This reverts commit cfe6f3e251.
This is because the apr configure wrong, when the apr configure meets the
cross compiling, it pass 8 bytes to "off_t", in apr source code configure.in,
it was hardcoded:
APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
The macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4,
it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross
compiling enable.
But in glibc on the x86 or multilib target the "off_t" was 4 bytes, so this
cases dismatch for softwares which use the apr.h, such as subversion, run this:
svnadmin create test
It failed because the "APR_OFF_T_FMT" was "lld" in apr.h when apr configure,
but the "apr_off_t" was 4 bytes, in the apr source code: apr_snprintf.c
i_quad = va_arg(ap, apr_int64_t);
When the function apr_vformatter meets "lld", it would use the above to parse,
but the above read 8 bytes, so the follow-up data go to wrong.
So we should configure the apr correct when cross compiling. I do this on the
following patchs.
(From OE-Core rev: fbdfb39c011676fe61a4d58b62226126e0e9ec62)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The existing sed expression can match expressions like
--sysroot=/some/path/xxx-linux/ which clearly isn't intended and
injects incorrect paths into LDFLAGS.
Fix this in the same way we address the problem in CFLAGS. This fixes corrupt
build paths and incorrect paths in .la files amongst other issues.
(From OE-Core rev: 9a8382422ddbb0972dc25b752204f4908bb9857c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When run the following command on x86:
svnadmin create /var/test_repo
It cause segmentation fault error like the following:
[16499.751837] svnadmin[21117]: segfault at 83 ip 00000000f74bf7f6 sp 00000000ffdd9b34 error 4 in libc-2.24.so[f7441000+1af000]
Segmentation fault (core dumped)
This is because in source code ./subversion/libsvn_fs_fs/low_level.c,
function svn_fs_fs__unparse_footer, when:
target arch: x86
apr_off_t: 4 bytes
if the "APR_OFF_T_FMT" is "lld", it still use type "apr_off_t" to pass
data to apr, but in apr source code file apr_snprintf.c the function
apr_vformatter meet "lld", it would use the:
i_quad = va_arg(ap, apr_int64_t);
It uses the apr_int64_t to deal data, it read 8 bytes, so the follow-up
data may be error.
(From OE-Core rev: 7ea7e3db7801b58495b89a95ec2751d618d3a29f)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 8620d13f8cf18be13429b0015d11e4efefe75b20)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It would be useful if swig was enabled, but it isn't.
(From OE-Core rev: 54cbeb2975e2ea386386fce077146935afa0f719)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop backported CVE fix patches
libtool2.patch has been rebased and renamed to 0001-Fix-libtool-name-in-configure.ac.patch
LICENSE checksum has been updated because more 3rd party attributions have been added to it,
it's otherwise still Apache 2.
(From OE-Core rev: b57f57ea092f93bd7e1268b04c7d3c4af2149a77)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The svn_repos_trace_node_locations function in Apache Subversion before
1.7.21 and 1.8.x before 1.8.14, when path-based authorization is used,
allows remote authenticated users to obtain sensitive path information
by reading the history of a node that has been moved from a hidden path.
Patch is from:
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt
(From OE-Core rev: 6da25614edcad30fdb4bea8ff47b81ff81cdaed2)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before
1.8.14, when using Apache httpd 2.4.x, does not properly restrict
anonymous access, which allows remote anonymous users to read hidden
files via the path name.
Patch is from:
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
(From OE-Core rev: 29eb921ed074d86fa8d5b205a313eb3177473a63)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Modified the regex sed in serf.m4 to allow the use of '-D' characters
in project folder names without having compilation error from
subversion-native.
[YOCTO #7874]
(From OE-Core rev: 04554b128c358e3c10f6581fd4506764a65240b8)
Signed-off-by: Jose Lamego <jose.a.lamego@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removing the 1.6.X recipes, since there is a new version 1.8.X recipes,
and hope that all projects already upgraded their premirror caches to
use new format
(From OE-Core rev: 65c4dcbefbe118eb1b04335d7d6171236a1315c2)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
upgrade to fix two CVE defects: CVE-2015-0248 and CVE-2015-0251
(From OE-Core rev: cb00b9e0330970b5c768aae9ddd4703a7172acbe)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
see https://gcc.gnu.org/gcc-5/porting_to.html
we need to stop the preprocessor from generating the #line directives
or we run into issues like
| checking for apr_int64_t Python/C API format string...
