with a wildcard. */
367	+ { ".com", "example.com", TRUE }, / See Errata ID 3090 for RFC 6125,
368	+ probably shouldn't allow this but
369	+ we do for now. */
370	+ { ".", "example.com", FALSE }, / test some dubious 2 character wildcard
371	+ patterns */
372	+ { ".", "example.", TRUE }, / This one feels questionable */
373	+ { "*.", "example", FALSE },
374	+ { "*.", ".", FALSE },
375	+ { "a", "a", TRUE }, /* check that single letter exact matches work */
376	+ { "a", "b", FALSE }, /* and single letter not matches shouldn't */
377	+ { "..com", "foo.example.com", FALSE }, /* unsupported wildcards */
378	+ { "..com", "example.com", FALSE },
379	+ { "**.example.com", "foo.example.com", FALSE },
380	+ { "**.example.com", "example.com", FALSE },
381	+ { "f*.example.com", "foo.example.com", FALSE },
382	+ { "f*.example.com", "bar.example.com", FALSE },
383	+ { "*o.example.com", "foo.example.com", FALSE },
384	+ { "*o.example.com", "bar.example.com", FALSE },
385	+ { "f*o.example.com", "foo.example.com", FALSE },
386	+ { "f*o.example.com", "bar.example.com", FALSE },
387	+ { "foo.e*.com", "foo.example.com", FALSE },
388	+ { "foo.*e.com", "foo.example.com", FALSE },
389	+ { "foo.e*e.com", "foo.example.com", FALSE },
390	+ { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */
391	+ { "*.example.com", "foo.example.com.", TRUE },
392	+ { "foo", "foo.", TRUE },
393	+ { "foo.example.com.", "foo.example.com", FALSE },
394	+ { "*.example.com.", "foo.example.com", FALSE },
395	+ { "foo.", "foo", FALSE },
396	+ { "foo.example.com", "foo.example.com..", FALSE },
397	+ { "*.example.com", "foo.example.com..", FALSE },
398	+ { "foo", "foo..", FALSE },
399	+ { "foo.example.com..", "foo.example.com", FALSE },
400	+ { "*.example.com..", "foo.example.com", FALSE },
401	+ { "foo..", "foo", FALSE },
402	+ { NULL }
403	+};
404	+
405	+static svn_error_t *
406	+test_cert_match_dns_identity(apr_pool_t *pool)
407	+{
408	+ return run_cert_match_dns_tests(cert_match_dns_tests, pool);
409	+}
410	+
411	+/* This test table implements results that should happen if we supported
412	+ * RFC 6125 s. 6.4.3 Rule 3. We don't so it's expected to fail for now. */
413	+static struct cert_match_dns_test rule3_tests[] = {
414	+ { "baz*.example.net", "baz1.example.net", TRUE },
415	+ { "*baz.example.net", "foobaz.example.net", TRUE },
416	+ { "b*z.example.net", "buuz.example.net", TRUE },
417	+ { "bz.example.net", "bz.example.net", FALSE }, / presume wildcard can't
418	+ match nothing */
419	+ { "baz*.example.net", "baz.example.net", FALSE },
420	+ { "*baz.example.net", "baz.example.net", FALSE },
421	+ { "bz.example.net", "buuzuuz.example.net", TRUE }, / presume wildcard
422	+ should be greedy */
423	+ { NULL }
424	+};
425	+
426	+static svn_error_t *
427	+test_rule3(apr_pool_t *pool)
428	+{
429	+ return run_cert_match_dns_tests(rule3_tests, pool);
430	+}
431	+
432
433	/* The test table. */
434
435	@@ -2812,5 +2952,9 @@ struct svn_test_descriptor_t test_funcs[] =
436	"test svn_fspath__dirname/basename/split"),
437	SVN_TEST_PASS2(test_fspath_get_longest_ancestor,
438	"test svn_fspath__get_longest_ancestor"),
439	+ SVN_TEST_PASS2(test_cert_match_dns_identity,
440	+ "test svn_cert__match_dns_identity"),
441	+ SVN_TEST_XFAIL2(test_rule3,
442	+ "test match with RFC 6125 s. 6.4.3 Rule 3"),
443	SVN_TEST_NULL
444	};


diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.10.bb index 1ef59a0c00..b223d26b3d 100644 --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb +++ b/meta/recipes-devtools/subversion/subversion_1.8.10.bb
@@ -12,11 +12,9 @@ inherit gettext
12	SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \	12	SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
13	file://libtool2.patch \	13	file://libtool2.patch \
14	file://disable_macos.patch \	14	file://disable_macos.patch \
15	file://subversion-CVE-2014-3522.patch;striplevel=0 \
16	file://subversion-CVE-2014-3528.patch \
17	"	15	"
18	SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"	16	SRC_URI[md5sum] = "3068256761b40863df96128834d6b71b"
19	SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"	17	SRC_URI[sha256sum] = "1cc900c8a7974337c3ed389dc6b5c59012ec48c7d4107ae31fd7c929ded47dcc"
20		18
21	LIC_FILES_CHKSUM = "file://LICENSE;md5=1c2f0119e478700b5428e26386cff923"	19	LIC_FILES_CHKSUM = "file://LICENSE;md5=1c2f0119e478700b5428e26386cff923"
22		20