| Age | Commit message (Collapse) | Author |
|---|
|
Remove backported patch.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- Backport a patch to fix build failure while APR 1.7.0
...
checking for apr_int64_t Python/C API format string...
configure: error: failed to recognize APR_INT64_T_FMT on this platform
...
- Rebase disable_macos.patch and serfmacro.patch
License-update: no change, declare two new added file
* in build/ac-macros/ax_boost_base.m4
* in build/ac-macros/ax_boost_unit_test_framework.m4
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Commit 5bb47984af79 "subversion: 1.9.7 -> 1.10.0" dropped
serf.m4-Regex-modified-to-allow-D-in-paths.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A maliciously constructed svn+ssh:// URL would cause Subversion clients
before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3
to run an arbitrary shell command. Such a URL could be generated by a
malicious server, by a malicious user committing to a honest server(to
attack another user of that server's repositories), or by a proxy
server.
The vulnerability affects all clients, including those that use
file://, http://, and plain (untunneled) svn://.
Backport patch from:
http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
Reference:
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This reverts commit cfe6f3e251240c9d9a70354be0501600357f0b87.
This is because the apr configure wrong, when the apr configure meets the
cross compiling, it pass 8 bytes to "off_t", in apr source code configure.in,
it was hardcoded:
APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
The macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4,
it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross
compiling enable.
But in glibc on the x86 or multilib target the "off_t" was 4 bytes, so this
cases dismatch for softwares which use the apr.h, such as subversion, run this:
svnadmin create test
It failed because the "APR_OFF_T_FMT" was "lld" in apr.h when apr configure,
but the "apr_off_t" was 4 bytes, in the apr source code: apr_snprintf.c
i_quad = va_arg(ap, apr_int64_t);
When the function apr_vformatter meets "lld", it would use the above to parse,
but the above read 8 bytes, so the follow-up data go to wrong.
So we should configure the apr correct when cross compiling. I do this on the
following patchs.
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The existing sed expression can match expressions like
--sysroot=/some/path/xxx-linux/ which clearly isn't intended and
injects incorrect paths into LDFLAGS.
Fix this in the same way we address the problem in CFLAGS. This fixes corrupt
build paths and incorrect paths in .la files amongst other issues.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When run the following command on x86:
svnadmin create /var/test_repo
It cause segmentation fault error like the following:
[16499.751837] svnadmin[21117]: segfault at 83 ip 00000000f74bf7f6 sp 00000000ffdd9b34 error 4 in libc-2.24.so[f7441000+1af000]
Segmentation fault (core dumped)
This is because in source code ./subversion/libsvn_fs_fs/low_level.c,
function svn_fs_fs__unparse_footer, when:
target arch: x86
apr_off_t: 4 bytes
if the "APR_OFF_T_FMT" is "lld", it still use type "apr_off_t" to pass
data to apr, but in apr source code file apr_snprintf.c the function
apr_vformatter meet "lld", it would use the:
i_quad = va_arg(ap, apr_int64_t);
It uses the apr_int64_t to deal data, it read 8 bytes, so the follow-up
data may be error.
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop backported CVE fix patches
libtool2.patch has been rebased and renamed to 0001-Fix-libtool-name-in-configure.ac.patch
LICENSE checksum has been updated because more 3rd party attributions have been added to it,
it's otherwise still Apache 2.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Removing the 1.6.X recipes, since there is a new version 1.8.X recipes,
and hope that all projects already upgraded their premirror caches to
use new format
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
1.8.10 uses an MD5 hash of the URL and authentication realm to store
cached credentials, which makes it easier for remote servers to obtain
the credentials via a crafted authentication realm.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18
and 1.8.x before 1.8.10 does not properly handle wildcards in the Common
Name (CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof servers via a crafted
certificate.<a href=http://cwe.mitre.org/data/definitions/297.html
target=_blank>CWE-297: Improper Validation of Certificate with Host
Mismatch</a>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3522
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through
1.8.1 allows local users to overwrite arbitrary files or kill arbitrary
processes via a symlink attack on the file specified by the --pid-file
option.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4277
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21
and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of
service (NULL pointer dereference and crash) via a LOCK on an activity URL.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1846
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20
and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via an anonymous LOCK for a URL that does
not exist.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1847
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before
1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to
cause a denial of service (memory consumption) by (1) setting or (2)
deleting a large number of properties for a file or directory.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0
through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass
intended access restrictions and possibly cause a denial of service
(resource consumption) via a relative URL in a REPORT request.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4505
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Reject operations on getcontentlength and getcontenttype properties
if the resource is an activity.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
install-neon-lib needs libsvn_delta-1.la which will be regenerated
during libsvn_delta-1.la's installation, if libsvn_delta-1.la is
in regenerating and at the same time install-neon-lib links it, the
error willl happen.
The error message is:
/bin/ld: cannot find -lsvn_delta-1
collect2: error: ld returned 1 exit status
This is a parallel issue, so it doesn't happen often.
Note:
The autoreconf doesn't generate build-outputs.mk, it would be generated
by autogen.sh (use build.conf as the input), but autogen.sh isn't
suitable for cross compiling, so both modified build-outputs.mk and
build.conf.
[YOCTO #2727]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* upstream detection seems to be doing its job right now
* I don't see how this is supposed to work
-- neon_config="$withval/bin/neon-config"
-+ neon_config="env env PKG_CONFIG_PATH=${withval}:${PKG_CONFIG_PATH} pkg-config neon"
when neon_config should be sysroots/nokia900/usr/bin/crossscripts/neon-config
"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
Rebased this patch to the newer code
modified: subversion/disable-revision-install.patch
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
And update recipe checksums
rebased neon-detection.patch:
upstream code has some of the changes similar to the changes in the
patch. Removing the duplicate changes from the patch file.
subversion: update LIC_CHKSUM_FILES field
Noticed this change in the COPYING file:
$ diff -u COPYING /tmp/COPYING
--- COPYING 2006-05-28 07:41:18.000000000 -0700
+++ /tmp/COPYING 2010-12-03 11:16:15.000000000 -0800
@@ -10,7 +10,7 @@
on), you may use a newer version instead, at your option.
================================================================
-Copyright (c) 2000-2006 CollabNet. All rights reserved.
+Copyright (c) 2000-2009 CollabNet. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
Adrian Bunk
Hongxu Jia
Ruslan Bilovol
Richard Purdie
Wenzong Fan
Dengke Du
Alexander Kanavin
Roy Li
Yue Tao
Robert Yang
Martin Jansa
Nitin A Kamble