[OE-core] [PATCH] subversion: fix CVE-2017-9800

wenzong.fan at windriver.com wenzong.fan at windriver.com
Thu Sep 7 09:49:06 UTC 2017


From: Wenzong Fan <wenzong.fan at windriver.com>

A maliciously constructed svn+ssh:// URL would cause Subversion clients
before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3
to run an arbitrary shell command. Such a URL could be generated by a
malicious server, by a malicious user committing to a honest server(to
attack another user of that server's repositories), or by a proxy
server.

The vulnerability affects all clients, including those that use
file://, http://, and plain (untunneled) svn://.

Backport patch from:
http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691

Reference:
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt

Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
 .../subversion/subversion/CVE-2017-9800.patch      | 136 +++++++++++++++++++++
 .../subversion/subversion_1.9.6.bb                 |   1 +
 2 files changed, 137 insertions(+)
 create mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch

diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
new file mode 100644
index 0000000000..0599c2badb
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2017-9800.patch
@@ -0,0 +1,136 @@
+------------------------------------------------------------------------
+r1804691 | danielsh | 2017-08-10 11:14:13 -0700 (Thu, 10 Aug 2017) | 18 lines
+
+Fix CVE-2017-9800.
+
+See: https://subversion.apache.org/security/CVE-2017-0800-advisory.txt
+
+* subversion/libsvn_ra_svn/client.c
+  (svn_ctype.h): Include.
+  (find_tunnel_agent): Pass a "--" end-of-options guard to ssh.
+    Expect the 'hostinfo' parameter to be URI-decoded.
+  (is_valid_hostinfo): New.
+  (ra_svn_open): Validate the hostname before using it.
+
+* subversion/libsvn_subr/config_file.c
+  (svn_config_ensure): Update the example configuration likewise.
+
+Patch by: philip
+Review by: danielsh
+           stsp
+           astieger (earlier version)
+
+Upstream-Status: Backport
+http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
+
+CVE: CVE-2017-9800
+
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
+---
+Index: subversion/libsvn_subr/config_file.c
+===================================================================
+--- subversion/libsvn_subr/config_file.c	(revision 1804690)
++++ subversion/libsvn_subr/config_file.c	(revision 1804691)
+@@ -1448,12 +1448,12 @@
+         "### passed to the tunnel agent as <user>@<hostname>.)  If the"      NL
+         "### built-in ssh scheme were not predefined, it could be defined"   NL
+         "### as:"                                                            NL
+-        "# ssh = $SVN_SSH ssh -q"                                            NL
++        "# ssh = $SVN_SSH ssh -q --"                                         NL
+         "### If you wanted to define a new 'rsh' scheme, to be used with"    NL
+         "### 'svn+rsh:' URLs, you could do so as follows:"                   NL
+-        "# rsh = rsh"                                                        NL
++        "# rsh = rsh --"                                                     NL
+         "### Or, if you wanted to specify a full path and arguments:"        NL
+-        "# rsh = /path/to/rsh -l myusername"                                 NL
++        "# rsh = /path/to/rsh -l myusername --"                              NL
+         "### On Windows, if you are specifying a full path to a command,"    NL
+         "### use a forward slash (/) or a paired backslash (\\\\) as the"    NL
+         "### path separator.  A single backslash will be treated as an"      NL
+Index: subversion/libsvn_ra_svn/client.c
+===================================================================
+--- subversion/libsvn_ra_svn/client.c	(revision 1804690)
++++ subversion/libsvn_ra_svn/client.c	(revision 1804691)
+@@ -46,6 +46,7 @@
+ #include "svn_props.h"
+ #include "svn_mergeinfo.h"
+ #include "svn_version.h"
++#include "svn_ctype.h"
+ 
+ #include "svn_private_config.h"
+ 
+@@ -398,7 +399,7 @@
+        * versions have it too. If the user is using some other ssh
+        * implementation that doesn't accept it, they can override it
+        * in the [tunnels] section of the config. */
+-      val = "$SVN_SSH ssh -q";
++      val = "$SVN_SSH ssh -q --";
+     }
+ 
+   if (!val || !*val)
+@@ -443,7 +444,7 @@
+   for (n = 0; cmd_argv[n] != NULL; n++)
+     argv[n] = cmd_argv[n];
+ 
+-  argv[n++] = svn_path_uri_decode(hostinfo, pool);
++  argv[n++] = hostinfo;
+   argv[n++] = "svnserve";
+   argv[n++] = "-t";
+   argv[n] = NULL;
+@@ -811,7 +812,33 @@
+ }
+ 
+ 
++/* A simple whitelist to ensure the following are valid:
++ *   user at server
++ *   [::1]:22
++ *   server-name
++ *   server_name
++ *   127.0.0.1
++ * with an extra restriction that a leading '-' is invalid.
++ */
++static svn_boolean_t
++is_valid_hostinfo(const char *hostinfo)
++{
++  const char *p = hostinfo;
+ 
++  if (p[0] == '-')
++    return FALSE;
++
++  while (*p)
++    {
++      if (!svn_ctype_isalnum(*p) && !strchr(":.-_[]@", *p))
++        return FALSE;
++
++      ++p;
++    }
++
++  return TRUE;
++}
++
+ static svn_error_t *ra_svn_open(svn_ra_session_t *session,
+                                 const char **corrected_url,
+                                 const char *url,
+@@ -844,8 +871,18 @@
+           || (callbacks->check_tunnel_func && callbacks->open_tunnel_func
+               && !callbacks->check_tunnel_func(callbacks->tunnel_baton,
+                                                tunnel))))
+-    SVN_ERR(find_tunnel_agent(tunnel, uri.hostinfo, &tunnel_argv, config,
+-                              result_pool));
++    {
++      const char *decoded_hostinfo;
++
++      decoded_hostinfo = svn_path_uri_decode(uri.hostinfo, result_pool);
++
++      if (!is_valid_hostinfo(decoded_hostinfo))
++        return svn_error_createf(SVN_ERR_BAD_URL, NULL, _("Invalid host '%s'"),
++                                 uri.hostinfo);
++
++      SVN_ERR(find_tunnel_agent(tunnel, decoded_hostinfo, &tunnel_argv,
++                                config, result_pool));
++    }
+   else
+     tunnel_argv = NULL;
+ 
+
+------------------------------------------------------------------------
diff --git a/meta/recipes-devtools/subversion/subversion_1.9.6.bb b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
index f49e26a5c8..532edeb080 100644
--- a/meta/recipes-devtools/subversion/subversion_1.9.6.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.9.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://serf.m4-Regex-modified-to-allow-D-in-paths.patch \
            file://0001-Fix-libtool-name-in-configure.ac.patch \
            file://serfmacro.patch \
+           file://CVE-2017-9800.patch;striplevel=0 \
            "
 
 SRC_URI[md5sum] = "f27e00338d4a9f7f9aec9d4a3f8b418b"
-- 
2.13.0




More information about the Openembedded-core mailing list