aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWenzong Fan <wenzong.fan@windriver.com>2017-09-07 02:49:06 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-11 17:30:13 +0100
commit6e1f8001a0f3c26cce9c692d25987a3c47ff2f74 (patch)
tree3e204fb030fc5715fd52ef275d38b4fe10e759db
parent34cde8e965acca2706d3e3d8b5b3e9f4c3e010c3 (diff)
downloadopenembedded-core-contrib-6e1f8001a0f3c26cce9c692d25987a3c47ff2f74.tar.gz
subversion: fix CVE-2017-9800
A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server(to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. Backport patch from: http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691 Reference: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch136
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.9.6.bb1
2 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
new file mode 100644
index 0000000000..0599c2badb
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
@@ -0,0 +1,136 @@
+------------------------------------------------------------------------
+r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
+
+Fix CVE-2017-9800.
+
+See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
+
+* subversion/libsvn_ra_svn/client.c
+ (svn_ctype.h): Include.
+ (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
+ Expect the 'hostinfo' parameter to be URI-decoded.
+ (is_valid_hostinfo): New.
+ (ra_svn_open): Validate the hostname before using it.
+
+* subversion/libsvn_subr/config_file.c
+ (svn_config_ensure): Update the example configuration likewise.
+
+Patch by: philip
+Review by: danielsh
+ stsp
+ astieger (earlier version)
+
+Upstream-Status: Backport
+http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
+
+CVE: CVE-2017-9800
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c (revision 1804690)
++++ subversion/libsvn_subr/config_file.c (revision 1804691)
+@@ -1448,12 +1448,12 @@
+ "### passed to the tunnel agent as <user>@<hostname>.) If the" NL
+ "### built-in ssh scheme were not predefined, it could be defined" NL
+ "### as:" NL
+- "# ssh = $SVN_SSH ssh -q" NL
++ "# ssh = $SVN_SSH ssh -q --" NL
+ "### If you wanted to define a new 'rsh' scheme, to be used with" NL
+ "### 'svn+rsh:' URLs, you could do so as follows:" NL
+- "# rsh = rsh" NL
++ "# rsh = rsh --" NL
+ "### Or, if you wanted to specify a full path and arguments:" NL
+- "# rsh = /path/to/rsh -l myusername" NL
++ "# rsh = /path/to/rsh -l myusername --" NL
+ "### On Windows, if you are specifying a full path to a command," NL
+ "### use a forward slash (/) or a paired backslash (\\\\) as the" NL
+ "### path separator. A single backslash will be treated as an" NL
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c (revision 1804690)
++++ subversion/libsvn_ra_svn/client.c (revision 1804691)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
++#include "svn_ctype.h"
+
+ #include "svn_private_config.h"
+
+@@ -398,7 +399,7 @@
+ * versions have it too. If the user is using some other ssh
+ * implementation that doesn't accept it, they can override it
+ * in the [tunnels] section of the config. */
+- val = "$SVN_SSH ssh -q";
++ val = "$SVN_SSH ssh -q --";
+ }
+
+ if (!val || !*val)
+@@ -443,7 +444,7 @@
+ for (n = 0; cmd_argv[n] != NULL; n++)
+ argv[n] = cmd_argv[n];
+
+- argv[n++] = svn_path_uri_decode(hostinfo, pool);
++ argv[n++] = hostinfo;
+ argv[n++] = "svnserve";
+ argv[n++] = "-t";
+ argv[n] = NULL;
+@@ -811,7 +812,33 @@
+ }
+
+
++/* A simple whitelist to ensure the following are valid:
++ * user@server
++ * [::1]:22
++ * server-name
++ * server_name
++ * 127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++ const char *p = hostinfo;
+
++ if (p[0] == '-')
++ return FALSE;
++
++ while (*p)
++ {
++ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++ return FALSE;
++
++ ++p;
++ }
++
++ return TRUE;
++}
++
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+ const char **corrected_url,
+ const char *url,
+@@ -844,8 +871,18 @@
+ || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
+ && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
+ tunnel))))
+- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+- result_pool));
++ {
++ const char *decoded_hostinfo;
++
++ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
++
++ if (!is_valid_hostinfo(decoded_hostinfo))
++ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++ uri.hostinfo);
++
++ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++ config, result_pool));
++ }
+ else
+ tunnel_argv = NULL;
+
+
+------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
index f49e26a5c8..532edeb080 100644
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
file://0001-Fix-libtool-name-in-configure.ac.patch \
file://serfmacro.patch \
+ file://CVE-2017-9800.patch;striplevel=0 \
"
SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"