summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system/cvs/APKBUILD14
-rw-r--r--system/cvs/CVE-2010-3846.patch167
-rw-r--r--system/cvs/CVE-2017-12836.patch61
-rw-r--r--system/cvs/cvs-musl.patch27
4 files changed, 25 insertions, 244 deletions
diff --git a/system/cvs/APKBUILD b/system/cvs/APKBUILD
index 1e84aeff3..ae7b86d08 100644
--- a/system/cvs/APKBUILD
+++ b/system/cvs/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=cvs
-pkgver=1.11.23
-pkgrel=2
+pkgver=1.12.13
+pkgrel=0
pkgdesc="Concurrent Versions System"
url="https://www.nongnu.org/cvs/"
arch="all"
@@ -11,9 +11,7 @@ license="GPL-2.0+"
depends=""
makedepends="zlib-dev"
subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
- cvs-musl.patch
- CVE-2010-3846.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/$pkgname-$pkgver.tar.gz
CVE-2017-12836.patch
"
@@ -39,7 +37,5 @@ package() {
make -j1 DESTDIR="$pkgdir" install
}
-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch
-eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85 CVE-2010-3846.patch
-2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121 CVE-2017-12836.patch"
+sha512sums="acd658b7ffa29a67e33f294073a0f80a27aa4e19dc2185cfa43f862d34e511bcf9802012b8e6957f82c7532fdabbb058b33686e0e6046cdd1f1aa9af619e92e9 cvs-1.12.13.tar.gz
+717e2839e38a60413071f9deef1292916d3c91544a87e7f83a37668bb09172fa7ee3ce7777e9bc474e34875e79dffc357952aa4100efb030a676ef14fa365b4c CVE-2017-12836.patch"
diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch
deleted file mode 100644
index e1560cef8..000000000
--- a/system/cvs/CVE-2010-3846.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
-From: Larry Jones <lawrence.jones@siemens.com>
-Date: Thu, 21 Oct 2010 10:08:16 +0200
-Subject: [PATCH] Fix for CVE-2010-3846
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mallformed RCS revision (delete after the end of input file, or overlayed
-deleted regions) screws output file image size computation. This leads to
-write attempt after the allocated memory opening hiden memory corruption
-driven by CVS server.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- src/rcs.c | 52 +++++++++++++++++++++++++++++-----------------------
- 1 files changed, 29 insertions(+), 23 deletions(-)
-
-diff --git a/src/rcs.c b/src/rcs.c
-index 7d0d078..2f88f85 100644
---- a/src/rcs.c
-+++ b/src/rcs.c
-@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- struct deltafrag *dfhead;
- struct deltafrag **dftail;
- struct deltafrag *df;
-- unsigned long numlines, lastmodline, offset;
-+ unsigned long numlines, offset;
- struct linevector lines;
- int err;
-
-@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-
- /* New temp data structure to hold new org before
- copy back into original structure. */
-- lines.nlines = lines.lines_alloced = numlines;
-+ lines.lines_alloced = numlines;
- lines.vector = xmalloc (numlines * sizeof *lines.vector);
-
- /* We changed the list order to first to last -- so the
- list never gets larger than the size numlines. */
-- lastmodline = 0;
-+ lines.nlines = 0;
-
- /* offset created when adding/removing lines
- between new and original structure */
-@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- for (df = dfhead; df != NULL; )
- {
- unsigned int ln;
-- unsigned long deltaend;
-+ unsigned long newpos = df->pos - offset;
-
-- if (df->pos > orig_lines->nlines)
-+ if (newpos < lines.nlines || newpos > numlines)
- err = 1;
-
- /* On error, just free the rest of the list. */
- if (!err)
- {
-- /* Here we need to get to the line where the next insert will
-+ /* Here we need to get to the line where the next change will
- begin, which is DF->pos in ORIG_LINES. We will fill up to
- DF->pos - OFFSET in LINES with original items. */
-- for (deltaend = df->pos - offset;
-- lastmodline < deltaend;
-- lastmodline++)
-+ while (lines.nlines < newpos)
- {
- /* we need to copy from the orig structure into new one */
-- lines.vector[lastmodline] =
-- orig_lines->vector[lastmodline + offset];
-- lines.vector[lastmodline]->refcount++;
-+ lines.vector[lines.nlines] =
-+ orig_lines->vector[lines.nlines + offset];
-+ lines.vector[lines.nlines]->refcount++;
-+ lines.nlines++;
- }
-
- switch (df->type)
-@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- struct line *q;
- int nextline_newline;
- size_t nextline_len;
--
-+
-+ if (newpos + df->nlines > numlines)
-+ {
-+ err = 1;
-+ break;
-+ }
- textend = df->new_lines + df->len;
- nextline_newline = 0;
- nextline_text = df->new_lines;
-@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- q->has_newline = nextline_newline;
- q->refcount = 1;
- memcpy (q->text, nextline_text, nextline_len);
-- lines.vector[lastmodline++] = q;
-- offset--;
-+ lines.vector[lines.nlines++] = q;
-
- nextline_text = (char *)p + 1;
- nextline_newline = 0;
-@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- q->has_newline = nextline_newline;
- q->refcount = 1;
- memcpy (q->text, nextline_text, nextline_len);
-- lines.vector[lastmodline++] = q;
-+ lines.vector[lines.nlines++] = q;
-
- /* For each line we add the offset between the #'s
- decreases. */
-- offset--;
-+ offset -= df->nlines;
- break;
- }
-
-@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- if (df->pos + df->nlines > orig_lines->nlines)
- err = 1;
- else if (delvers)
-+ {
- for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
-+ {
- if (orig_lines->vector[ln]->refcount > 1)
- /* Annotate needs this but, since the original
- * vector is disposed of before returning from
-@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- * there are multiple references.
