From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail1.windriver.com (mail1.windriver.com [147.11.146.13]) by mail.openembedded.org (Postfix) with ESMTP id 49A467190D for ; Wed, 19 Nov 2014 01:29:20 +0000 (UTC) Received: from ALA-HCB.corp.ad.wrs.com (ala-hcb.corp.ad.wrs.com [147.11.189.41]) by mail1.windriver.com (8.14.9/8.14.5) with ESMTP id sAJ1THtm027204 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 18 Nov 2014 17:29:18 -0800 (PST) Received: from [128.224.162.168] (128.224.162.168) by ALA-HCB.corp.ad.wrs.com (147.11.189.41) with Microsoft SMTP Server id 14.3.174.1; Tue, 18 Nov 2014 17:29:17 -0800 Message-ID: <546BF26B.10206@windriver.com> Date: Wed, 19 Nov 2014 09:29:15 +0800 From: wenzong fan User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: Armin Kuster , References: In-Reply-To: Subject: Re: [PATCH 1/6] subversion: Security Advisory - subversion - CVE-2014-3528 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2014 01:29:26 -0000 Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit There's subversion 1.8.10 in master branch that has included the CVE fixes. Would you like to backport 1.8.10 from master? Or just patch 1.8.9 to fix this CVE? Thanks Wenzong On 11/19/2014 12:18 AM, Armin Kuster wrote: > From: Yue Tao > > Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before > 1.8.10 uses an MD5 hash of the URL and authentication realm to store > cached credentials, which makes it easier for remote servers to obtain > the credentials via a crafted authentication realm. > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528 > > (From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806) > > Signed-off-by: Yue Tao > Signed-off-by: Jackie Huang > Signed-off-by: Ross Burton > Signed-off-by: Richard Purdie > Signed-off-by: Armin Kuster > --- > .../subversion/subversion-CVE-2014-3528.patch | 29 ++++++++++++++++++++++ > .../subversion/subversion_1.6.15.bb | 1 + > .../subversion/subversion_1.8.9.bb | 1 + > 3 files changed, 31 insertions(+) > create mode 100644 meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch > > diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch > new file mode 100644 > index 0000000..23e738e > --- /dev/null > +++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch > @@ -0,0 +1,29 @@ > +Upstream-Status: Backport > + > +Signed-off-by: Yue Tao > + > +diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c > +index ff50270..c511d04 100644 > +--- a/subversion/libsvn_subr/config_auth.c.old > ++++ b/subversion/libsvn_subr/config_auth.c > +@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash, > + if (kind == svn_node_file) > + { > + svn_stream_t *stream; > ++ svn_string_t *stored_realm; > + > + SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool), > + _("Unable to open auth file for reading")); > +@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash, > + apr_psprintf(pool, _("Error parsing '%s'"), > + svn_path_local_style(auth_path, pool))); > + > ++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY, > ++ APR_HASH_KEY_STRING); > ++ > ++ if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0) > ++ *hash = NULL; /* Hash collision, or somebody tampering with storage */ > ++ > + SVN_ERR(svn_stream_close(stream)); > + } > + > diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb > index 6680ab6..b135bb7 100644 > --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb > +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb > @@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \ > file://subversion-CVE-2013-1847-CVE-2013-1846.patch \ > file://subversion-CVE-2013-4277.patch \ > file://subversion-CVE-2014-3522.patch \ > + file://subversion-CVE-2014-3528.patch \ > " > > SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" > diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb > index e1ab945..1ef59a0 100644 > --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb > +++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb > @@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > file://libtool2.patch \ > file://disable_macos.patch \ > file://subversion-CVE-2014-3522.patch;striplevel=0 \ > + file://subversion-CVE-2014-3528.patch \ > " > SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db" > SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33" >