| configure: error: failed to recognize APR_INT64_T_FMT on this platform
| Configure failed. The contents of all config.log files follows to aid
debugging
| ERROR: oe_runconf failed
Rightly subversion should be fixed but lets leave that to subversion
folks
Change-Id: I02a89798ff949f79967ab0a73adcddaa4218662d
(From OE-Core rev: 7793b1c425077ed6ed11a9bc2a8b1b96612b1c96)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before
1.8.10 uses an MD5 hash of the URL and authentication realm to store
cached credentials, which makes it easier for remote servers to obtain
the credentials via a crafted authentication realm.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3528
(From OE-Core rev: e0dc0432b13f38d16f642bdadf8ebc78b7a74806)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18
and 1.8.x before 1.8.10 does not properly handle wildcards in the Common
Name (CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof servers via a crafted
certificate.<a href=http://cwe.mitre.org/data/definitions/297.html
target=_blank>CWE-297: Improper Validation of Certificate with Host
Mismatch</a>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3522
(From OE-Core rev: 06a33cd00ea11abec1ebe9d5883e44778075ccc6)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Makefile generation for subversion is horrible, I can't figure out
where the dependencies are missing, it looks like they might be missing
everywhere. Give up and disable parallel make install.
(From OE-Core rev: f5569d30b98418b201766ad07b177aac5fae4a41)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Dropped neon patches as neon support was dropped.
Dropped CVE patches as applied in later version
Added patch to avoid OS-X check which doesn't cross compile
Add PACKAGECONFIG for gnome-keyring
Addition to license:
For the file subversion/libsvn_subr/utf_width.c
* Markus Kuhn -- 2007-05-26 (Unicode 5.0)
*
* Permission to use, copy, modify, and distribute this software
* for any purpose and without fee is hereby granted. The author
* disclaims all warranties with regard to this software.
(From OE-Core rev: 99c3225cfe39f8de89555df5bd3f1e93cd731269)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through
1.8.1 allows local users to overwrite arbitrary files or kill arbitrary
processes via a symlink attack on the file specified by the --pid-file
option.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4277
(From OE-Core rev: e0e483c5b2f481240e590ebb7d6189a211450a7e)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21
and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of
service (NULL pointer dereference and crash) via a LOCK on an activity URL.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1846
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20
and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via an anonymous LOCK for a URL that does
not exist.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1847
(From OE-Core rev: 3962b76185194fa56be7f1689204a1188ea44737)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before
1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to
cause a denial of service (memory consumption) by (1) setting or (2)
deleting a large number of properties for a file or directory.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845
(From OE-Core rev: 432666b84b80f8b0d13672aa94855369f577c56d)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through
1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause
a denial of service (assertion failure or out-of-bounds read) via a
certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision
root.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4131
(From OE-Core rev: ce41ed3ca5b6ef06c02c5ca65f285e5ee8c04e7f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0
through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass
intended access restrictions and possibly cause a denial of service
(resource consumption) via a relative URL in a REPORT request.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4505
(From OE-Core rev: 02314673619f44e5838ddb65bbe22f9342ee6167)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reject operations on getcontentlength and getcontenttype properties
if the resource is an activity.
(From OE-Core rev: 94e8b503e8a5ae476037d4aa86f8e27d4a8c23ea)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A lot of our recipes had short one-line DESCRIPTION values and no
SUMMARY value set. In this case it's much better to just set SUMMARY
since DESCRIPTION is defaulted from SUMMARY anyway and then the SUMMARY
is at least useful. I also took the opportunity to fix up a lot of the
new SUMMARY values, making them concisely explain the function of the
recipe / package where possible.
(From OE-Core rev: b8feee3cf21f70ba4ec3b822d2f596d4fc02a292)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If sysroot contains '-D' or '-I' characters, the SVN_NEON_INCLUDES and
the corresponding CFLAGS will not get the correct value.
This will cause build failures.
This patch fixes the above problem.
[YOCTO #5458]
(From OE-Core rev: 7078397ef39de43244fca7e24683b2a83913cbbf)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The neon update is not recognized but subversion, so we need to patch the configure.ac
to know about 0.30, otherwise we don't have http/https support in subversion.