- */
- orig_lines->vector[ln]->vers = delvers;
-+ }
-+ }
- break;
- }
- }
-@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- else
- {
- /* add the rest of the remaining lines to the data vector */
-- for (; lastmodline < numlines; lastmodline++)
-+ while (lines.nlines < numlines)
- {
- /* we need to copy from the orig structure into new one */
-- lines.vector[lastmodline] = orig_lines->vector[lastmodline
-+ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
- + offset];
-- lines.vector[lastmodline]->refcount++;
-+ lines.vector[lines.nlines]->refcount++;
-+ lines.nlines++;
- }
-
- /* Move the lines vector to the original structure for output,
- * first deleting the old.
- */
- linevector_free (orig_lines);
-- orig_lines->vector = lines.vector;
-- orig_lines->lines_alloced = numlines;
-- orig_lines->nlines = lines.nlines;
-+ *orig_lines = lines;
- }
-
- return !err;
---
-1.7.2.3
-
diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch
index 770115a5e..d6fc3b035 100644
--- a/system/cvs/CVE-2017-12836.patch
+++ b/system/cvs/CVE-2017-12836.patch
@@ -1,58 +1,37 @@
-From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 14 Aug 2017 10:32:25 +0200
Subject: [PATCH] Fix CVE-2017-12836
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
+From: Thorsten Glaser <tg@mirbsd.de>
-The hostname passed to RSH (ssh) client could be interpreted by
-OpenSSH client as an option and lead to local command execution.
-
-This fix adds no-more-options "--" separator before the hostname
-argument to the RSH client command.
-
-Original patch by Thorsten Glaser <tg@mirbsd.de> from
-<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
-1.11.23.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- src/client.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/client.c b/src/client.c
-index 2bef1a0..e87cda9 100644
---- a/src/client.c
-+++ b/src/client.c
-@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
- char *cvs_rsh;
- char *cvs_server = getenv ("CVS_SERVER");
+--- cvs-1.12.13+real/src/rsh-client.c
++++ cvs-1.12.13+real/src/rsh-client.c
+@@ -53,7 +53,8 @@
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
-+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
-
-@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
- rsh_argv[i++] = root->username;
+- "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++ "--", "host", "cvs", "-R", "server", and NULL.
++ We leave some room to grow. */
++ char *rsh_argv[16];
+
+@@ -105,6 +106,9 @@
+ rsh_argv[i++] = argvport;
}
-
+
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
- rsh_argv[i++] = "server";
-@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
- *p++ = root->username;
+ if (readonlyfs)
+@@ -189,6 +193,8 @@
+ *p++ = argvport;
}
-
+
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
---
-2.9.5
diff --git a/system/cvs/cvs-musl.patch b/system/cvs/cvs-musl.patch
deleted file mode 100644
index 313377dbd..000000000
--- a/system/cvs/cvs-musl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- cvs-1.11.23.org/lib/getline.h 2013-09-16 18:28:13.026099577 +0000
-+++ cvs-1.11.23/lib/getline.h 2013-09-16 18:44:33.356064387 +0000
-@@ -12,8 +12,6 @@
- #define GETLINE_NO_LIMIT -1
-
- int
-- getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
--int
- getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
- int limit));
- int
---- cvs-1.11.23.org/lib/getline.c 2013-09-16 18:28:13.021099577 +0000
-+++ cvs-1.11.23/lib/getline.c 2013-09-16 18:45:14.463062911 +0000
-@@ -154,12 +154,7 @@
- return ret;
- }
-
--int
--getline (lineptr, n, stream)
-- char **lineptr;
-- size_t *n;
-- FILE *stream;
--{
-+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) {
- return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
-