commit: a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f Author: Felix Janda <felix.janda <AT> posteo <DOT> de> AuthorDate: Sat Oct 22 00:17:27 2016 +0000 Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> CommitDate: Sun Oct 23 00:05:16 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a06f6c59
dev-vcs/cvs: security fix, QA fix and musl compilation fix * add patch for CVE-2012-0804 (#402593) * respect AR (#440270) * fix format-security (#520508) * fix compilation with musl libc * modernize ebuild Gentoo-Bug: https://bugs.gentoo.org/402593 Gentoo-Bug: https://bugs.gentoo.org/440270 Gentoo-Bug: https://bugs.gentoo.org/520508 dev-vcs/cvs/cvs-1.12.12-r11.ebuild | 104 +++++++++++++++++++++ dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch | 30 ++++++ .../cvs/files/cvs-1.12.12-format-security.patch | 22 +++++ dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch | 4 +- dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch | 4 +- .../cvs/files/cvs-1.12.12-mktime-configure.patch | 4 +- dev-vcs/cvs/files/cvs-1.12.12-musl.patch | 13 +++ .../cvs/files/cvs-1.12.12-rcs2log-coreutils.patch | 6 +- 8 files changed, 178 insertions(+), 9 deletions(-) diff --git a/dev-vcs/cvs/cvs-1.12.12-r11.ebuild b/dev-vcs/cvs/cvs-1.12.12-r11.ebuild new file mode 100644 index 00000000..860cd3f --- /dev/null +++ b/dev-vcs/cvs/cvs-1.12.12-r11.ebuild @@ -0,0 +1,104 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +inherit pam toolchain-funcs + +DESCRIPTION="Concurrent Versions System - source code revision control tools" +HOMEPAGE="http://cvs.nongnu.org/"; + +SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2 + doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2 + mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf + mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )" + +LICENSE="GPL-2 LGPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 + ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd + ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint + ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" + +IUSE="crypt doc kerberos nls pam server" +RESTRICT="test" + +DEPEND=">=sys-libs/zlib-1.1.4 + kerberos? ( virtual/krb5 ) + pam? ( virtual/pam )" +RDEPEND="${DEPEND}" + +src_unpack() { + unpack ${P}.tar.bz2 + use doc && unpack cederqvist-${PV}.html.tar.bz2 +} + +PATCHES=( + "${FILESDIR}"/${P}-cvsbug-tmpfix.patch + "${FILESDIR}"/${P}-openat.patch + "${FILESDIR}"/${P}-block-requests.patch + "${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch + "${FILESDIR}"/${P}-install-sh.patch + "${FILESDIR}"/${P}-hash-nameclash.patch # for AIX + "${FILESDIR}"/${P}-getdelim.patch # 314791 + "${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114 + "${FILESDIR}"/${P}-mktime-x32.patch # 395641 + "${FILESDIR}"/${P}-fix-massive-leak.patch + "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208 + "${FILESDIR}"/${P}-CVE-2012-0804.patch + "${FILESDIR}"/${P}-format-security.patch + "${FILESDIR}"/${P}-musl.patch + ) +DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \ + PROJECTS README TESTS TODO ) + +src_prepare() { + default + + sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die +} + +src_configure() { + if tc-is-cross-compiler ; then + # Sane defaults when cross-compiling (as these tests want to + # try and execute code). + export cvs_cv_func_printf_ptr="yes" + fi + econf \ + --with-external-zlib \ + --with-tmpdir=${EPREFIX%/}/tmp \ + $(use_enable crypt encryption) \ + $(use_with kerberos gssapi) \ + $(use_enable nls) \ + $(use_enable pam) \ + $(use_enable server) +} + +src_install() { + # Not installed into emacs site-lisp because it clobbers the normal C + # indentations. + DOCS+=( cvs-format.el ) + + if use doc; then + DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} ) + HTML_DOCS=( ../cederqvist-${PV}.html/. ) + fi + + default + + use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html + + if use server; then + newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c + insinto /etc/xinetd.d + newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver + newenvd "${FILESDIR}"/01-cvs-env.d 01cvs + fi + + newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs +} + +pkg_postinst() { + use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!" +} diff --git a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch new file mode 100644 index 00000000..107c3ea --- /dev/null +++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch @@ -0,0 +1,30 @@ +[CVE-2012-0804] Fix proxy response parser + +If proxy sends overlong HTTP vesion string, the string will be copied +to unallocatd space (write_buf) causing heap overflow. + +This patch fixes it by ignoring the HTTP version string and checking +the response line has been parsed