[oe-commits] Yue Tao : subversion: Security Advisory - subversion - CVE-2014-3528
git at git.openembedded.org
git at git.openembedded.org
Fri Nov 21 16:51:28 UTC 2014
Module: openembedded-core.git
Branch: dizzy
Commit: 4ff3355e4daf841c66fb78e88bf2d6e26d8f9ced
URL: http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=4ff3355e4daf841c66fb78e88bf2d6e26d8f9ced
Author: Yue Tao <Yue.Tao at windriver.com>
Date: Wed Oct 22 03:37:29 2014 -0400
subversion: Security Advisory - subversion - CVE-2014-3528
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
1.8.10 uses an MD5 hash of the URL and authentication realm to store
cached credentials, which makes it easier for remote servers to obtain
the credentials via a crafted authentication realm.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
(From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806)
Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
.../subversion/subversion-CVE-2014-3528.patch | 29 ++++++++++++++++++++++
.../subversion/subversion_1.6.15.bb | 1 +
.../subversion/subversion_1.8.9.bb | 1 +
3 files changed, 31 insertions(+)
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
new file mode 100644
index 0000000..23e738e
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao at windriver.com>
+
+diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
+index ff50270..c511d04 100644
+--- a/subversion/libsvn_subr/config_auth.c.old
++++ b/subversion/libsvn_subr/config_auth.c
+@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
+ if (kind == svn_node_file)
+ {
+ svn_stream_t *stream;
++ svn_string_t *stored_realm;
+
+ SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+ _("Unable to open auth file for reading"));
+@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
+ apr_psprintf(pool, _("Error parsing '%s'"),
+ svn_path_local_style(auth_path, pool)));
+
++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
++ APR_HASH_KEY_STRING);
++
++ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
++ *hash = NULL; /* Hash collision, or somebody tampering with storage */
++
+ SVN_ERR(svn_stream_close(stream));
+ }
+
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index 6680ab6..b135bb7 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
file://subversion-CVE-2013-4277.patch \
file://subversion-CVE-2014-3522.patch \
+ file://subversion-CVE-2014-3528.patch \
"
SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
index e1ab945..1ef59a0 100644
--- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://libtool2.patch \
file://disable_macos.patch \
file://subversion-CVE-2014-3522.patch;striplevel=0 \
+ file://subversion-CVE-2014-3528.patch \
"
SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
More information about the Openembedded-commits
mailing list