summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system/cvs/APKBUILD13
-rw-r--r--system/cvs/CVE-2010-3846.patch167
-rw-r--r--system/cvs/CVE-2017-12836.patch58
3 files changed, 236 insertions, 2 deletions
diff --git a/system/cvs/APKBUILD b/system/cvs/APKBUILD
index 8dfcca172..f9160f62b 100644
--- a/system/cvs/APKBUILD
+++ b/system/cvs/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=cvs
pkgver=1.11.23
-pkgrel=1
+pkgrel=2
pkgdesc="Concurrent Versions System"
url="https://www.nongnu.org/cvs/"
arch="all"
@@ -14,8 +14,15 @@ install=
subpackages="$pkgname-doc"
source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
cvs-musl.patch
+ CVE-2010-3846.patch
+ CVE-2017-12836.patch
"
+# secfixes:
+# 1.11.23-r2:
+# - CVE-2010-3846
+# - CVE-2017-12836
+
build() {
cd "$builddir"
./configure \
@@ -36,4 +43,6 @@ package() {
}
sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch"
+7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch
+eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85 CVE-2010-3846.patch
+2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121 CVE-2017-12836.patch"
diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch
new file mode 100644
index 000000000..e1560cef8
--- /dev/null
+++ b/system/cvs/CVE-2010-3846.patch
@@ -0,0 +1,167 @@
+From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
+From: Larry Jones <lawrence.jones@siemens.com>
+Date: Thu, 21 Oct 2010 10:08:16 +0200
+Subject: [PATCH] Fix for CVE-2010-3846
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Mallformed RCS revision (delete after the end of input file, or overlayed
+deleted regions) screws output file image size computation. This leads to
+write attempt after the allocated memory opening hiden memory corruption
+driven by CVS server.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/rcs.c | 52 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/src/rcs.c b/src/rcs.c
+index 7d0d078..2f88f85 100644
+--- a/src/rcs.c
++++ b/src/rcs.c
+@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ struct deltafrag *dfhead;
+ struct deltafrag **dftail;
+ struct deltafrag *df;
+- unsigned long numlines, lastmodline, offset;
++ unsigned long numlines, offset;
+ struct linevector lines;
+ int err;
+
+@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+
+ /* New temp data structure to hold new org before
+ copy back into original structure. */
+- lines.nlines = lines.lines_alloced = numlines;
++ lines.lines_alloced = numlines;
+ lines.vector = xmalloc (numlines * sizeof *lines.vector);
+
+ /* We changed the list order to first to last -- so the
+ list never gets larger than the size numlines. */
+- lastmodline = 0;
++ lines.nlines = 0;
+
+ /* offset created when adding/removing lines
+ between new and original structure */
+@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ for (df = dfhead; df != NULL; )
+ {
+ unsigned int ln;
+- unsigned long deltaend;
++ unsigned long newpos = df->pos - offset;
+
+- if (df->pos > orig_lines->nlines)
++ if (newpos < lines.nlines || newpos > numlines)
+ err = 1;
+
+ /* On error, just free the rest of the list. */
+ if (!err)
+ {
+- /* Here we need to get to the line where the next insert will
++ /* Here we need to get to the line where the next change will
+ begin, which is DF->pos in ORIG_LINES. We will fill up to
+ DF->pos - OFFSET in LINES with original items. */
+- for (deltaend = df->pos - offset;
+- lastmodline < deltaend;
+- lastmodline++)
++ while (lines.nlines < newpos)
+ {
+ /* we need to copy from the orig structure into new one */
+- lines.vector[lastmodline] =
+- orig_lines->vector[lastmodline + offset];
+- lines.vector[lastmodline]->refcount++;
++ lines.vector[lines.nlines] =
++ orig_lines->vector[lines.nlines + offset];
++ lines.vector[lines.nlines]->refcount++;
++ lines.nlines++;
+ }
+
+ switch (df->type)
+@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ struct line *q;
+ int nextline_newline;
+ size_t nextline_len;
+-
++
++ if (newpos + df->nlines > numlines)
++ {
++ err = 1;
++ break;
++ }
+ textend = df->new_lines + df->len;
+ nextline_newline = 0;
+ nextline_text = df->new_lines;
+@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ q->has_newline = nextline_newline;
+ q->refcount = 1;
+ memcpy (q->text, nextline_text, nextline_len);
+- lines.vector[lastmodline++] = q;
+- offset--;
++ lines.vector[lines.nlines++] = q;
+
+ nextline_text = (char *)p + 1;
+ nextline_newline = 0;
+@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ q->has_newline = nextline_newline;
+ q->refcount = 1;
+ memcpy (q->text, nextline_text, nextline_len);
+- lines.vector[lastmodline++] = q;
++ lines.vector[lines.nlines++] = q;
+
+ /* For each line we add the offset between the #'s
+ decreases. */
+- offset--;
++ offset -= df->nlines;
+ break;
+ }
+
+@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ if (df->pos + df->nlines > orig_lines->nlines)
+ err = 1;
+ else if (delvers)
++ {
+ for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
++ {
+ if (orig_lines->vector[ln]->refcount > 1)
+ /* Annotate needs this but, since the original
+ * vector is disposed of before returning from
+@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ * there are multiple references.
+ */
+ orig_lines->vector[ln]->vers = delvers;
++ }
++ }
+ break;
+ }
+ }
+@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ else
+ {
+ /* add the rest of the remaining lines to the data vector */
+- for (; lastmodline < numlines; lastmodline++)
++ while (lines.nlines < numlines)
+ {
+ /* we need to copy from the orig structure into new one */
+- lines.vector[lastmodline] = orig_lines->vector[lastmodline
++ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
+ + offset];
+- lines.vector[lastmodline]->refcount++;
++ lines.vector[lines.nlines]->refcount++;
++ lines.nlines++;
+ }
+
+ /* Move the lines vector to the original structure for output,
+ * first deleting the old.
+ */
+ linevector_free (orig_lines);
+- orig_lines->vector = lines.vector;
+- orig_lines->lines_alloced = numlines;
+- orig_lines->nlines = lines.nlines;
++ *orig_lines = lines;
+ }
+
+ return !err;
+--
+1.7.2.3
+
diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch
new file mode 100644
index 000000000..770115a5e
--- /dev/null
+++ b/system/cvs/CVE-2017-12836.patch
@@ -0,0 +1,58 @@
+From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 14 Aug 2017 10:32:25 +0200
+Subject: [PATCH] Fix CVE-2017-12836
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The hostname passed to RSH (ssh) client could be interpreted by
+OpenSSH client as an option and lead to local command execution.
+
+This fix adds no-more-options "--" separator before the hostname
+argument to the RSH client command.
+
+Original patch by Thorsten Glaser <tg@mirbsd.de> from
+<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
+1.11.23.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/client.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/client.c b/src/client.c
+index 2bef1a0..e87cda9 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
+ char *cvs_rsh;
+ char *cvs_server = getenv ("CVS_SERVER");
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+ "cmd (w/ args)", and NULL. We leave some room to grow. */
+ char *rsh_argv[10];
+
+@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
+ rsh_argv[i++] = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ rsh_argv[i++] = "server";
+@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
+ *p++ = root->username;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
+--
+2.9.5
+