correctly. + +See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more +details. + +Index: src/client.c +=================================================================== +RCS file: /sources/cvs/ccvs/src/client.c,v +retrieving revision 1.483 +diff -u -r1.483 client.c +--- a/src/client.c 18 Nov 2008 22:59:02 -0000 1.483 ++++ b/src/client.c 26 Jan 2012 16:32:25 -0000 +@@ -4339,9 +4339,9 @@ + * code. + */ + read_line_via (from_server, to_server, &read_buf); +- sscanf (read_buf, "%s %d", write_buf, &codenum); ++ count = sscanf (read_buf, "%*s %d", &codenum); + +- if ((codenum / 100) != 2) ++ if (count != 1 || (codenum / 100) != 2) + error (1, 0, "proxy server %s:%d does not support http tunnelling", + root->proxy_hostname, proxy_port_number); + free (read_buf); diff --git a/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch b/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch new file mode 100644 index 00000000..d710a90 --- /dev/null +++ b/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch @@ -0,0 +1,22 @@ +--- a/diff/diff3.c ++++ b/diff/diff3.c +@@ -1503,7 +1503,7 @@ + line = 0; + do + { +- printf_output (line_prefix); ++ printf_output ("%s", line_prefix); + cp = D_RELNUM (ptr, realfile, line); + length = D_RELLEN (ptr, realfile, line); + write_output (cp, length); +--- a/src/main.c ++++ b/src/main.c +@@ -1375,7 +1375,7 @@ + { + (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name); + for (; *cpp; cpp++) +- (void) fprintf (stderr, *cpp); ++ (void) fprintf (stderr, "%s", *cpp); + exit (EXIT_FAILURE); + } + diff --git a/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch b/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch index 04eb03a..837d440 100644 --- a/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch +++ b/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch @@ -8,8 +8,8 @@ http://bugs.gentoo.org/314791 Already comitted upstream: http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39 ---- src/myndbm.c.orig -+++ src/myndbm.c +--- a/src/myndbm.c.orig ++++ b/src/myndbm.c @@ -213,7 +213,7 @@ mydbm_load_file (FILE *fp, List *list, char *filename) { diff --git a/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch b/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch index 0a33eea..95fd61e 100644 --- a/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch +++ b/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch @@ -1,8 +1,8 @@ http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a ---- src/hash.h.orig 2005-02-01 22:56:48 +0100 -+++ src/hash.h 2010-03-10 19:00:11 +0100 +--- a/src/hash.h.orig 2005-02-01 22:56:48 +0100 ++++ b/src/hash.h 2010-03-10 19:00:11 +0100 @@ -27,26 +27,26 @@ }; typedef enum ntype Ntype; diff --git a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch index 1a9c47b..03d7f35 100644 --- a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch +++ b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch @@ -3,8 +3,8 @@ https://bugs.gentoo.org/570208 update mktime check to latest autoconf version which is less buggy ---- configure -+++ configure +--- a/configure ++++ b/configure @@ -5299,26 +6059,25 @@ cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ diff --git a/dev-vcs/cvs/files/cvs-1.12.12-musl.patch b/dev-vcs/cvs/files/cvs-1.12.12-musl.patch new file mode 100644 index 00000000..e426cf5 --- /dev/null +++ b/dev-vcs/cvs/files/cvs-1.12.12-musl.patch @@ -0,0 +1,13 @@ +http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html + +--- a/lib/regex.c ++++ b/lib/regex.c +@@ -8184,7 +8184,7 @@ + if (msg_size > errbuf_size) + { + #if defined HAVE_MEMPCPY || defined _LIBC +- *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0'; ++ *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0'; + #else + memcpy (errbuf, msg, errbuf_size - 1); + errbuf[errbuf_size - 1] = 0; diff --git a/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch b/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch index 0fb4c6c..7dda3f0 100644 --- a/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch +++ b/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch @@ -1,8 +1,8 @@ X-Gentoo-bug: 144114 -diff -Nuar cvs-1.12.12.orig//contrib/rcs2log.sh cvs-1.12.12//contrib/rcs2log.sh ---- cvs-1.12.12.orig//contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000 -+++ cvs-1.12.12//contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000 +diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh +--- cvs-1.12.12.orig/contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000 ++++ cvs-1.12.12/contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000 @@ -620,7 +620,7 @@ # Sort the log entries, first by date+time (in reverse order), # then by author, then by log entry, and finally by file name and revision
