Hello community,

here is the log from the commit of package cvs for openSUSE:12.1:Update:Test 
checked in at 2012-02-13 17:30:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update:Test/cvs (Old)
 and      /work/SRC/openSUSE:12.1:Update:Test/.cvs.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cvs", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:12.1:Update:Test/cvs/cvs.changes 2012-02-13 
17:30:34.000000000 +0100
+++ /work/SRC/openSUSE:12.1:Update:Test/.cvs.new/cvs.changes    2012-02-13 
17:30:35.000000000 +0100
@@ -1,0 +2,6 @@
+Mon Jan 30 14:35:57 CET 2012 - [email protected]
+
+- Fix the way CVS reads proxy connection HTTP responses
+  (bnc#744059, CVE-2012-0804).
+
+-------------------------------------------------------------------

New:
----
  cvs-CVE-2012-0804.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cvs.spec ++++++
--- /var/tmp/diff_new_pack.TkeMYL/_old  2012-02-13 17:30:35.000000000 +0100
+++ /var/tmp/diff_new_pack.TkeMYL/_new  2012-02-13 17:30:35.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package cvs
 #
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,15 +16,15 @@
 #
 
 
-
 Name:           cvs
-BuildRequires:  gdbm-devel zlib-devel
-License:        GPLv2+ ; LGPLv2.1+
-Group:          Development/Tools/Version Control
+BuildRequires:  gdbm-devel
+BuildRequires:  zlib-devel
 Url:            http://www.nongnu.org/cvs/
 Version:        1.12.12
-Release:        164
+Release:        0
 Summary:        Concurrent Versions System
+License:        GPL-2.0+ ; LGPL-2.1+
+Group:          Development/Tools/Version Control
 Requires:       /bin/mktemp, /usr/bin/csh
 Source:         %name-%version.tar.bz2
 #               http://www.does-not-exist.org/roessler/cvslock-0.2.tar.gz
@@ -56,6 +56,7 @@
 Patch26:        cvs-request_rcs_installation.diff
 Patch27:        cvs-fix_printf_format.diff
 Patch28:        cvs-gnulib.diff
+Patch29:        cvs-CVE-2012-0804.patch
 PreReq:         %install_info_prereq 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -65,7 +66,6 @@
 CVS, is also included.
 
 %package doc
-License:        GPLv2+ ; LGPLv2.1+
 Summary:        Info pages and Open Source Development with CVS, 2nd Edition 
Book
 Group:          Development/Tools/Version Control
 %if 0%{?suse_version} >= 1120
@@ -100,6 +100,7 @@
 %patch26
 %patch27
 %patch28
+%patch29
 
 %build
 autoreconf -fi 

++++++ cvs-CVE-2012-0804.patch ++++++
Index: src/client.c
===================================================================
--- src/client.c.orig   2012-02-13 14:44:03.028698930 +0100
+++ src/client.c        2012-02-13 14:44:03.273692998 +0100
@@ -3504,9 +3504,9 @@ connect_to_pserver (cvsroot_t *root, str
          * code.
          */
        read_line_via (from_server, to_server, &read_buf);
-       sscanf (read_buf, "%s %d", write_buf, &codenum);
+       count = sscanf (read_buf, "%s %d", write_buf, &codenum);
 
-       if ((codenum / 100) != 2)
+       if (count != 1 || (codenum / 100) != 2)
            error (1, 0, "proxy server %s:%d does not support http tunnelling",
                   root->proxy_hostname, proxy_port_number);
        free (read_buf);
-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to