summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFelix Janda <felix.janda@posteo.de>2016-10-21 20:17:27 -0400
committerFelix Janda <felix.janda@posteo.de>2016-10-22 20:05:16 -0400
commita06f6c599f999a9ae9b1e7ca448712ebfb31ad5f (patch)
tree30ffa23f68f10619cad6de668316065c879d9b0f /dev-vcs
parentdev-vcs/qgit: x86 stable (diff)
downloadgentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.tar.gz
gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.tar.bz2
gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.zip
dev-vcs/cvs: security fix, QA fix and musl compilation fix
* add patch for CVE-2012-0804 (#402593) * respect AR (#440270) * fix format-security (#520508) * fix compilation with musl libc * modernize ebuild Gentoo-Bug: https://bugs.gentoo.org/402593 Gentoo-Bug: https://bugs.gentoo.org/440270 Gentoo-Bug: https://bugs.gentoo.org/520508
Diffstat (limited to 'dev-vcs')
-rw-r--r--dev-vcs/cvs/cvs-1.12.12-r11.ebuild104
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch30
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-format-security.patch22
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch4
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch4
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch4
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-musl.patch13
-rw-r--r--dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch6
8 files changed, 178 insertions, 9 deletions
diff --git a/dev-vcs/cvs/cvs-1.12.12-r11.ebuild b/dev-vcs/cvs/cvs-1.12.12-r11.ebuild
new file mode 100644
index 000000000000..860cd3f7db43
--- /dev/null
+++ b/dev-vcs/cvs/cvs-1.12.12-r11.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit pam toolchain-funcs
+
+DESCRIPTION="Concurrent Versions System - source code revision control tools"
+HOMEPAGE="http://cvs.nongnu.org/"
+
+SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2
+ doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2
+ mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf
+ mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )"
+
+LICENSE="GPL-2 LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64
+ ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
+ ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint
+ ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+
+IUSE="crypt doc kerberos nls pam server"
+RESTRICT="test"
+
+DEPEND=">=sys-libs/zlib-1.1.4
+ kerberos? ( virtual/krb5 )
+ pam? ( virtual/pam )"
+RDEPEND="${DEPEND}"
+
+src_unpack() {
+ unpack ${P}.tar.bz2
+ use doc && unpack cederqvist-${PV}.html.tar.bz2
+}
+
+PATCHES=(
+ "${FILESDIR}"/${P}-cvsbug-tmpfix.patch
+ "${FILESDIR}"/${P}-openat.patch
+ "${FILESDIR}"/${P}-block-requests.patch
+ "${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch
+ "${FILESDIR}"/${P}-install-sh.patch
+ "${FILESDIR}"/${P}-hash-nameclash.patch # for AIX
+ "${FILESDIR}"/${P}-getdelim.patch # 314791
+ "${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114
+ "${FILESDIR}"/${P}-mktime-x32.patch # 395641
+ "${FILESDIR}"/${P}-fix-massive-leak.patch
+ "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
+ "${FILESDIR}"/${P}-CVE-2012-0804.patch
+ "${FILESDIR}"/${P}-format-security.patch
+ "${FILESDIR}"/${P}-musl.patch
+ )
+DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \
+ PROJECTS README TESTS TODO )
+
+src_prepare() {
+ default
+
+ sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die
+}
+
+src_configure() {
+ if tc-is-cross-compiler ; then
+ # Sane defaults when cross-compiling (as these tests want to
+ # try and execute code).
+ export cvs_cv_func_printf_ptr="yes"
+ fi
+ econf \
+ --with-external-zlib \
+ --with-tmpdir=${EPREFIX%/}/tmp \
+ $(use_enable crypt encryption) \
+ $(use_with kerberos gssapi) \
+ $(use_enable nls) \
+ $(use_enable pam) \
+ $(use_enable server)
+}
+
+src_install() {
+ # Not installed into emacs site-lisp because it clobbers the normal C
+ # indentations.
