subversion: Security Advisory - subversion - CVE-2014-3528

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528 (From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-22 03:37:29 -04:00 · 2014-10-22 03:37:29 -04:00 · a64e37ac0e
parent 514a91df49
commit a64e37ac0e
3 changed files with 31 additions and 0 deletions
--- a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3528.patch
@ -0,0 +1,29 @@
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+diff --git a/subversion/libsvn_subr/config_auth.c.old b/subversion/libsvn_subr/config_auth.c
+index ff50270..c511d04 100644
+--- a/subversion/libsvn_subr/config_auth.c.old
+++ b/subversion/libsvn_subr/config_auth.c
+@@ -85,6 +85,7 @@ svn_config_read_auth_data(apr_hash_t **hash,
+   if (kind == svn_node_file)
+     {
+       svn_stream_t *stream;
+      svn_string_t *stored_realm;
+ 
+       SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool),
+                 _("Unable to open auth file for reading"));
+@@ -95,6 +96,12 @@ svn_config_read_auth_data(apr_hash_t **hash,
+                 apr_psprintf(pool, _("Error parsing '%s'"),
+                              svn_path_local_style(auth_path, pool)));
+ 
+      stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY,
+                                  APR_HASH_KEY_STRING);
+
+      if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0)
+        *hash = NULL; /* Hash collision, or somebody tampering with storage */
+
+       SVN_ERR(svn_stream_close(stream));
+     }
+ 
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@ -19,6 +19,7 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
           file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
           file://subversion-CVE-2013-4277.patch \
           file://subversion-CVE-2014-3522.patch \
+           file://subversion-CVE-2014-3528.patch \
 "

 SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
--- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@ -13,6 +13,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://libtool2.patch \
           file://disable_macos.patch \
           file://subversion-CVE-2014-3522.patch;striplevel=0 \
+           file://subversion-CVE-2014-3528.patch \
 "
 SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
 SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"