[OE-core] [PATCH 1/6] subversion: Security Advisory - subversion - CVE-2014-3528

Wed Nov 19 06:07:12 UTC 2014

Wenzong,

I wanted to just patch 1.8.9 for dizzy since 1.8.10 included more than 
just security fixes.   Looks like my subject should have included 
[dizzy] even though the cover letter did.  I will have to be more 
careful next time.

thanks,
Armin

On 11/18/2014 05:29 PM, wenzong fan wrote:
> There's subversion 1.8.10 in master branch that has included the CVE fixes.
>
> Would you like to backport 1.8.10 from master? Or just patch 1.8.9 to
> fix this CVE?
>
> Thanks
> Wenzong
>
> On 11/19/2014 12:18 AM, Armin Kuster wrote:
>> From: Yue Tao <Yue.Tao at windriver.com>
>>
>> Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
>> 1.8.10 uses an MD5 hash of the URL and authentication realm to store
>> cached credentials, which makes it easier for remote servers to obtain
>> the credentials via a crafted authentication realm.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
>>
>> (From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806)
>>
>> Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
>> Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>> Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> ---
>>   .../subversion/subversion-CVE-2014-3528.patch      | 29
>> ++++++++++++++++++++++
>>   .../subversion/subversion_1.6.15.bb                |  1 +
>>   .../subversion/subversion_1.8.9.bb                 |  1 +
>>   3 files changed, 31 insertions(+)
>>   create mode 100644
>> meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>
>>
>> diff --git
>> a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>> b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>
>> new file mode 100644
>> index 0000000..23e738e
>> --- /dev/null
>> +++
>> b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>
>> @@ -0,0 +1,29 @@
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Yue Tao <yue.tao at windriver.com>
>> +
>> +diff --git a/subversion/libsvn_subr/config_auth.c.old
>> b/subversion/libsvn_subr/config_auth.c
>> +index ff50270..c511d04 100644
>> +--- a/subversion/libsvn_subr/config_auth.c.old
>> ++++ b/subversion/libsvn_subr/config_auth.c
>> +@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
>> +   if (kind == svn_node_file)
>> +     {
>> +       svn_stream_t *stream;
>> ++      svn_string_t *stored_realm;
>> +
>> +       SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool,
>> pool),
>> +                 _("Unable to open auth file for reading"));
>> +@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
>> +                 apr_psprintf(pool, _("Error parsing '%s'"),
>> +                              svn_path_local_style(auth_path, pool)));
>> +
>> ++      stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
>> ++                                  APR_HASH_KEY_STRING);
>> ++
>> ++      if (!stored_realm || strcmp(stored_realm->data, realmstring)
>> != 0)
>> ++        *hash = NULL; /* Hash collision, or somebody tampering with
>> storage */
>> ++
>> +       SVN_ERR(svn_stream_close(stream));
>> +     }
>> +
>> diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> index 6680ab6..b135bb7 100644
>> --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> @@ -19,6 +19,7 @@ SRC_URI =
>> "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
>>              file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
>>              file://subversion-CVE-2013-4277.patch \
>>              file://subversion-CVE-2014-3522.patch \
>> +           file://subversion-CVE-2014-3528.patch \
>>   "
>>
>>   SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
>> diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> index e1ab945..1ef59a0 100644
>> --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> +++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> @@ -13,6 +13,7 @@ SRC_URI =
>> "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
>>              file://libtool2.patch \
>>              file://disable_macos.patch \
>>              file://subversion-CVE-2014-3522.patch;striplevel=0 \
>> +           file://subversion-CVE-2014-3528.patch \
>>   "
>>   SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
>>   SRC_URI[sha256sum] =
>> "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
>>