mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 12:29:55 +00:00
Code Issues Projects Releases Wiki Activity

subversion: fix CVE-2017-9800

Browse Source 
A maliciously constructed svn+ssh:// URL would cause Subversion clients
before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3
to run an arbitrary shell command. Such a URL could be generated by a
malicious server, by a malicious user committing to a honest server(to
attack another user of that server's repositories), or by a proxy
server.

The vulnerability affects all clients, including those that use
file://, http://, and plain (untunneled) svn://.

Backport patch from:
http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691

Reference:
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

(From OE-Core rev: 6e1f8001a0f3c26cce9c692d25987a3c47ff2f74)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Wenzong Fan
2017-09-07 02:49:06 -07:00
committed by Richard Purdie
parent f2a8f94430
commit 3f5906e086
2 changed files with 137 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
+136
View File
@@ -0,0 +1,136 @@
------------------------------------------------------------------------
r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
Fix CVE-2017-9800.
See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
* subversion/libsvn_ra_svn/client.c
(svn_ctype.h): Include.
(find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
Expect the 'hostinfo' parameter to be URI-decoded.
(is_valid_hostinfo): New.
(ra_svn_open): Validate the hostname before using it.
* subversion/libsvn_subr/config_file.c
(svn_config_ensure): Update the example configuration likewise.
Patch by: philip
Review by: danielsh
stsp
astieger (earlier version)
Upstream-Status: Backport
http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
CVE: CVE-2017-9800
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
Index: subversion/libsvn_subr/config_file.c
===================================================================
--- subversion/libsvn_subr/config_file.c (revision 1804690)
+++ subversion/libsvn_subr/config_file.c (revision 1804691)
@@ -1448,12 +1448,12 @@
"### passed to the tunnel agent as <user>@<hostname>.) If the" NL
"### built-in ssh scheme were not predefined, it could be defined" NL
"### as:" NL
- "# ssh = $SVN_SSH ssh -q" NL
+ "# ssh = $SVN_SSH ssh -q --" NL
"### If you wanted to define a new 'rsh' scheme, to be used with" NL
"### 'svn+rsh:' URLs, you could do so as follows:" NL
- "# rsh = rsh" NL
+ "# rsh = rsh --" NL
"### Or, if you wanted to specify a full path and arguments:" NL
- "# rsh = /path/to/rsh -l myusername" NL
+ "# rsh = /path/to/rsh -l myusername --" NL
"### On Windows, if you are specifying a full path to a command," NL
"### use a forward slash (/) or a paired backslash (\\\\) as the" NL
"### path separator. A single backslash will be treated as an" NL
Index: subversion/libsvn_ra_svn/client.c
===================================================================
--- subversion/libsvn_ra_svn/client.c (revision 1804690)
+++ subversion/libsvn_ra_svn/client.c (revision 1804691)
@@ -46,6 +46,7 @@
#include "svn_props.h"
#include "svn_mergeinfo.h"
#include "svn_version.h"
+#include "svn_ctype.h"
#include "svn_private_config.h"
@@ -398,7 +399,7 @@
* versions have it too. If the user is using some other ssh
* implementation that doesn't accept it, they can override it
* in the [tunnels] section of the config. */
- val = "$SVN_SSH ssh -q";
+ val = "$SVN_SSH ssh -q --";
}
if (!val || !*val)
@@ -443,7 +444,7 @@
for (n = 0; cmd_argv[n] != NULL; n++)
argv[n] = cmd_argv[n];
- argv[n++] = svn_path_uri_decode(hostinfo, pool);
+ argv[n++] = hostinfo;
argv[n++] = "svnserve";
argv[n++] = "-t";
argv[n] = NULL;
@@ -811,7 +812,33 @@
}
+/* A simple whitelist to ensure the following are valid:
+ * user@server
+ * [::1]:22
+ * server-name
+ * server_name
+ * 127.0.0.1
+ * with an extra restriction that a leading '-' is invalid.
+ */
+static svn_boolean_t
+is_valid_hostinfo(const char *hostinfo)
+{
+ const char *p = hostinfo;
+ if (p[0] == '-')
+ return FALSE;
+
+ while (*p)
+ {
+ if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
+ return FALSE;
+
+ ++p;
+ }
+
+ return TRUE;
+}
+
static svn_error_t *ra_svn_open(svn_ra_session_t *session,
const char **corrected_url,
const char *url,
@@ -844,8 +871,18 @@
|| (callbacks->check_tunnel_func && callbacks->open_tunnel_func
&& !callbacks->check_tunnel_func(callbacks->tunnel_baton,
tunnel))))
- SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
- result_pool));
+ {
+ const char *decoded_hostinfo;
+
+ decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
+
+ if (!is_valid_hostinfo(decoded_hostinfo))
+ return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
+ uri.hostinfo);
+
+ SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
+ config, result_pool));
+ }
else
tunnel_argv = NULL;
------------------------------------------------------------------------
meta/recipes-devtools/subversion/subversion_1.9.6.bb
+1
View File
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
file://0001-Fix-libtool-name-in-configure.ac.patch \
file://serfmacro.patch \
file://CVE-2017-9800.patch;striplevel=0 \
"
SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"