Insufficient validation of filenames against control characters in
Apache Subversion repositories served via mod_dav_svn allows
authenticated users with commit access to commit a corrupted revision,
leading to disruption for users of the repository. All versions of
Subversion up to and including Subversion 1.14.4 are affected if serving
repositories via mod_dav_svn. Users are recommended to upgrade to
version 1.14.5, which fixes this issue. Repositories served via other
access methods are not affected.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-46901
Upstream patches:
https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
(From OE-Core rev: 16c212bd9a9e9c35256ff308da72a518c76ce11d)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This release is primarily to fix two CVEs:
- CVE-2021-28544
- CVE-2022-24070
It also rewrites the macOS autoconf macros to be cross-compile friendly,
so we don't need to delete them anymore.
(From OE-Core rev: ecfbc2ef45a76ab96d215954ca0a109545e6ff02)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
(From OE-Core rev: 0610df3e56e350493731d49fe67261b62d346573)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Backport a patch to fix build failure while APR 1.7.0
...
checking for apr_int64_t Python/C API format string...
configure: error: failed to recognize APR_INT64_T_FMT on this platform
...
- Rebase disable_macos.patch and serfmacro.patch
License-update: no change, declare two new added file
* in build/ac-macros/ax_boost_base.m4
* in build/ac-macros/ax_boost_unit_test_framework.m4
(From OE-Core rev: 68ae5e624642218e7e01805c096da09098a8706f)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Commit 5bb47984af79 "subversion: 1.9.7 -> 1.10.0" dropped
serf.m4-Regex-modified-to-allow-D-in-paths.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 803d834780cb9380e19209f2bb93953ac3cb6165)
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit cfe6f3e251.
This is because the apr configure wrong, when the apr configure meets the
cross compiling, it pass 8 bytes to "off_t", in apr source code configure.in,
it was hardcoded:
APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
The macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4,
it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross
compiling enable.
But in glibc on the x86 or multilib target the "off_t" was 4 bytes, so this
cases dismatch for softwares which use the apr.h, such as subversion, run this:
svnadmin create test
It failed because the "APR_OFF_T_FMT" was "lld" in apr.h when apr configure,
but the "apr_off_t" was 4 bytes, in the apr source code: apr_snprintf.c
i_quad = va_arg(ap, apr_int64_t);
When the function apr_vformatter meets "lld", it would use the above to parse,
but the above read 8 bytes, so the follow-up data go to wrong.
So we should configure the apr correct when cross compiling. I do this on the
following patchs.
(From OE-Core rev: fbdfb39c011676fe61a4d58b62226126e0e9ec62)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The existing sed expression can match expressions like
--sysroot=/some/path/xxx-linux/ which clearly isn't intended and
injects incorrect paths into LDFLAGS.
Fix this in the same way we address the problem in CFLAGS. This fixes corrupt
build paths and incorrect paths in .la files amongst other issues.
(From OE-Core rev: 9a8382422ddbb0972dc25b752204f4908bb9857c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When run the following command on x86:
svnadmin create /var/test_repo
It cause segmentation fault error like the following:
[16499.751837] svnadmin[21117]: segfault at 83 ip 00000000f74bf7f6 sp 00000000ffdd9b34 error 4 in libc-2.24.so[f7441000+1af000]
Segmentation fault (core dumped)
This is because in source code ./subversion/libsvn_fs_fs/low_level.c,
function svn_fs_fs__unparse_footer, when:
target arch: x86
apr_off_t: 4 bytes
if the "APR_OFF_T_FMT" is "lld", it still use type "apr_off_t" to pass
data to apr, but in apr source code file apr_snprintf.c the function
apr_vformatter meet "lld", it would use the:
i_quad = va_arg(ap, apr_int64_t);
It uses the apr_int64_t to deal data, it read 8 bytes, so the follow-up
data may be error.
(From OE-Core rev: 7ea7e3db7801b58495b89a95ec2751d618d3a29f)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop backported CVE fix patches
libtool2.patch has been rebased and renamed to 0001-Fix-libtool-name-in-configure.ac.patch
LICENSE checksum has been updated because more 3rd party attributions have been added to it,
it's otherwise still Apache 2.
(From OE-Core rev: b57f57ea092f93bd7e1268b04c7d3c4af2149a77)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removing the 1.6.X recipes, since there is a new version 1.8.X recipes,
and hope that all projects already upgraded their premirror caches to
use new format
(From OE-Core rev: 65c4dcbefbe118eb1b04335d7d6171236a1315c2)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
install-neon-lib needs libsvn_delta-1.la which will be regenerated
during libsvn_delta-1.la's installation, if libsvn_delta-1.la is
in regenerating and at the same time install-neon-lib links it, the
error willl happen.
The error message is:
/bin/ld: cannot find -lsvn_delta-1
collect2: error: ld returned 1 exit status
This is a parallel issue, so it doesn't happen often.
Note:
The autoreconf doesn't generate build-outputs.mk, it would be generated
by autogen.sh (use build.conf as the input), but autogen.sh isn't
suitable for cross compiling, so both modified build-outputs.mk and
build.conf.
[YOCTO #2727]
(From OE-Core rev: ce37c45abb4cf43e5009867f695982de2eb33450)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* upstream detection seems to be doing its job right now
* I don't see how this is supposed to work
-- neon_config="$withval/bin/neon-config"
-+ neon_config="env env PKG_CONFIG_PATH=${withval}:${PKG_CONFIG_PATH} pkg-config neon"
when neon_config should be sysroots/nokia900/usr/bin/crossscripts/neon-config
"
(From OE-Core rev: 6466de31048260089b8988280f77efdb14ac2f21)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
And update recipe checksums
rebased neon-detection.patch:
upstream code has some of the changes similar to the changes in the
patch. Removing the duplicate changes from the patch file.
subversion: update LIC_CHKSUM_FILES field
Noticed this change in the COPYING file:
$ diff -u COPYING /tmp/COPYING
--- COPYING 2006-05-28 07:41:18.000000000 -0700
+++ /tmp/COPYING 2010-12-03 11:16:15.000000000 -0800
@@ -10,7 +10,7 @@
on), you may use a newer version instead, at your option.
================================================================
-Copyright (c) 2000-2006 CollabNet. All rights reserved.
+Copyright (c) 2000-2009 CollabNet. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