(From OE-Core rev: 291ab168fac15eae0e4c9234e16f394b0e1547a0)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- fix WARNING: Failed to fetch URL http://www.apache.org/dist/subversion/subversion-1.7.6.tar.bz2
- subversion-1.7.6_mod_dontdothat_svnserve_only.patch doesn't seems to be useful,
cc Marcin to get confirmation
(From OE-Core rev: 60ac9eccd6101967a89ab74344920b4b3ca8cd5f)
Signed-off-by: Eric Bénard <eric@eukrea.com>
Cc: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These were not getting fixed by orignal committer!
(From OE-Core rev: 7db73c70351939c4be9867981a8cf97148bbe57e)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Dropped --without-apache option as it does not exists.
Added patch from subversion-users ML to not build mod_dontdothat.
(From OE-Core rev: c79fb25161b958b07fbfa965768754d51717d616)
Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add missing build dependency on sqlite3
Disable Ruby checking. we do not have Ruby, and subversion always
checks ruby on host which leads to build error when ruby-dev is
installed on host.
(From OE-Core rev: d712e596cbfae59fd21096090de7fc4ac8d086e7)
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
subversion needs an explicit dependency on sqlite3, otherwise it
does not build. Tested by building core-image-minimal.
(From OE-Core rev: 47aca0f0f79c30d1df1f89c710d3e354f436145d)
Signed-off-by: Bogdan Marinescu <bogdan.a.marinescu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
install-neon-lib needs libsvn_delta-1.la which will be regenerated
during libsvn_delta-1.la's installation, if libsvn_delta-1.la is
in regenerating and at the same time install-neon-lib links it, the
error willl happen.
The error message is:
/bin/ld: cannot find -lsvn_delta-1
collect2: error: ld returned 1 exit status
This is a parallel issue, so it doesn't happen often.
Note:
The autoreconf doesn't generate build-outputs.mk, it would be generated
by autogen.sh (use build.conf as the input), but autogen.sh isn't
suitable for cross compiling, so both modified build-outputs.mk and
build.conf.
[YOCTO #2727]
(From OE-Core rev: ce37c45abb4cf43e5009867f695982de2eb33450)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This enables a switch to subversion 1.7 now bitbake is able to cope with
upgrading existing working copies. The impact of this change should be
minimal since we don't have many subversion recipes now.
(From OE-Core rev: ac0aa35ba6d7a21636bdd23d45ae0bf8112bdaa8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion-1.7.* had libtool-2.4, oe-core now has 2.4.2 and it was
failing:
x86_64-linux-libtool: Version mismatch error. This is libtool 2.4.2, but the
x86_64-linux-libtool: definition of this LT_INIT comes from libtool 2.4.
x86_64-linux-libtool: You should recreate aclocal.m4 with macros from libtool 2.4.2
x86_64-linux-libtool: and run autoconf again.
(From OE-Core rev: aa9d0de4225fe482ddbf1486f8018bc87419e228)
Signed-off-by: Klaus Kurzmann <mok@fluxnetz.de>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* intentionaly with negative D_P, bitbake fetcher should be improved to
detect old checkout with newer subversion available or vice versa and
do svn upgrade automaticaly or show better error, but subversion as
client for target or -native for distributions which explicitly say
they want 1.7 (with PREFERRED_VERSION) can be available already from
oe-core.
* be aware that checkouts from 1.7.0 are not compatible with older
subversion clients (ie when builder populating distro PREMIRROR is
using 1.7.0 all builders need to have also 1.7.0)
* and also 1.7.0 client needs to call svn upgrade in checkout first in
order to use it (so if PREMIRROR has tarball from 1.6.x it won't work
on client using 1.7.0 unless fetcher2 is improved to detect this and
call svn upgrade)
* tested on SHR distribution
http://wiki.shr-project.org/trac/wiki/Building%20SHR#subversion1.7inshr-chroot
* only missing part is to add subversion-native dependency, so that
native subversion is built, before building ie elementary (because EFL
are using svnversion from configure.ac to detect source revision and
.svn dir needs to be from compatible version).
* read http://subversion.apache.org/docs/release-notes/1.7.html
(From OE-Core rev: d092efd48d831c762747d2f6e1c6018402c3ee0f)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Dengke Du
Richard Purdie
Robert Yang
Alexander Kanavin
Wenzong Fan
Ross Burton
Jose Lamego
Roy Li
Khem Raj
Yue Tao
Paul Eggleton
Chen Qi
Martin Jansa
Saul Wold
Bogdan Marinescu
Eric Bénard
Marcin Juszkiewicz
Andrei Gherzan
Klaus Kurzmann