[OE-core] [PATCH 1/6] subversion: Security Advisory - subversion - CVE-2014-3528

wenzong fan wenzong.fan at windriver.com
Wed Nov 19 09:18:08 UTC 2014


On 11/19/2014 02:07 PM, akuster808 wrote:
> Wenzong,
>
> I wanted to just patch 1.8.9 for dizzy since 1.8.10 included more than
> just security fixes. Looks like my subject should have included
> [dizzy] even though the cover letter did.  I will have to be more
> careful next time.
>

You have a clear cover page 'Dizzy next' :)

Since I updated serf on master, I wonder how the subversion-related
CVEs will be processed on Dizzy.

Thanks for the clarification.

Wenzong


> thanks,
> Armin
>
> On 11/18/2014 05:29 PM, wenzong fan wrote:
>> There's subversion 1.8.10 in master branch that has included the CVE
>> fixes.
>>
>> Would you like to backport 1.8.10 from master? Or just patch 1.8.9 to
>> fix this CVE?
>>
>> Thanks
>> Wenzong
>>
>> On 11/19/2014 12:18 AM, Armin Kuster wrote:
>>> From: Yue Tao <Yue.Tao at windriver.com>
>>>
>>> Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
>>> 1.8.10 uses an MD5 hash of the URL and authentication realm to store
>>> cached credentials, which makes it easier for remote servers to obtain
>>> the credentials via a crafted authentication realm.
>>>
>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
>>>
>>> (From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806)
>>>
>>> Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
>>> Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
>>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>>> Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>>> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>>> ---
>>>   .../subversion/subversion-CVE-2014-3528.patch      | 29
>>> ++++++++++++++++++++++
>>>   .../subversion/subversion_1.6.15.bb                |  1 +
>>>   .../subversion/subversion_1.8.9.bb                 |  1 +
>>>   3 files changed, 31 insertions(+)
>>>   create mode 100644
>>> meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>>
>>>
>>>
>>> diff --git
>>> a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>>
>>> b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>>
>>>
>>> new file mode 100644
>>> index 0000000..23e738e
>>> --- /dev/null
>>> +++
>>> b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>>
>>>
>>> @@ -0,0 +1,29 @@
>>> +Upstream-Status: Backport
>>> +
>>> +Signed-off-by: Yue Tao <yue.tao at windriver.com>
>>> +
>>> +diff --git a/subversion/libsvn_subr/config_auth.c.old
>>> b/subversion/libsvn_subr/config_auth.c
>>> +index ff50270..c511d04 100644
>>> +--- a/subversion/libsvn_subr/config_auth.c.old
>>> ++++ b/subversion/libsvn_subr/config_auth.c
>>> +@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
>>> +   if (kind == svn_node_file)
>>> +     {
>>> +       svn_stream_t *stream;
>>> ++      svn_string_t *stored_realm;
>>> +
>>> +       SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool,
>>> pool),
>>> +                 _("Unable to open auth file for reading"));
>>> +@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
>>> +                 apr_psprintf(pool, _("Error parsing '%s'"),
>>> +                              svn_path_local_style(auth_path, pool)));
>>> +
>>> ++      stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
>>> ++                                  APR_HASH_KEY_STRING);
>>> ++
>>> ++      if (!stored_realm || strcmp(stored_realm->data, realmstring)
>>> != 0)
>>> ++        *hash = NULL; /* Hash collision, or somebody tampering with
>>> storage */
>>> ++
>>> +       SVN_ERR(svn_stream_close(stream));
>>> +     }
>>> +
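Review bot: The header of the new subversion-CVE-2014-3528.patch file carries only "Upstream-Status: Backport" and a sign-off, with no pointer to the upstream change it was taken from and no description of what it fixes. Suggest naming the upstream revision or URL next to the status line and adding a one-line summary with the CVE id, so the backport can be compared against upstream later. In the second inner hunk, a missing or mismatched SVN_CONFIG_REALMSTRING_KEY entry sets *hash = NULL without any error or warning; that is fine only if every caller treats a NULL hash as "no cached credentials", which is worth confirming for both versions this file is applied to.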
>>> diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>>> b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>>> index 6680ab6..b135bb7 100644
>>> --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>>> +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>>> @@ -19,6 +19,7 @@ SRC_URI =
>>> "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
>>>              file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
>>>              file://subversion-CVE-2013-4277.patch \
>>>              file://subversion-CVE-2014-3522.patch \
>>> +           file://subversion-CVE-2014-3528.patch \
>>>   "
>>>
>>>   SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
>>> diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>>> b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>>> index e1ab945..1ef59a0 100644
>>> --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>>> +++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>>> @@ -13,6 +13,7 @@ SRC_URI =
>>> "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
>>>              file://libtool2.patch \
>>>              file://disable_macos.patch \
>>>              file://subversion-CVE-2014-3522.patch;striplevel=0 \
>>> +           file://subversion-CVE-2014-3528.patch \
>>>   "
>>>   SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
>>>   SRC_URI[sha256sum] =
>>> "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
>>>
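Review bot: The new SRC_URI entry for subversion-CVE-2014-3528.patch is added with the default strip level, while the CVE-2014-3522 entry directly above it uses ;striplevel=0, and the same patch file is also added to subversion_1.6.15.bb. The patch's context lines (for example the svn_path_local_style(auth_path, pool) call) have to match config_auth.c in both 1.6.15 and 1.8.9 for one file to serve both recipes. Please confirm do_patch applies it cleanly for each recipe, and split it into per-version patches if it only applies with fuzz or not at all.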
>
>


