From 1320a328ef2ea539881f6d14c79ca17ef3024f2d Mon Sep 17 00:00:00 2001 From: Max Rees Date: Fri, 21 Jun 2019 12:09:17 -0400 Subject: system/cvs: patch for CVE-2010-3846 and CVE-2017-12836 --- system/cvs/APKBUILD | 13 +++- system/cvs/CVE-2010-3846.patch | 167 ++++++++++++++++++++++++++++++++++++++++ system/cvs/CVE-2017-12836.patch | 58 ++++++++++++++ 3 files changed, 236 insertions(+), 2 deletions(-) create mode 100644 system/cvs/CVE-2010-3846.patch create mode 100644 system/cvs/CVE-2017-12836.patch (limited to 'system') diff --git a/system/cvs/APKBUILD b/system/cvs/APKBUILD index 8dfcca172..f9160f62b 100644 --- a/system/cvs/APKBUILD +++ b/system/cvs/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=cvs pkgver=1.11.23 -pkgrel=1 +pkgrel=2 pkgdesc="Concurrent Versions System" url="https://www.nongnu.org/cvs/" arch="all" @@ -14,8 +14,15 @@ install= subpackages="$pkgname-doc" source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz cvs-musl.patch + CVE-2010-3846.patch + CVE-2017-12836.patch " +# secfixes: +# 1.11.23-r2: +# - CVE-2010-3846 +# - CVE-2017-12836 + build() { cd "$builddir" ./configure \ @@ -36,4 +43,6 @@ package() { } sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz -7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch" +7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch +eed761af81c9bcd3edd898559e9be25c6612bdef19984cc6380a08039525179fa34d9ade6c55c1b4f23e495156b34cafeab3e63cfd120c0e68a42aa7992e5e85 CVE-2010-3846.patch +2775f5bde63d7eaee8c8f7467a8b43d533abbc172cf6b2d6ca7088203133a135e4e6a2a8028191d0102300913165dbd54fcf1f43683e742cb32f04ab06aca121 CVE-2017-12836.patch" diff --git a/system/cvs/CVE-2010-3846.patch b/system/cvs/CVE-2010-3846.patch new file mode 100644 index 000000000..e1560cef8 --- /dev/null +++ b/system/cvs/CVE-2010-3846.patch @@ -0,0 +1,167 @@ +From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001 +From: Larry Jones +Date: Thu, 21 Oct 2010 10:08:16 +0200 +Subject: [PATCH] Fix for CVE-2010-3846 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Mallformed RCS revision (delete after the end of input file, or overlayed +deleted regions) screws output file image size computation. This leads to +write attempt after the allocated memory opening hiden memory corruption +driven by CVS server. + +Signed-off-by: Petr Písař +--- + src/rcs.c | 52 +++++++++++++++++++++++++++++----------------------- + 1 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/src/rcs.c b/src/rcs.c +index 7d0d078..2f88f85 100644 +--- a/src/rcs.c ++++ b/src/rcs.c +@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + struct deltafrag *dfhead; + struct deltafrag **dftail; + struct deltafrag *df; +- unsigned long numlines, lastmodline, offset; ++ unsigned long numlines, offset; + struct linevector lines; + int err; + +@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + + /* New temp data structure to hold new org before + copy back into original structure. */ +- lines.nlines = lines.lines_alloced = numlines; ++ lines.lines_alloced = numlines; + lines.vector = xmalloc (numlines * sizeof *lines.vector); + + /* We changed the list order to first to last -- so the + list never gets larger than the size numlines. */ +- lastmodline = 0; ++ lines.nlines = 0; + + /* offset created when adding/removing lines + between new and original structure */ +@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + for (df = dfhead; df != NULL; ) + { + unsigned int ln; +- unsigned long deltaend; ++ unsigned long newpos = df->pos - offset; + +- if (df->pos > orig_lines->nlines) ++ if (newpos < lines.nlines || newpos > numlines) + err = 1; + + /* On error, just free the rest of the list. */ + if (!err) + { +- /* Here we need to get to the line where the next insert will ++ /* Here we need to get to the line where the next change will + begin, which is DF->pos in ORIG_LINES. We will fill up to + DF->pos - OFFSET in LINES with original items. */ +- for (deltaend = df->pos - offset; +- lastmodline < deltaend; +- lastmodline++) ++ while (lines.nlines < newpos) + { + /* we need to copy from the orig structure