Hello community, here is the log from the commit of package cvs for openSUSE:11.4 checked in at Mon Feb 13 15:58:18 CET 2012.
-------- --- old-versions/11.4/all/cvs/cvs.changes 2010-09-20 11:21:05.000000000 +0200 +++ 11.4/cvs/cvs.changes 2012-02-10 15:53:52.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Jan 30 14:35:57 CET 2012 - [email protected] + +- Fix the way CVS reads proxy connection HTTP responses + (bnc#744059, CVE-2012-0804). + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/cvs Destination is old-versions/11.4/UPDATES/all/cvs calling whatdependson for 11.4-i586 New: ---- cvs-CVE-2012-0804.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cvs.spec ++++++ --- /var/tmp/diff_new_pack.YtkdNO/_old 2012-02-13 15:57:31.000000000 +0100 +++ /var/tmp/diff_new_pack.YtkdNO/_new 2012-02-13 15:57:31.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package cvs (Version 1.12.12) +# spec file for package cvs # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,18 +15,17 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild Name: cvs -BuildRequires: gdbm-devel zlib-devel -License: GPLv2+ ; LGPLv2.1+ -Group: Development/Tools/Version Control +BuildRequires: gdbm-devel +BuildRequires: zlib-devel Url: http://www.nongnu.org/cvs/ -AutoReqProv: on Version: 1.12.12 -Release: 164 +Release: 166.<RELEASE167> Summary: Concurrent Versions System +License: GPL-2.0+ ; LGPL-2.1+ +Group: Development/Tools/Version Control Requires: /bin/mktemp, /usr/bin/csh Source: %name-%version.tar.bz2 # http://www.does-not-exist.org/roessler/cvslock-0.2.tar.gz 
@@ -58,6 +57,7 @@ Patch26: cvs-request_rcs_installation.diff Patch27: cvs-fix_printf_format.diff Patch28: cvs-gnulib.diff +Patch29: cvs-CVE-2012-0804.patch PreReq: %install_info_prereq BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -74,7 +74,7 @@ Jeff Polk <[email protected]> %package doc -License: GPLv2+ ; LGPLv2.1+ + Summary: Info pages and Open Source Development with CVS, 2nd Edition Book Group: Development/Tools/Version Control %if 0%{?suse_version} >= 1120 @@ -116,6 +116,7 @@ %patch26 %patch27 %patch28 +%patch29 %build autoreconf -fi ++++++ cvs-CVE-2012-0804.patch ++++++ Index: src/client.c =================================================================== --- src/client.c.orig 2012-01-30 14:32:50.000000000 +0100 +++ src/client.c 2012-01-30 14:34:59.644866100 +0100 @@ -3491,9 +3491,9 @@ connect_to_pserver (cvsroot_t *root, str * code. */ read_line_via (from_server, to_server, &read_buf); - sscanf (read_buf, "%s %d", write_buf, &codenum); + count = sscanf (read_buf, "%s %d", write_buf, &codenum); - if ((codenum / 100) != 2) + if (count != 1 || (codenum / 100) != 2) error (1, 0, "proxy server %s:%d does not support http tunnelling", root->proxy_hostname, proxy_port_number); free (read_buf); continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
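Review bot: In the src/client.c hunk (connect_to_pserver, @@ -3491,9 +3491,9 @@) the new test "count != 1" does not match the format string. "%s %d" has two conversions, so a well-formed status line makes sscanf return 2 and the condition reaches error (1, ...) for every valid proxy reply; when sscanf returns 1, codenum was never assigned by this call and (codenum / 100) is still evaluated. Suggest "count != 2 || (codenum / 100) != 2". Two further points on the same lines: the %s conversion still has no field width, so the number of bytes written to write_buf is bounded only by the line the proxy sends (the buffer's size is not visible here, so a width matching it should be added or its absence justified), and the hunk assigns to count without showing a declaration, so please confirm one is in scope.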
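Review bot: The cvs.spec hunk at @@ -15,18 +15,17 @@ carries packaging changes that the cvs.changes entry does not mention: it drops "# norootforbuild" and "AutoReqProv: on", splits BuildRequires onto two lines, and rewrites the License tag to "GPL-2.0+ ; LGPL-2.1+". The changelog only records the CVE-2012-0804 fix, so for a security update either add a line describing the spec cleanup or move it to a separate submission, which keeps the security change easy to audit and to backport.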
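Review bot: In the cvs.spec hunk at @@ -74,7 +74,7 @@ the License line of "%package doc" is replaced by an empty line rather than removed or converted like the main package's tag. If the intent is for the doc subpackage to inherit the main License, delete the line outright instead of leaving a blank one; if the book and info pages need their own license statement, keep the tag and update it to the same notation used in the main package.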
