Hello community,

here is the log from the commit of package cvs for openSUSE:Factory checked in at 2017-08-24 18:21:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cvs (Old)
 and /work/SRC/openSUSE:Factory/.cvs.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cvs" Thu Aug 24 18:21:25 2017 rev:31 rq:516133 version:1.12.12 Changes: -------- --- /work/SRC/openSUSE:Factory/cvs/cvs.changes 2017-06-20 10:59:26.455621507 +0200 +++ /work/SRC/openSUSE:Factory/.cvs.new/cvs.changes 2017-08-24 18:21:35.629760694 +0200 @@ -1,0 +2,8 @@ +Fri Aug 11 12:21:12 UTC 2017 - [email protected] + +- Disallow a leading dash in the argument of the "-d" option. + [bsc#1053364, cvs-Bug-1053364-disallow-dash.patch] +- Changed license to "GPL-2.0" + see http://cvs.savannah.nongnu.org/viewvc/cvs/ccvs/cvs.spec.in + +------------------------------------------------------------------- New: ---- cvs-Bug-1053364-disallow-dash.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cvs.spec ++++++ --- /var/tmp/diff_new_pack.zHWcDq/_old 2017-08-24 18:21:37.125550081 +0200 +++ /var/tmp/diff_new_pack.zHWcDq/_new 2017-08-24 18:21:37.129549518 +0200 @@ -1,7 +1,7 @@ # # spec file for package cvs # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ Version: 1.12.12 Release: 0 Summary: Concurrent Versions System -License: GPL-2.0+ AND LGPL-2.1+ +License: GPL-2.0 Group: Development/Tools/Version Control Url: http://www.nongnu.org/cvs/ Source: http://ftp.gnu.org/non-gnu/%{name}/source/feature/%{version}/%{name}-%{version}.tar.bz2 @@ -52,6 +52,7 @@ Patch27: cvs-fix_printf_format.diff Patch28: cvs-gnulib.diff Patch29: cvs-CVE-2012-0804.patch +Patch30: cvs-Bug-1053364-disallow-dash.patch BuildRequires: automake BuildRequires: gdbm-devel BuildRequires: groff 
@@ -104,6 +105,7 @@ %patch27 %patch28 %patch29 +%patch30 -p1 %build autoreconf -fvi ++++++ cvs-Bug-1053364-disallow-dash.patch ++++++ Index: cvs-1.12.12/src/root.c =================================================================== --- cvs-1.12.12.orig/src/root.c +++ cvs-1.12.12/src/root.c @@ -615,6 +615,24 @@ parse_cvsroot (const char *root_in) } #endif /* defined (CLIENT_SUPPORT) || defined (SERVER_SUPPORT) */ } + else if (*cvsroot_copy == '-') + { + /* + * If the first character is not a colon, it may be the start of + * - a username + * - a hostname + * - a pathname + * The syntax of a hostname is defined by RFCs 952 and 1123 + * and it must start with a letter or a digit. + * According to the definition above, a path should start with a slash + * but even if not, there are other tools that croak upon a leading dash + * so you could just as well prepend a "./" if it was a relative path! + * But there is no clear definition of what is permissable at the start of a username + * and this may vary between server OSes, so we just disallow a dash. + */ + error (0, 0, "CVSROOT (`%s') must not start with a dash.", cvsroot_copy); + goto error_exit; + } else { /* If the method isn't specified, assume EXT_METHOD if the string looks
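Review bot: the cvs.changes entry describes the fix as applying to the argument of the "-d" option, but the check is added inside parse_cvsroot() and its error text names CVSROOT in general ("CVSROOT (`%s') must not start with a dash."). Please word the changelog to match the scope of the check, so that readers of the changelog do not assume only the command-line option is affected.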
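Review bot: the first cvs.spec hunk changes the copyright header from "SUSE LINUX GmbH" to "SUSE LINUX Products GmbH", which the cvs.changes entry does not mention and which is unrelated to bsc#1053364. If the change is not intended, drop it from this request; if it is, list it in the changelog.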
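Review bot: the License line in the second cvs.spec hunk goes from "GPL-2.0+ AND LGPL-2.1+" to "GPL-2.0", which removes both the "or later" marker and the LGPL component, and the changelog backs this only with a link to upstream's cvs.spec.in. Please record in cvs.changes what was checked to justify dropping the LGPL part, and consider submitting the license change separately so that cvs-Bug-1053364-disallow-dash.patch can be reviewed and backported on its own.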
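Review bot: in the src/root.c hunk, the new test "else if (*cvsroot_copy == '-')" inspects only the first character of the whole root string, and it is reached only when the preceding branch is not taken, which, going by the comment ("If the first character is not a colon"), is the branch for roots that start with a colon. The comment lists a username, a hostname or a pathname as what the string may begin with, so a hostname that follows a username, or any field in a root that begins with a colon, never reaches this comparison. I would apply the leading-dash rejection to the parsed username and hostname fields at the point where they are split out, and keep this test for the form without a method. Separately, "permissable" in the comment should read "permissible".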
