-rw-r--r-- | system/cvs/APKBUILD | 14 | ||||
-rw-r--r-- | system/cvs/CVE-2010-3846.patch | 167 | ||||
-rw-r--r-- | system/cvs/CVE-2017-12836.patch | 61 | ||||
-rw-r--r-- | system/cvs/cvs-musl.patch | 27 |
4 files changed, 25 insertions, 244 deletions
diff --git a/system/cvs/APKBUILD b/system/cvs/APKBUILD
index 1e84aeff3..ae7b86d08 100644
--- a/system/cvs/APKBUILD
+++ b/system/cvs/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=cvs
-pkgver=1.11.23
-pkgrel=2
+pkgver=1.12.13
+pkgrel=0
 pkgdesc="Concurrent Versions System"
 url="https://www.nongnu.org/cvs/"
 arch="all"
@@ -11,9 +11,7 @@ license="GPL-2.0+"
 depends=""
 makedepends="zlib-dev"
 subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
- cvs-musl.patch
- CVE-2010-3846.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/$pkgname-$pkgver.tar.gz
 CVE-2017-12836.patch
 "

@@ -39,7 +37,5 @@ package() {
 make -j1 DESTDIR="$pkgdir" install
 }

-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch
-eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85 CVE-2010-3846.patch
-2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121 CVE-2017-12836.patch"
+sha512sums="acd658b7ffa29a67e33f294073a0f80a27aa4e19dc2185cfa43f862d34e511bcf9802012b8e6957f82c7532fdabbb058b33686e0e6046cdd1f1aa9af619e92e9 cvs-1.12.13.tar.gz
+717e2839e38a60413071f9deef1292916d3c91544a87e7f83a37668bb09172fa7ee3ce7777e9bc474e34875e79dffc357952aa4100efb030a676ef14fa365b4c CVE-2017-12836.patch"
diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch
deleted file mode 100644
index e1560cef8..000000000
--- a/system/cvs/CVE-2010-3846.patch
+++ /dev/null
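Review bot: The `source=` hunk in system/cvs/APKBUILD drops `CVE-2010-3846.patch` without recording whether 1.12.13 still needs it. The deleted patch addresses a write past allocated memory in `apply_rcs_changes` (src/rcs.c) on malformed RCS deltas, and it was written against 1.11.23. The new tarball comes from the `feature/` line rather than `stable/`, so the fix cannot be assumed present just because the version number is higher. Before merging, check `src/rcs.c` in 1.12.13 for the same size computation and record the outcome next to the source list, for example `# CVE-2010-3846: patch dropped, <reason: affected code absent or already fixed in 1.12.13>`.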
@@ -1,167 +0,0 @@ -From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001 -From: Larry Jones <lawrence.jones@siemens.com> -Date: Thu, 21 Oct 2010 10:08:16 +0200 -Subject: [PATCH] Fix for CVE-2010-3846 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Mallformed RCS revision (delete after the end of input file, or overlayed -deleted regions) screws output file image size computation. This leads to -write attempt after the allocated memory opening hiden memory corruption -driven by CVS server. - -Signed-off-by: Petr Písař <ppisar@redhat.com> ---- - src/rcs.c | 52 +++++++++++++++++++++++++++++----------------------- - 1 files changed, 29 insertions(+), 23 deletions(-) - -diff --git a/src/rcs.c b/src/rcs.c -index 7d0d078..2f88f85 100644 ---- a/src/rcs.c -+++ b/src/rcs.c -@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - struct deltafrag *dfhead; - struct deltafrag **dftail; - struct deltafrag *df; -- unsigned long numlines, lastmodline, offset; -+ unsigned long numlines, offset; - struct linevector lines; - int err; - -@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - - /* New temp data structure to hold new org before - copy back into original structure. */ -- lines.nlines = lines.lines_alloced = numlines; -+ lines.lines_alloced = numlines; - lines.vector = xmalloc (numlines * sizeof *lines.vector); - - /* We changed the list order to first to last -- so the - list never gets larger than the size numlines. 
*/ -- lastmodline = 0; -+ lines.nlines = 0; - - /* offset created when adding/removing lines - between new and original structure */ -@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - for (df = dfhead; df != NULL; ) - { - unsigned int ln; -- unsigned long deltaend; -+ unsigned long newpos = df->pos - offset; - -- if (df->pos > orig_lines->nlines) -+ if (newpos < lines.nlines || newpos > numlines) - err = 1; - - /* On error, just free the rest of the list. */ - if (!err) - { -- /* Here we need to get to the line where the next insert will -+ /* Here we need to get to the line where the next change will - begin, which is DF->pos in ORIG_LINES. We will fill up to - DF->pos - OFFSET in LINES with original items. */ -- for (deltaend = df->pos - offset; -- lastmodline < deltaend; -- lastmodline++) -+ while (lines.nlines < newpos) - { - /* we need to copy from the orig structure into new one */ -- lines.vector[lastmodline] = -- orig_lines->vector[lastmodline + offset]; -- lines.vector[lastmodline]->refcount++; -+ lines.vector[lines.nlines] = -+ orig_lines->vector[lines.nlines + offset]; -+ lines.vector[lines.nlines]->refcount++; -+ lines.nlines++; - } - - switch (df->type) -@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - struct line *q; - int nextline_newline; - size_t nextline_len; -- -+ -+ if (newpos + df->nlines > numlines) -+ { -+ err = 1; -+ break; -+ } - textend = df->new_lines + df->len; - nextline_newline = 0; - nextline_text = df->new_lines; -@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - q->has_newline = nextline_newline; - q->refcount = 1; - memcpy (q->text, nextline_text, nextline_len); -- lines.vector[lastmodline++] = q; -- offset--; -+ lines.vector[lines.nlines++] = q; - - nextline_text = (char *)p + 1; - nextline_newline = 0; -@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, 
addvers, delvers) - q->has_newline = nextline_newline; - q->refcount = 1; - memcpy (q->text, nextline_text, nextline_len); -- lines.vector[lastmodline++] = q; -+ lines.vector[lines.nlines++] = q; - - /* For each line we add the offset between the #'s - decreases. */ -- offset--; -+ offset -= df->nlines; - break; - } - -@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - if (df->pos + df->nlines > orig_lines->nlines) - err = 1; - else if (delvers) -+ { - for (ln = df->pos; ln < df->pos + df->nlines; ++ln) -+ { - if (orig_lines->vector[ln]->refcount > 1) - /* Annotate needs this but, since the original - * vector is disposed of before returning from -@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - * there are multiple references. - */ - orig_lines->vector[ln]->vers = delvers; -+ } -+ } - break; - } - } -@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) - else - { - /* add the rest of the remaining lines to the data vector */ -- for (; lastmodline < numlines; lastmodline++) -+ while (lines.nlines < numlines) - { - /* we need to copy from the orig structure into new one */ -- lines.vector[lastmodline] = orig_lines->vector[lastmodline -+ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines - + offset]; -- lines.vector[lastmodline]->refcount++; -+ lines.vector[lines.nlines]->refcount++; -+ lines.nlines++; - } - - /* Move the lines vector to the original structure for output, - * first deleting the old. - */ - linevector_free (orig_lines); -- orig_lines->vector = lines.vector; -- orig_lines->lines_alloced = numlines; -- orig_lines->nlines = lines.nlines; -+ *orig_lines = lines; - } - - return !err; --- -1.7.2.3 - diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch index 770115a5e..d6fc3b035 100644 --- a/system/cvs/CVE-2017-12836.patch +++ b/system/cvs/CVE-2017-12836.patch 
@@ -1,58 +1,37 @@ -From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> -Date: Mon, 14 Aug 2017 10:32:25 +0200 Subject: [PATCH] Fix CVE-2017-12836 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit +From: Thorsten Glaser <tg@mirbsd.de> -The hostname passed to RSH (ssh) client could be interpreted by -OpenSSH client as an option and lead to local command execution. - -This fix adds no-more-options "--" separator before the hostname -argument to the RSH client command. - -Original patch by Thorsten Glaser <tg@mirbsd.de> from -<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to -1.11.23. - -Signed-off-by: Petr Písař <ppisar@redhat.com> ---- - src/client.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/client.c b/src/client.c -index 2bef1a0..e87cda9 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server) - char *cvs_rsh; - char *cvs_server = getenv ("CVS_SERVER"); +--- cvs-1.12.13+real/src/rsh-client.c ++++ cvs-1.12.13+real/src/rsh-client.c +@@ -53,7 +53,8 @@ + char *cvs_server = (root->cvs_server != NULL + ? root->cvs_server : getenv ("CVS_SERVER")); int i = 0; - /* This needs to fit "rsh", "-b", "-l", "USER", "host", -+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", - "cmd (w/ args)", and NULL. We leave some room to grow. */ - char *rsh_argv[10]; - -@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server) - rsh_argv[i++] = root->username; +- "cmd (w/ args)", and NULL. We leave some room to grow. */ +- char *rsh_argv[10]; ++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, ++ "--", "host", "cvs", "-R", "server", and NULL. ++ We leave some room to grow. */ ++ char *rsh_argv[16]; + +@@ -105,6 +106,9 @@ + rsh_argv[i++] = argvport; } - + + /* Only non-option arguments from here. 
(CVE-2017-12836) */ + rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; - rsh_argv[i++] = "server"; -@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server) - *p++ = root->username; + if (readonlyfs) +@@ -189,6 +193,8 @@ + *p++ = argvport; } - + + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL; --- -2.9.5 diff --git a/system/cvs/cvs-musl.patch b/system/cvs/cvs-musl.patch deleted file mode 100644 index 313377dbd..000000000 --- a/system/cvs/cvs-musl.patch +++ /dev/null @@ -1,27 +0,0 @@ ---- cvs-1.11.23.org/lib/getline.h 2013-09-16 18:28:13.026099577 +0000 -+++ cvs-1.11.23/lib/getline.h 2013-09-16 18:44:33.356064387 +0000 -@@ -12,8 +12,6 @@ - #define GETLINE_NO_LIMIT -1 - - int -- getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream)); --int - getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream, - int limit)); - int ---- cvs-1.11.23.org/lib/getline.c 2013-09-16 18:28:13.021099577 +0000 -+++ cvs-1.11.23/lib/getline.c 2013-09-16 18:45:14.463062911 +0000 -@@ -154,12 +154,7 @@ - return ret; - } - --int --getline (lineptr, n, stream) -- char **lineptr; -- size_t *n; -- FILE *stream; --{ -+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) { - return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT); - } - |
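Review bot: The rebased CVE-2017-12836.patch loses its rationale and origin. The removed header explained that a hostname could be interpreted by the ssh client as an option and lead to local command execution, and it linked the Debian bug; the new header keeps only `Subject:` and `From:`. I would keep a short description in the patch header, e.g. `Adds "--" before the hostname so the RSH client cannot parse it as an option; origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810`. Separately, the hunks are cut against `cvs-1.12.13+real/src/rsh-client.c` and their context mentions `argvport`. If the upstream tarball named in the APKBUILD lacks that code, the hunks would apply only with fuzz or not at all, so it is worth confirming after the patch step that `"--"` sits immediately before `root->hostname` in both argv builders.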