system/cvs: bump to 1.12.13, fix CVE patch

ca8a163a · Anna Wilcox · ef7329b8 · ca8a163a · ef7329b8 · ca8a163a
Verified Commit ca8a163a authored 5 years ago by Anna Wilcox
--- a/system/cvs/APKBUILD
+++ b/system/cvs/APKBUILD
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=cvs
-pkgver=1.11.23
-pkgrel=2
+pkgver=1.12.13
+pkgrel=0
 pkgdesc="Concurrent Versions System"
 url="https://www.nongnu.org/cvs/"
 arch="all"
@@ -11,9 +11,7 @@ license="GPL-2.0+"
 depends=""
 makedepends="zlib-dev"
 subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
-	cvs-musl.patch
-	CVE-2010-3846.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/$pkgname-$pkgver.tar.gz
 	CVE-2017-12836.patch
 	"

@@ -39,7 +37,5 @@ package() {
 	make -j1 DESTDIR="$pkgdir" install
 }

-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a  cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245  cvs-musl.patch
-eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85  CVE-2010-3846.patch
-2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121  CVE-2017-12836.patch"
+sha512sums="acd658b7ffa29a67e33f294073a0f80a27aa4e19dc2185cfa43f862d34e511bcf9802012b8e6957f82c7532fdabbb058b33686e0e6046cdd1f1aa9af619e92e9  cvs-1.12.13.tar.gz
+717e2839e38a60413071f9deef1292916d3c91544a87e7f83a37668bb09172fa7ee3ce7777e9bc474e34875e79dffc357952aa4100efb030a676ef14fa365b4c  CVE-2017-12836.patch"
--- a/system/cvs/CVE-2010-3846.patch
+++ b/system/cvs/CVE-2010-3846.patch
-From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
-From: Larry Jones <lawrence.jones@siemens.com>
-Date: Thu, 21 Oct 2010 10:08:16 +0200
-Subject: [PATCH] Fix for CVE-2010-3846
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mallformed RCS revision (delete after the end of input file, or overlayed
-deleted regions) screws output file image size computation. This leads to
-write attempt after the allocated memory opening hiden memory corruption
-driven by CVS server.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
---
- src/rcs.c |   52 +++++++++++++++++++++++++++++-----------------------
- 1 files changed, 29 insertions(+), 23 deletions(-)
-
-diff --git a/src/rcs.c b/src/rcs.c
-index 7d0d078..2f88f85 100644
--- a/src/rcs.c
-+++ b/src/rcs.c
-@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-     struct deltafrag *dfhead;
-     struct deltafrag **dftail;
-     struct deltafrag *df;
-    unsigned long numlines, lastmodline, offset;
-+    unsigned long numlines, offset;
-     struct linevector lines;
-     int err;
- 
-@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 
-     /* New temp data structure to hold new org before
-        copy back into original structure. */
-    lines.nlines = lines.lines_alloced = numlines;
-+    lines.lines_alloced = numlines;
-     lines.vector = xmalloc (numlines * sizeof *lines.vector);
- 
-     /* We changed the list order to first to last -- so the
-        list never gets larger than the size numlines. */
-    lastmodline = 0; 
-+    lines.nlines = 0; 
- 
-     /* offset created when adding/removing lines
-        between new and original structure */
-@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-     for (df = dfhead; df != NULL; )
-     {
- 	unsigned int ln;
-	unsigned long deltaend;
-+	unsigned long newpos = df->pos - offset;
- 
-	if (df->pos > orig_lines->nlines)
-+	if (newpos < lines.nlines || newpos > numlines)
- 	    err = 1;
- 
- 	/* On error, just free the rest of the list.  */
- 	if (!err)
- 	{
-	    /* Here we need to get to the line where the next insert will
-+	    /* Here we need to get to the line where the next change will
- 	       begin, which is DF->pos in ORIG_LINES.  We will fill up to
- 	       DF->pos - OFFSET in LINES with original items.  */
-	    for (deltaend = df->pos - offset;
-		 lastmodline < deltaend;
-		 lastmodline++)
-+	    while (lines.nlines < newpos)
- 	    {
- 		/* we need to copy from the orig structure into new one */
-		lines.vector[lastmodline] =
-			orig_lines->vector[lastmodline + offset];
-		lines.vector[lastmodline]->refcount++;
-+		lines.vector[lines.nlines] =
-+			orig_lines->vector[lines.nlines + offset];
-+		lines.vector[lines.nlines]->refcount++;
-+		lines.nlines++;
- 	    }
- 
- 	    switch (df->type)
-@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 		    struct line *q;
- 		    int nextline_newline;
- 		    size_t nextline_len;
-		
-+
-+		    if (newpos + df->nlines > numlines)
-+		    {
-+			err = 1;
-+			break;
-+		    }
- 		    textend = df->new_lines + df->len;
- 		    nextline_newline = 0;
- 		    nextline_text = df->new_lines;
-@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 			    q->has_newline = nextline_newline;
- 			    q->refcount = 1;
- 			    memcpy (q->text, nextline_text, nextline_len);
-			    lines.vector[lastmodline++] = q;
-			    offset--;
-+			    lines.vector[lines.nlines++] = q;
- 		    
- 			    nextline_text = (char *)p + 1;
- 			    nextline_newline = 0;
-@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 		    q->has_newline = nextline_newline;
- 		    q->refcount = 1;
- 		    memcpy (q->text, nextline_text, nextline_len);
-		    lines.vector[lastmodline++] = q;
-+		    lines.vector[lines.nlines++] = q;
- 
- 		    /* For each line we add the offset between the #'s
- 		       decreases. */
-		    offset--;
-+		    offset -= df->nlines;
- 		    break;
- 		}
- 
-@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 		    if (df->pos + df->nlines > orig_lines->nlines)
- 			err = 1;
- 		    else if (delvers)
-+		    {
- 			for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
-+			{
- 			    if (orig_lines->vector[ln]->refcount > 1)
- 				/* Annotate needs this but, since the original
- 				 * vector is disposed of before returning from
-@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 				 * there are multiple references.
- 				 */
- 				orig_lines->vector[ln]->vers = delvers;
-+			}
-+		    }
- 		    break;
- 	    }
- 	}
-@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-     else
-     {
- 	/* add the rest of the remaining lines to the data vector */
-	for (; lastmodline < numlines; lastmodline++)
-+	while (lines.nlines < numlines)
- 	{
- 	    /* we need to copy from the orig structure into new one */
-	    lines.vector[lastmodline] = orig_lines->vector[lastmodline
-+	    lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
- 							   + offset];
-	    lines.vector[lastmodline]->refcount++;
-+	    lines.vector[lines.nlines]->refcount++;
-+	    lines.nlines++;
- 	}
- 
- 	/* Move the lines vector to the original structure for output,
- 	 * first deleting the old.
- 	 */
- 	linevector_free (orig_lines);
-	orig_lines->vector = lines.vector;
-	orig_lines->lines_alloced = numlines;
-	orig_lines->nlines = lines.nlines;
-+	*orig_lines = lines;
-     }
- 
-     return !err;
-- 
-1.7.2.3
-
--- a/system/cvs/CVE-2017-12836.patch
+++ b/system/cvs/CVE-2017-12836.patch
-From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 14 Aug 2017 10:32:25 +0200
 Subject: [PATCH] Fix CVE-2017-12836
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
+From: Thorsten Glaser <tg@mirbsd.de>