into new one */ +- lines.vector[lastmodline] = +- orig_lines->vector[lastmodline + offset]; +- lines.vector[lastmodline]->refcount++; ++ lines.vector[lines.nlines] = ++ orig_lines->vector[lines.nlines + offset]; ++ lines.vector[lines.nlines]->refcount++; ++ lines.nlines++; + } + + switch (df->type) +@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + struct line *q; + int nextline_newline; + size_t nextline_len; +- ++ ++ if (newpos + df->nlines > numlines) ++ { ++ err = 1; ++ break; ++ } + textend = df->new_lines + df->len; + nextline_newline = 0; + nextline_text = df->new_lines; +@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + q->has_newline = nextline_newline; + q->refcount = 1; + memcpy (q->text, nextline_text, nextline_len); +- lines.vector[lastmodline++] = q; +- offset--; ++ lines.vector[lines.nlines++] = q; + + nextline_text = (char *)p + 1; + nextline_newline = 0; +@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + q->has_newline = nextline_newline; + q->refcount = 1; + memcpy (q->text, nextline_text, nextline_len); +- lines.vector[lastmodline++] = q; ++ lines.vector[lines.nlines++] = q; + + /* For each line we add the offset between the #'s + decreases. */ +- offset--; ++ offset -= df->nlines; + break; + } + +@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + if (df->pos + df->nlines > orig_lines->nlines) + err = 1; + else if (delvers) ++ { + for (ln = df->pos; ln < df->pos + df->nlines; ++ln) ++ { + if (orig_lines->vector[ln]->refcount > 1) + /* Annotate needs this but, since the original + * vector is disposed of before returning from +@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + * there are multiple references. + */ + orig_lines->vector[ln]->vers = delvers; ++ } ++ } + break; + } + } +@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers) + else + { + /* add the rest of the remaining lines to the data vector */ +- for (; lastmodline < numlines; lastmodline++) ++ while (lines.nlines < numlines) + { + /* we need to copy from the orig structure into new one */ +- lines.vector[lastmodline] = orig_lines->vector[lastmodline ++ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines + + offset]; +- lines.vector[lastmodline]->refcount++; ++ lines.vector[lines.nlines]->refcount++; ++ lines.nlines++; + } + + /* Move the lines vector to the original structure for output, + * first deleting the old. + */ + linevector_free (orig_lines); +- orig_lines->vector = lines.vector; +- orig_lines->lines_alloced = numlines; +- orig_lines->nlines = lines.nlines; ++ *orig_lines = lines; + } + + return !err; +-- +1.7.2.3 + diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch new file mode 100644 index 000000000..770115a5e --- /dev/null +++ b/system/cvs/CVE-2017-12836.patch @@ -0,0 +1,58 @@ +From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 14 Aug 2017 10:32:25 +0200 +Subject: [PATCH] Fix CVE-2017-12836 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The hostname passed to RSH (ssh) client could be interpreted by +OpenSSH client as an option and lead to local command execution. + +This fix adds no-more-options "--" separator before the hostname +argument to the RSH client command. + +Original patch by Thorsten Glaser from + ported to +1.11.23. + +Signed-off-by: Petr Písař +--- + src/client.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/client.c b/src/client.c +index 2bef1a0..e87cda9 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server) + char *cvs_rsh; + char *cvs_server = getenv ("CVS_SERVER"); + int i = 0; +- /* This needs to fit "rsh", "-b", "-l", "USER", "host", ++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", + "cmd (w/ args)", and NULL. We leave some room to grow. */ + char *rsh_argv[10]; + +@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server) + rsh_argv[i++] = root->username; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + rsh_argv[i++] = "server"; +@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server) + *p++ = root->username; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +2.9.5 + -- cgit v1.2.3-70-g09d2