+ DOCS+=( cvs-format.el )
+
+ if use doc; then
+ DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} )
+ HTML_DOCS=( ../cederqvist-${PV}.html/. )
+ fi
+
+ default
+
+ use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html
+
+ if use server; then
+ newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver
+ newenvd "${FILESDIR}"/01-cvs-env.d 01cvs
+ fi
+
+ newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs
+}
+
+pkg_postinst() {
+ use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
+}
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch
new file mode 100644
index 000000000000..107c3ea12204
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch
@@ -0,0 +1,30 @@
+[CVE-2012-0804] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+
+Index: src/client.c
+===================================================================
+RCS file: /sources/cvs/ccvs/src/client.c,v
+retrieving revision 1.483
+diff -u -r1.483 client.c
+--- a/src/client.c 18 Nov 2008 22:59:02 -0000 1.483
++++ b/src/client.c 26 Jan 2012 16:32:25 -0000
+@@ -4339,9 +4339,9 @@
+ * code.
+ */
+ read_line_via (from_server, to_server, &read_buf);
+- sscanf (read_buf, "%s %d", write_buf, &codenum);
++ count = sscanf (read_buf, "%*s %d", &codenum);
+
+- if ((codenum / 100) != 2)
++ if (count != 1 || (codenum / 100) != 2)
+ error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ root->proxy_hostname, proxy_port_number);
+ free (read_buf);
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch b/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch
new file mode 100644
index 000000000000..d710a9020735
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch
@@ -0,0 +1,22 @@
+--- a/diff/diff3.c
++++ b/diff/diff3.c
+@@ -1503,7 +1503,7 @@
+ line = 0;
+ do
+ {
+- printf_output (line_prefix);
++ printf_output ("%s", line_prefix);
+ cp = D_RELNUM (ptr, realfile, line);
+ length = D_RELLEN (ptr, realfile, line);
+ write_output (cp, length);
+--- a/src/main.c
++++ b/src/main.c
+@@ -1375,7 +1375,7 @@
+ {
+ (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);
+ for (; *cpp; cpp++)
+- (void) fprintf (stderr, *cpp);
++ (void) fprintf (stderr, "%s", *cpp);
+ exit (EXIT_FAILURE);
+ }
+
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch b/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch
index 04eb03ab600d..837d4408ab1f 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch
@@ -8,8 +8,8 @@ http://bugs.gentoo.org/314791
Already comitted upstream:
http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39
---- src/myndbm.c.orig
-+++ src/myndbm.c
+--- a/src/myndbm.c.orig
++++ b/src/myndbm.c
@@ -213,7 +213,7 @@
mydbm_load_file (FILE *fp, List *list, char *filename)
{
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch b/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch
index 0a33eea873ff..95fd61e0a51a 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch
@@ -1,8 +1,8 @@
http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch
fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a
---- src/hash.h.orig 2005-02-01 22:56:48 +0100
-+++ src/hash.h 2010-03-10 19:00:11 +0100
+--- a/src/hash.h.orig 2005-02-01 22:56:48 +0100
++++ b/src/hash.h 2010-03-10 19:00:11 +0100
@@ -27,26 +27,26 @@
};
typedef enum ntype Ntype;
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
index 1a9c47b68ba8..03d7f35601e2 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
@@ -3,8 +3,8 @@ https://bugs.gentoo.org/570208
update mktime check to latest autoconf version which is less buggy
---- configure
-+++ configure
+--- a/configure
++++ b/configure
@@ -5299,26 +6059,25 @@
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-musl.patch b/dev-vcs/cvs/files/cvs-1.12.12-musl.patch
new file mode 100644
index 000000000000..e426cf55fcc7
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-musl.patch
@@ -0,0 +1,13 @@
+http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html
+
+--- a/lib/regex.c
++++ b/lib/regex.c
+@@ -8184,7 +8184,7 @@
+ if (msg_size > errbuf_size)
+ {
+ #if defined HAVE_MEMPCPY || defined _LIBC
+- *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
++ *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
+ #else
+ memcpy (errbuf, msg, errbuf_size - 1);
+ errbuf[errbuf_size - 1] = 0;
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch b/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch
index 0fb4c6c6d73d..7dda3f0f1724 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch
@@ -1,8 +1,8 @@
X-Gentoo-bug: 144114
-diff -Nuar cvs-1.12.12.orig//contrib/rcs2log.sh cvs-1.12.12//contrib/rcs2log.sh
---- cvs-1.12.12.orig//contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000
-+++ cvs-1.12.12//contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000
+diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh
+--- cvs-1.12.12.orig/contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000
++++ cvs-1.12.12/contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000
@@ -620,7 +620,7 @@
# Sort the log entries, first by date+time (in reverse order),
# then by author, then by log entry, and finally by file name and revision