From: Yue Tao Date: Wed, 22 Oct 2014 07:37:29 +0000 (-0400) Subject: subversion: Security Advisory - subversion - CVE-2014-3528 X-Git-Tag: lucaceresoli/bug-15201-perf-libtraceevent-missing~32148 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0dc0432b13f38d16f642bdadf8ebc78b7a74806;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git subversion: Security Advisory - subversion - CVE-2014-3528 Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528 Signed-off-by: Yue Tao Signed-off-by: Jackie Huang Signed-off-by: Ross Burton --- diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch new file mode 100644 index 00000000000..23e738e9857 --- /dev/null +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch @@ -0,0 +1,29 @@ +Upstream-Status: Backport + +Signed-off-by: Yue Tao + +diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c +index ff50270..c511d04 100644 +--- a/subversion/libsvn_subr/config_auth.c.old ++++ b/subversion/libsvn_subr/config_auth.c +@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash, + if (kind == svn_node_file) + { + svn_stream_t *stream; ++ svn_string_t *stored_realm; + + SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool), + _("Unable to open auth file for reading")); +@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash, + apr_psprintf(pool, _("Error parsing '%s'"), + svn_path_local_style(auth_path, pool))); + ++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY, ++ APR_HASH_KEY_STRING); ++ ++ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0) ++ *hash = NULL; /* Hash collision, or somebody tampering with storage */ ++ + SVN_ERR(svn_stream_close(stream)); + } + diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb index 6680ab6d342..b135bb7a3f9 100644 --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb @@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \ file://subversion-CVE-2013-1847-CVE-2013-1846.patch \ file://subversion-CVE-2013-4277.patch \ file://subversion-CVE-2014-3522.patch \ + file://subversion-CVE-2014-3528.patch \ " SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb index e1ab945896b..1ef59a0c00c 100644 --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb +++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb @@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://libtool2.patch \ file://disable_macos.patch \ file://subversion-CVE-2014-3522.patch;striplevel=0 \ + file://subversion-CVE-2014-3528.patch \ " SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db" SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"