[OE-core] [PATCH 4/4] subversion: upgrade 1.9.6 -> 1.9.7
Richard Purdie
richard.purdie at linuxfoundation.org
Wed Jan 17 15:22:29 UTC 2018
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
.../subversion/subversion/CVE-2017-9800.patch | 136 ---------------------
.../subversion/subversion_1.9.6.bb | 56 ---------
.../subversion/subversion_1.9.7.bb | 55 +++++++++
3 files changed, 55 insertions(+), 192 deletions(-)
delete mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
delete mode 100644 meta/recipes-devtools/subversion/subversion_1.9.6.bb
create mode 100644 meta/recipes-devtools/subversion/subversion_1.9.7.bb
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
deleted file mode 100644
index 0599c2b..0000000
--- a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-------------------------------------------------------------------------
-r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
-
-Fix CVE-2017-9800.
-
-See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
-
-* subversion/libsvn_ra_svn/client.c
- (svn_ctype.h): Include.
- (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
- Expect the 'hostinfo' parameter to be URI-decoded.
- (is_valid_hostinfo): New.
- (ra_svn_open): Validate the hostname before using it.
-
-* subversion/libsvn_subr/config_file.c
- (svn_config_ensure): Update the example configuration likewise.
-
-Patch by: philip
-Review by: danielsh
- stsp
- astieger (earlier version)
-
-Upstream-Status: Backport
-http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
-
-CVE: CVE-2017-9800
-
-Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
----
-Index: subversion/libsvn_subr/config_file.c
-===================================================================
---- subversion/libsvn_subr/config_file.c (revision 1804690)
-+++ subversion/libsvn_subr/config_file.c (revision 1804691)
-@@ -1448,12 +1448,12 @@
- "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
- "### built-in ssh scheme were not predefined, it could be defined" NL
- "### as:" NL
-- "# ssh = $SVN_SSH ssh -q" NL
-+ "# ssh = $SVN_SSH ssh -q --" NL
- "### If you wanted to define a new 'rsh' scheme, to be used with" NL
- "### 'svn+rsh:' URLs, you could do so as follows:" NL
-- "# rsh = rsh" NL
-+ "# rsh = rsh --" NL
- "### Or, if you wanted to specify a full path and arguments:" NL
-- "# rsh = /path/to/rsh -l myusername" NL
-+ "# rsh = /path/to/rsh -l myusername --" NL
- "### On Windows, if you are specifying a full path to a command," NL
- "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
- "### path separator. A single backslash will be treated as an" NL
-Index: subversion/libsvn_ra_svn/client.c
-===================================================================
---- subversion/libsvn_ra_svn/client.c (revision 1804690)
-+++ subversion/libsvn_ra_svn/client.c (revision 1804691)
-@@ -46,6 +46,7 @@
- #include "svn_props.h"
- #include "svn_mergeinfo.h"
- #include "svn_version.h"
-+#include "svn_ctype.h"
-
- #include "svn_private_config.h"
-
-@@ -398,7 +399,7 @@
- * versions have it too. If the user is using some other ssh
- * implementation that doesn't accept it, they can override it
- * in the [tunnels] section of the config. */
-- val = "$SVN_SSH ssh -q";
-+ val = "$SVN_SSH ssh -q --";
- }
-
- if (!val || !*val)
-@@ -443,7 +444,7 @@
- for (n = 0; cmd_argv[n] != NULL; n++)
- argv[n] = cmd_argv[n];
-
-- argv[n++] = svn_path_uri_decode(hostinfo, pool);
-+ argv[n++] = hostinfo;
- argv[n++] = "svnserve";
- argv[n++] = "-t";
- argv[n] = NULL;
-@@ -811,7 +812,33 @@
- }
-
-
-+/* A simple whitelist to ensure the following are valid:
-+ * user at server
-+ * [::1]:22
-+ * server-name
-+ * server_name
-+ * 127.0.0.1
-+ * with an extra restriction that a leading '-' is invalid.
-+ */
-+static svn_boolean_t
-+is_valid_hostinfo(const char *hostinfo)
-+{
-+ const char *p = hostinfo;
-
-+ if (p[0] == '-')
-+ return FALSE;
-+
-+ while (*p)
-+ {
-+ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
-+ return FALSE;
-+
-+ ++p;
-+ }
-+
-+ return TRUE;
-+}
-+
- static svn_error_t *ra_svn_open(svn_ra_session_t *session,
- const char **corrected_url,
- const char *url,
-@@ -844,8 +871,18 @@
- || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
- && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
- tunnel))))
-- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
-- result_pool));
-+ {
-+ const char *decoded_hostinfo;
-+
-+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
-+
-+ if (!is_valid_hostinfo(decoded_hostinfo))
-+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
-+ uri.hostinfo);
-+
-+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
-+ config, result_pool));
-+ }
- else
- tunnel_argv = NULL;
-
-
-------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
deleted file mode 100644
index 532edeb..0000000
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ /dev/null
@@ -1,56 +0,0 @@
-SUMMARY = "Subversion (svn) version control system client"
-SECTION = "console/network"
-DEPENDS = "apr-util serf sqlite3 file"
-DEPENDS_append_class-native = " file-replacement-native"
-RDEPENDS_${PN} = "serf"
-LICENSE = "Apache-2"
-HOMEPAGE = "http://subversion.tigris.org"
-
-BBCLASSEXTEND = "native"
-
-inherit gettext pkgconfig
-
-SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
- file://disable_macos.patch \
- file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
- file://0001-Fix-libtool-name-in-configure.ac.patch \
- file://serfmacro.patch \
- file://CVE-2017-9800.patch;striplevel=0 \
- "
-
-SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"
-SRC_URI[sha256sum] = "dbcbc51fb634082f009121f2cb64350ce32146612787ffb0f7ced351aacaae19"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709"
-
-PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl"
-PACKAGECONFIG[gnome-keyring] = "--with-gnome-keyring,--without-gnome-keyring,glib-2.0 gnome-keyring"
-
-EXTRA_OECONF = " \
- --without-berkeley-db --without-apxs \
- --without-swig --with-apr=${STAGING_BINDIR_CROSS} \
- --with-apr-util=${STAGING_BINDIR_CROSS} \
- --disable-keychain \
- ac_cv_path_RUBY=none"
-
-inherit autotools
-
-export LDFLAGS += " -L${STAGING_LIBDIR} "
-CPPFLAGS += "-P"
-BUILD_CPPFLAGS += "-P"
-
-acpaths = "-I build/ -I build/ac-macros/"
-
-do_configure_prepend () {
- rm -f ${S}/libtool
- rm -f ${S}/build/libtool.m4 ${S}/build/ltmain.sh ${S}/build/ltoptions.m4 ${S}/build/ltsugar.m4 ${S}/build/ltversion.m4 ${S}/build/lt~obsolete.m4
- rm -f ${S}/aclocal.m4
- sed -i -e 's:with_sasl="/usr/local":with_sasl="${STAGING_DIR}":' ${S}/build/ac-macros/sasl.m4
-}
-
-#| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_local/libsvn_ra_local-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_repos/libsvn_repos-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| /usr/bin/ld: cannot find -lsvn_delta-1| collect2: ld returned 1 exit status| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/su!
