[OE-core] [PATCH 2/2] subversion: Security Advisory - subversion - CVE-2014-3528
jackie.huang at windriver.com
jackie.huang at windriver.com
Wed Oct 22 07:37:29 UTC 2014
From: Yue Tao <Yue.Tao at windriver.com>
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
1.8.10 uses an MD5 hash of the URL and authentication realm to store
cached credentials, which makes it easier for remote servers to obtain
the credentials via a crafted authentication realm.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
---
.../subversion/subversion-CVE-2014-3528.patch | 29 ++++++++++++++++++++
.../subversion/subversion_1.6.15.bb | 1 +
.../subversion/subversion_1.8.9.bb | 1 +
3 files changed, 31 insertions(+)
create mode 100644 meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
new file mode 100644
index 0000000..23e738e
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao at windriver.com>
+
+diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
+index ff50270..c511d04 100644
+--- a/subversion/libsvn_subr/config_auth.c.old
++++ b/subversion/libsvn_subr/config_auth.c
+@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
+ if (kind == svn_node_file)
+ {
+ svn_stream_t *stream;
++ svn_string_t *stored_realm;
+
+ SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+ _("Unable to open auth file for reading"));
+@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
+ apr_psprintf(pool, _("Error parsing '%s'"),
+ svn_path_local_style(auth_path, pool)));
+
++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
++ APR_HASH_KEY_STRING);
++
++ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
++ *hash = NULL; /* Hash collision, or somebody tampering with storage */
++
+ SVN_ERR(svn_stream_close(stream));
+ }
+
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index 6680ab6..b135bb7 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
file://subversion-CVE-2013-4277.patch \
file://subversion-CVE-2014-3522.patch \
+ file://subversion-CVE-2014-3528.patch \
"
SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
index e1ab945..1ef59a0 100644
--- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://libtool2.patch \
file://disable_macos.patch \
file://subversion-CVE-2014-3522.patch;striplevel=0 \
+ file://subversion-CVE-2014-3528.patch \
"
SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
--
1.7.9.5
More information about the Openembedded-core
mailing list