-The hostname passed to RSH (ssh) client could be interpreted by
-OpenSSH client as an option and lead to local command execution.
-
-This fix adds no-more-options "--" separator before the hostname
-argument to the RSH client command.
-
-Original patch by Thorsten Glaser <tg@mirbsd.de> from
-<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
-1.11.23.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
---
- src/client.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/client.c b/src/client.c
-index 2bef1a0..e87cda9 100644
--- a/src/client.c
-+++ b/src/client.c
-@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
-     char *cvs_rsh;
-     char *cvs_server = getenv ("CVS_SERVER");
+--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
+@@ -53,7 +53,8 @@
+     char *cvs_server = (root->cvs_server != NULL
+ 			? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
 -    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
-+    /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
-        "cmd (w/ args)", and NULL.  We leave some room to grow. */
-     char *rsh_argv[10];
- 
-@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
- 	rsh_argv[i++] = root->username;
+-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+-    char *rsh_argv[10];
+    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+       "--", "host", "cvs", "-R", "server", and NULL.
+       We leave some room to grow. */
+    char *rsh_argv[16];
+
+@@ -105,6 +106,9 @@
+ 	rsh_argv[i++] = argvport;
     }
- 
+
 +    /* Only non-option arguments from here. (CVE-2017-12836) */
 +    rsh_argv[i++] = "--";
 +
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
-     rsh_argv[i++] = "server";
-@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
- 	    *p++ = root->username;
+     if (readonlyfs)
+@@ -189,6 +193,8 @@
+ 		*p++ = argvport;
 	}
- 
+
 +	*p++ = "--";
 +
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
-- 
-2.9.5

--- a/system/cvs/cvs-musl.patch
+++ b/system/cvs/cvs-musl.patch
--- cvs-1.11.23.org/lib/getline.h	2013-09-16 18:28:13.026099577 +0000
-+++ cvs-1.11.23/lib/getline.h	2013-09-16 18:44:33.356064387 +0000
-@@ -12,8 +12,6 @@
- #define GETLINE_NO_LIMIT -1
- 
- int
-  getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
-int
-   getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
-                          int limit));
- int
--- cvs-1.11.23.org/lib/getline.c	2013-09-16 18:28:13.021099577 +0000
-+++ cvs-1.11.23/lib/getline.c	2013-09-16 18:45:14.463062911 +0000
-@@ -154,12 +154,7 @@
-   return ret;
- }
- 
-int
-getline (lineptr, n, stream)
-     char **lineptr;
-     size_t *n;
-     FILE *stream;
-{
-+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) {
-   return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
-