bversion/libsvn_ra_svn/libsvn_ra_svn-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_serf/libsvn_ra_serf-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'
-#| x86_64-linux-libtool: install: error: relink `libsvn_ra_serf-1.la' with the above command before installing it
-#| x86_64-linux-libtool: install: warning: `../../subversion/libsvn_repos/libsvn_repos-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'
-#| /home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/subversion-1.8.9/build-outputs.mk:1090: recipe for target 'install-serf-lib' failed
-#| make: *** [install-serf-lib] Error 1
-PARALLEL_MAKEINST = ""
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.7.bb b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
new file mode 100644
index 0000000..57735f7
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion_1.9.7.bb
@@ -0,0 +1,55 @@
+SUMMARY = "Subversion (svn) version control system client"
+SECTION = "console/network"
+DEPENDS = "apr-util serf sqlite3 file"
+DEPENDS_append_class-native = " file-replacement-native"
+RDEPENDS_${PN} = "serf"
+LICENSE = "Apache-2"
+HOMEPAGE = "http://subversion.tigris.org"
+
+BBCLASSEXTEND = "native"
+
+inherit gettext pkgconfig
+
+SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
+ file://disable_macos.patch \
+ file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
+ file://0001-Fix-libtool-name-in-configure.ac.patch \
+ file://serfmacro.patch \
+ "
+
+SRC_URI[md5sum] = "05b0c677681073920f938c1f322e0be2"
+SRC_URI[sha256sum] = "c3b118333ce12e501d509e66bb0a47bcc34d053990acab45559431ac3e491623"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=af81ae49ba359e70626c05e9bf313709"
+
+PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl"
+PACKAGECONFIG[gnome-keyring] = "--with-gnome-keyring,--without-gnome-keyring,glib-2.0 gnome-keyring"
+
+EXTRA_OECONF = " \
+ --without-berkeley-db --without-apxs \
+ --without-swig --with-apr=${STAGING_BINDIR_CROSS} \
+ --with-apr-util=${STAGING_BINDIR_CROSS} \
+ --disable-keychain \
+ ac_cv_path_RUBY=none"
+
+inherit autotools
+
+export LDFLAGS += " -L${STAGING_LIBDIR} "
+CPPFLAGS += "-P"
+BUILD_CPPFLAGS += "-P"
+
+acpaths = "-I build/ -I build/ac-macros/"
+
+do_configure_prepend () {
+ rm -f ${S}/libtool
+ rm -f ${S}/build/libtool.m4 ${S}/build/ltmain.sh ${S}/build/ltoptions.m4 ${S}/build/ltsugar.m4 ${S}/build/ltversion.m4 ${S}/build/lt~obsolete.m4
+ rm -f ${S}/aclocal.m4
+ sed -i -e 's:with_sasl="/usr/local":with_sasl="${STAGING_DIR}":' ${S}/build/ac-macros/sasl.m4
+}
+
+#| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_local/libsvn_ra_local-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_repos/libsvn_repos-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| /usr/bin/ld: cannot find -lsvn_delta-1| collect2: ld returned 1 exit status| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/su!
bversion/libsvn_ra_svn/libsvn_ra_svn-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'| x86_64-linux-libtool: install: warning: `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/build/subversion/libsvn_ra_serf/libsvn_ra_serf-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'
+#| x86_64-linux-libtool: install: error: relink `libsvn_ra_serf-1.la' with the above command before installing it
+#| x86_64-linux-libtool: install: warning: `../../subversion/libsvn_repos/libsvn_repos-1.la' has not been installed in `/home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/sysroots/x86_64-linux/usr/lib'
+#| /home/pokybuild/yocto-autobuilder/yocto-worker/nightly-qa-logrotate/build/build/tmp/work/x86_64-linux/subversion-native/1.8.9-r0/subversion-1.8.9/build-outputs.mk:1090: recipe for target 'install-serf-lib' failed
+#| make: *** [install-serf-lib] Error 1
+PARALLEL_MAKEINST = ""
--
2.7.4
More information about the Openembedded-core
mailing list