From: akuster808 <akuster808@gmail.com>
To: wenzong fan <wenzong.fan@windriver.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 1/6] subversion: Security Advisory - subversion - CVE-2014-3528
Date: Tue, 18 Nov 2014 22:07:12 -0800
Message-ID: <546C3390.7060803@gmail.com>
In-Reply-To: <546BF26B.10206@windriver.com>

Wenzong,

I wanted to just patch 1.8.9 for dizzy since 1.8.10 included more than
just security fixes. Looks like my subject should have included
[dizzy] even though the cover letter did. I will have to be more
careful next time.

thanks,
Armin

On 11/18/2014 05:29 PM, wenzong fan wrote:
> There's subversion 1.8.10 in master branch that has included the CVE fixes.
>
> Would you like to backport 1.8.10 from master? Or just patch 1.8.9 to
> fix this CVE?
>
> Thanks
> Wenzong
>
> On 11/19/2014 12:18 AM, Armin Kuster wrote:
>> From: Yue Tao <Yue.Tao@windriver.com>
>>
>> Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
>> 1.8.10 uses an MD5 hash of the URL and authentication realm to store
>> cached credentials, which makes it easier for remote servers to obtain
>> the credentials via a crafted authentication realm.
>>
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
>>
>> (From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806)
>>
>> Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
>> Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>> .../subversion/subversion-CVE-2014-3528.patch | 29
>> ++++++++++++++++++++++
>> .../subversion/subversion_1.6.15.bb | 1 +
>> .../subversion/subversion_1.8.9.bb | 1 +
>> 3 files changed, 31 insertions(+)
>> create mode 100644
>> meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>
>>
>> diff --git
>> a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>> b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>
>> new file mode 100644
>> index 0000000..23e738e
>> --- /dev/null
>> +++
>> b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
>>
>> @@ -0,0 +1,29 @@
>> +Upstream-Status: Backport
>> +
>> +Signed-off-by: Yue Tao <yue.tao@windriver.com>
>> +
>> +diff --git a/subversion/libsvn_subr/config_auth.c.old
>> b/subversion/libsvn_subr/config_auth.c
>> +index ff50270..c511d04 100644
>> +--- a/subversion/libsvn_subr/config_auth.c.old
>> ++++ b/subversion/libsvn_subr/config_auth.c
>> +@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
>> + if (kind == svn_node_file)
>> + {
>> + svn_stream_t *stream;
>> ++ svn_string_t *stored_realm;
>> +
>> + SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool,
>> pool),
>> + _("Unable to open auth file for reading"));
>> +@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
>> + apr_psprintf(pool, _("Error parsing '%s'"),
>> + svn_path_local_style(auth_path, pool)));
>> +
>> ++ stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
>> ++ APR_HASH_KEY_STRING);
>> ++
>> ++ if (!stored_realm || strcmp(stored_realm->data, realmstring)
>> != 0)
>> ++ *hash = NULL; /* Hash collision, or somebody tampering with
>> storage */
>> ++
>> + SVN_ERR(svn_stream_close(stream));
>> + }
>> +
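
Review bot: the header of the added patch file (the `Upstream-Status: Backport` line at the top of this hunk) names no upstream revision or release and has no description, so a later reader of the recipe cannot tell which upstream change was backported or why. Suggest adding a one-line summary with the CVE id and the fixed versions the commit message cites (1.7.17 and 1.8.10). The inner diff header also compares `config_auth.c.old` against `config_auth.c`; regenerating it so both sides name `subversion/libsvn_subr/config_auth.c` avoids depending on patch(1) to pick the right file name. On the added check itself, `*hash = NULL` drops a mismatching cache entry without any error or trace; a short note in the patch header saying that callers treat a NULL hash as "no cached credentials" would make that intent reviewable.
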
>> diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> index 6680ab6..b135bb7 100644
>> --- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> +++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
>> @@ -19,6 +19,7 @@ SRC_URI =
>> "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
>> file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
>> file://subversion-CVE-2013-4277.patch \
>> file://subversion-CVE-2014-3522.patch \
>> + file://subversion-CVE-2014-3528.patch \
>> "
>>
>> SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
>> diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> index e1ab945..1ef59a0 100644
>> --- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> +++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
>> @@ -13,6 +13,7 @@ SRC_URI =
>> "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
>> file://libtool2.patch \
>> file://disable_macos.patch \
>> file://subversion-CVE-2014-3522.patch;striplevel=0 \
>> + file://subversion-CVE-2014-3528.patch \
>> "
>> SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
>> SRC_URI[sha256sum] =
>> "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
>>
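
Review bot: the `file://subversion-CVE-2014-3528.patch` entry added here reuses the same patch file that the 1.6.15 recipe lists, so its two hunks (at lines 85 and 95 of `config_auth.c`, with `svn_path_local_style(auth_path, pool)` as context) have to match both source trees. Please confirm that do_patch applies it to 1.8.9 without fuzz or offset, or carry a version-specific copy for this recipe. The default strip level is correct for this entry, since the patch uses `a/` and `b/` prefixes, unlike the `striplevel=0` entry just above it.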