* [gentoo-commits] repo/gentoo:master commit in: dev-vcs/cvs/files/, dev-vcs/cvs/
@ 2016-02-28  4:48 Mike Frysinger
From: Mike Frysinger @ 2016-02-28  4:48 UTC (permalink / raw
  To: gentoo-commits

commit:     8c48112665e85affda864ff1ffa119ab78e3e40d
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 28 02:49:01 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Feb 28 04:46:04 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c481126

dev-vcs/cvs: fix buggy mktime tests #570208

 dev-vcs/cvs/cvs-1.12.12-r10.ebuild                 |   1 +
 dev-vcs/cvs/cvs-1.12.12-r6.ebuild                  |   1 +
 dev-vcs/cvs/cvs-1.12.12-r7.ebuild                  |   1 +
 dev-vcs/cvs/cvs-1.12.12-r8.ebuild                  |   1 +
 dev-vcs/cvs/cvs-1.12.12-r9.ebuild                  |   1 +
 .../cvs/files/cvs-1.12.12-mktime-configure.patch   | 201 +++++++++++++++++++++
 6 files changed, 206 insertions(+)

diff --git a/dev-vcs/cvs/cvs-1.12.12-r10.ebuild b/dev-vcs/cvs/cvs-1.12.12-r10.ebuild
index 5198af4..01964f0 100644
--- a/dev-vcs/cvs/cvs-1.12.12-r10.ebuild
+++ b/dev-vcs/cvs/cvs-1.12.12-r10.ebuild
@@ -41,6 +41,7 @@ src_prepare() {
 	epatch "${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114
 	epatch "${FILESDIR}"/${P}-mktime-x32.patch # 395641
 	epatch "${FILESDIR}"/${P}-fix-massive-leak.patch
+	epatch "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
 	use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
 }
 

diff --git a/dev-vcs/cvs/cvs-1.12.12-r6.ebuild b/dev-vcs/cvs/cvs-1.12.12-r6.ebuild
index 4f5a353..bfc1818 100644
--- a/dev-vcs/cvs/cvs-1.12.12-r6.ebuild
+++ b/dev-vcs/cvs/cvs-1.12.12-r6.ebuild
@@ -33,6 +33,7 @@ src_unpack() {
 	epatch "${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch
 	epatch "${FILESDIR}"/${P}-install-sh.patch
 	epatch "${FILESDIR}"/${P}-mktime-x32.patch # 395641
+	epatch "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
 	use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
 }
 

diff --git a/dev-vcs/cvs/cvs-1.12.12-r7.ebuild b/dev-vcs/cvs/cvs-1.12.12-r7.ebuild
index 754e0c1..b33ca47 100644
--- a/dev-vcs/cvs/cvs-1.12.12-r7.ebuild
+++ b/dev-vcs/cvs/cvs-1.12.12-r7.ebuild
@@ -37,6 +37,7 @@ src_prepare() {
 	epatch "${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch
 	epatch "${FILESDIR}"/${P}-install-sh.patch
 	epatch "${FILESDIR}"/${P}-hash-nameclash.patch # for AIX
+	epatch "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
 	elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
 }
 

diff --git a/dev-vcs/cvs/cvs-1.12.12-r8.ebuild b/dev-vcs/cvs/cvs-1.12.12-r8.ebuild
index 18e0e6c..a65db04 100644
--- a/dev-vcs/cvs/cvs-1.12.12-r8.ebuild
+++ b/dev-vcs/cvs/cvs-1.12.12-r8.ebuild
@@ -38,6 +38,7 @@ src_prepare() {
 	epatch "${FILESDIR}"/${P}-install-sh.patch
 	epatch "${FILESDIR}"/${P}-hash-nameclash.patch # for AIX
 	epatch "${FILESDIR}"/${P}-getdelim.patch # 314791
+	epatch "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
 	elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
 }
 

diff --git a/dev-vcs/cvs/cvs-1.12.12-r9.ebuild b/dev-vcs/cvs/cvs-1.12.12-r9.ebuild
index 4531ce4..d88e63b 100644
--- a/dev-vcs/cvs/cvs-1.12.12-r9.ebuild
+++ b/dev-vcs/cvs/cvs-1.12.12-r9.ebuild
@@ -40,6 +40,7 @@ src_prepare() {
 	epatch "${FILESDIR}"/${P}-getdelim.patch # 314791
 	epatch "${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114
 	epatch "${FILESDIR}"/${P}-mktime-x32.patch # 395641
+	epatch "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
 	use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
 }
 

diff --git a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
new file mode 100644
index 0000000..1a9c47b
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
@@ -0,0 +1,201 @@
+https://bugs.gentoo.org/220040
+https://bugs.gentoo.org/570208
+
+update mktime check to latest autoconf version which is less buggy
+
+--- configure
++++ configure
+@@ -5299,26 +6059,25 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+ /* Test program from Paul Eggert and Tony Leneis.  */
+-#if TIME_WITH_SYS_TIME
++#ifdef TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>
+ #else
+-# if HAVE_SYS_TIME_H
++# ifdef HAVE_SYS_TIME_H
+ #  include <sys/time.h>
+ # else
+ #  include <time.h>
+ # endif
+ #endif
+ 
+-#if HAVE_STDLIB_H
+-# include <stdlib.h>
+-#endif
++#include <limits.h>
++#include <stdlib.h>
+ 
+-#if HAVE_UNISTD_H
++#ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+ #endif
+ 
+-#if !HAVE_ALARM
++#ifndef HAVE_ALARM
+ # define alarm(X) /* empty */
+ #endif
+ 
+@@ -5335,9 +6094,9 @@
+ };
+ #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
+ 
+-/* Fail if mktime fails to convert a date in the spring-forward gap.
++/* Return 0 if mktime fails to convert a date in the spring-forward gap.
+    Based on a problem report from Andreas Jaeger.  */
+-static void
++static int
+ spring_forward_gap ()
+ {
+   /* glibc (up to about 1998-10-07) failed this test. */
+@@ -5356,29 +6115,27 @@
+   tm.tm_min = 0;
+   tm.tm_sec = 0;
+   tm.tm_isdst = -1;
+-  if (mktime (&tm) == (time_t)-1)
+-    exit (1);
++  return mktime (&tm) != (time_t) -1;
+ }
+ 
+-static void
++static int
+ mktime_test1 (now)
+      time_t now;
+ {
+   struct tm *lt;
+-  if ((lt = localtime (&now)) && mktime (lt) != now)
+-    exit (1);
++  return ! (lt = localtime (&now)) || mktime (lt) == now;
+ }
+ 
+-static void
++static int
+ mktime_test (now)
+      time_t now;
+ {
+-  mktime_test1 (now);
+-  mktime_test1 ((time_t) (time_t_max - now));
+-  mktime_test1 ((time_t) (time_t_min + now));
++  return (mktime_test1 (now)
++	  && mktime_test1 ((time_t) (time_t_max - now))
++	  && mktime_test1 ((time_t) (time_t_min + now)));
+ }
+ 
+-static void
++static int
+ irix_6_4_bug ()
+ {
+   /* Based on code from Ariel Faigon.  */
+@@ -5391,11 +6148,10 @@
+   tm.tm_sec = 0;
+   tm.tm_isdst = -1;
+   mktime (&tm);
+-  if (tm.tm_mon != 2 || tm.tm_mday != 31)
+-    exit (1);
++  return tm.tm_mon == 2 && tm.tm_mday == 31;
+ }
+ 
+-static void
++static int
+ bigtime_test (j)
+      int j;
+ {
+@@ -5417,8 +6173,39 @@
+ 	     && lt->tm_wday == tm.tm_wday
+ 	     && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
+ 		  == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
+-	exit (1);
++	return 0;
+     }
++  return 1;
++}
++
++static int
++year_2050_test ()
++{
++  /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
++     ignoring leap seconds.  */
++  unsigned long int answer = 2527315200UL;
++
++  struct tm tm;
++  time_t t;
++  tm.tm_year = 2050 - 1900;
++  tm.tm_mon = 2 - 1;
++  tm.tm_mday = 1;
++  tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
++  tm.tm_isdst = -1;
++
++  /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
++     instead of "TZ=America/Vancouver" in order to detect the bug even
++     on systems that don't support the Olson extension, or don't have the
++     full zoneinfo tables installed.  */
++  putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
++
++  t = mktime (&tm);
++
++  /* Check that the result is either a failure, or close enough
++     to the correct answer that we can assume the discrepancy is
++     due to leap seconds.  */
++  return (t == (time_t) -1
++	  || (0 < t && answer - 120 <= t && t <= answer + 120));
+ }
+ 
+ int
+@@ -5432,12 +6219,15 @@
+      isn't worth using anyway.  */
+   alarm (60);
+ 
+-  for (time_t_max = 1; 0 < time_t_max; time_t_max *= 2)
+-    continue;
+-  time_t_max--;
+-  if ((time_t) -1 < 0)
+-    for (time_t_min = -1; (time_t) (time_t_min * 2) < 0; time_t_min *= 2)
+-      continue;
++  for (;;)
++    {
++      t = (time_t_max << 1) + 1;
++      if (t <= time_t_max)
++	break;
++      time_t_max = t;
++    }
++  time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
++
+   delta = time_t_max / 997; /* a suitable prime number */
+   for (i = 0; i < N_STRINGS; i++)
+     {
+@@ -5445,18 +6235,22 @@
+ 	putenv (tz_strings[i]);
+ 
+       for (t = 0; t <= time_t_max - delta; t += delta)
+-	mktime_test (t);
+-      mktime_test ((time_t) 1);
+-      mktime_test ((time_t) (60 * 60));
+-      mktime_test ((time_t) (60 * 60 * 24));
+-
+-      for (j = 1; 0 < j; j *= 2)
+-	bigtime_test (j);
+-      bigtime_test (j - 1);
++	if (! mktime_test (t))
++	  return 1;
++      if (! (mktime_test ((time_t) 1)
++	     && mktime_test ((time_t) (60 * 60))
++	     && mktime_test ((time_t) (60 * 60 * 24))))
++	return 1;
++
++      for (j = 1; ; j <<= 1)
++	if (! bigtime_test (j))
++	  return 1;
++	else if (INT_MAX / 2 < j)
++	  break;
++      if (! bigtime_test (INT_MAX))
++	return 1;
+     }
+-  irix_6_4_bug ();
+-  spring_forward_gap ();
+-  exit (0);
++  return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
+ }
+ _ACEOF
+ rm -f conftest$ac_exeext
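Review bot: The replacement `time_t_max` probe in the test program's `main` (`t = (time_t_max << 1) + 1; if (t <= time_t_max) break;`) still finds the maximum by pushing a signed `time_t` past its range, which is formally undefined in C, so a compiler that exploits this could drop the `break` and leave the check to be killed by `alarm (60)` or report a wrong result. Since `<limits.h>` is now included, the bound can be derived from the type width instead, for example `time_t_max = (time_t) -1 < 0 ? (((time_t) 1 << (sizeof (time_t) * CHAR_BIT - 2)) - 1) * 2 + 1 : (time_t) -1;`. The patch touches only the generated `configure`, so presumably any build that regenerates it would lose the change; a line in the patch header saying so would help the next maintainer. `main` begins outside the inner hunk shown here.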



* [gentoo-commits] repo/gentoo:master commit in: dev-vcs/cvs/files/, dev-vcs/cvs/
@ 2016-06-27 22:11 Robin H. Johnson
From: Robin H. Johnson @ 2016-06-27 22:11 UTC (permalink / raw
  To: gentoo-commits

commit:     e1af6ce004ccc7c13d7d5680efe8d8fa46ffaca4
Author:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 27 22:08:03 2016 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Mon Jun 27 22:11:22 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1af6ce0

dev-vcs/cvs: drop old "stable" 1.11.x series.

Package-Manager: portage-2.2.28

 dev-vcs/cvs/Manifest                              |   4 -
 dev-vcs/cvs/cvs-1.11.23.ebuild                    |  62 --------
 dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch | 167 ----------------------
 dev-vcs/cvs/files/cvs-1.11.23-getline64.patch     |  36 -----
 4 files changed, 269 deletions(-)

diff --git a/dev-vcs/cvs/Manifest b/dev-vcs/cvs/Manifest
index a6876db..e350aaf 100644
--- a/dev-vcs/cvs/Manifest
+++ b/dev-vcs/cvs/Manifest
@@ -1,8 +1,4 @@
-DIST cederqvist-1.11.23.html.bz2 112336 SHA256 7b44791e77d3cc56e2ce970303f4003a8a759e432cfa97de93fa45c4d78f80d9 SHA512 671d9d0d364c7ec21c8b5ae357bf7be097447342053b6eb442d6b367ff1b79e17b8494cac21a08c7a897c039ede7e08992d4af158fb2a68847506f7841f98789 WHIRLPOOL c58dba2bf0ca96a17099f5488f34b1343385e67a22a20697a0de4c9affb30f21fbd790b5fd874487e5f40ce2978ee961e8b876910ac520da35ec7ceb07edf139
-DIST cederqvist-1.11.23.pdf 1134081 SHA256 0ef6dc37510e43be1bcae50c635dedcbb2d56f16968946ff0a304a43f87a7d59 SHA512 6b5f7603ff38eaf0747d364f74960c5bb3ba172fd93436440644396ba9e94538cc3c258c8c44d5fc3437c73eacc8727381f0caa94651227a74353bb46029d490 WHIRLPOOL 31d5e9ff2abe0bf93f9be6f8657690a24c55037d621bc54e735d078a7ac1b089d55d0ea57b8450c47611d6ea7aff54aeed7f7bfbe1ff02188b25abcea164bcd0
-DIST cederqvist-1.11.23.ps 1129600 SHA256 6b35cbeecd6fa069e59743716f2766f5bfffe3013a59cf72d833e5837b20abc0 SHA512 0a0e14bb611a210d4fbacd187a8fd2d8ce2746df1487ec0272cb4abe9027194109adfa7ffe97fada1457203eac7428605e3b3def11a6fece4140e08b66ded17e WHIRLPOOL c24b5dea728a9a317fdbdf212351bb04525daebccc94a68fee8bc717f68ce8f1a9de7446422bffc07e9a27a005bf4a8d6bffcee31a2e83cb3cac34ee993f8cbb
 DIST cederqvist-1.12.12.html.tar.bz2 137581 SHA256 6bdd66581ec363e05313a14db27cd3c201b547cdfc9ea2f8edde74e78301f0f6 SHA512 c4f6bdc294b719c1c9f6e8b7d1d4faa9e2aafccd37924e9d4772f8d802da3e7f5ae1778b295989db256b23bb1d0914023db7237adaf07833caaee499ae6b6fa3 WHIRLPOOL 41dd1e0d944a02eeca10539b87b5cfcadbf4fd5923c872aa86e5673bb6a98f774d5378e8b4f1c2e6c6a62e6dc6a4d02c69b5e51ad03da899903070effd62adc9
 DIST cederqvist-1.12.12.pdf 1252423 SHA256 211c5792d24bfd5694f23bc217a161d880bfb2447c41016fab6f657168b041ce SHA512 aa90b76664ca103cf41831a5595d5e99df9fd87633aa5a500569f43854ca6e409a26b655f02ed59cde1c37ce88c40e06f3b3376ad71fdc9487032c3f0898706a WHIRLPOOL 88d015117c05716df6d0cdc763f16dc488f0641624475e9bd33478485dd32e36a7ee5c49a1789ebdd173e665ae5963e75975342d7308e8e453adb65dd31ec6c5
 DIST cederqvist-1.12.12.ps 1262208 SHA256 0e14189614e2c5ead49bfe0ecd187239f8adc3e66371b49d52163be821e44cab SHA512 9a061ef90c664fbb4f882644f72c4f80ffbe0233b6b364511b1c7f18f0a53383980a6ddda326b6df1f2fe1899aed3225de89b55a65a1d9101ba81d1c10c067e2 WHIRLPOOL fb1616ca734e51a626713e7e78786ecbff18378966c2c131f6992df248096d38e850123449d3a5a6aa111ee209f90ef48848da7366b21cb6befeccf07ce54ab6
-DIST cvs-1.11.23.tar.bz2 2942652 SHA256 400f51b59d85116e79b844f2d5dbbad4759442a789b401a94aa5052c3d7a4aa9 SHA512 d84360b51b966f19ac3f1728265ff25e46d3a3ce6d9e7e30b154f0975bb10ce4f82f5ca3f308d2ff169c2b5dd97b0243e910d2e8ad59a5857aef7a70b9026b19 WHIRLPOOL 0f4a14989c29ee76a911edcbcb9b946f3710d1015391e7a219c841bf3cd03678994d572f23a66975030e9ca2eb64abc7f7665a535203bc81653d754491039252
 DIST cvs-1.12.12.tar.bz2 3197171 SHA256 9fb9176d268b9019768fc57dedc2920c28fbeda5ba224c2348550d4f25043edc SHA512 31c679b77b887e02d9c8c381b0dfb42f1207ef4ca806cd92843638eb2126ed032e99bda70a3e20ea2a029670ff39c40088a43435632e381739e6c2f978e6f4bb WHIRLPOOL 74257976cdb957e86fb9fb7e54fc8c0b7210f72136ce05327203d935195e7a3bdda0c1d616dc04cb1d6495cb038ca7275e88488eddb5d936c1cfceb94583278c

diff --git a/dev-vcs/cvs/cvs-1.11.23.ebuild b/dev-vcs/cvs/cvs-1.11.23.ebuild
deleted file mode 100644
index b85ae1d..0000000
--- a/dev-vcs/cvs/cvs-1.11.23.ebuild
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=3
-
-inherit eutils
-
-DESCRIPTION="Concurrent Versions System - source code revision control tools"
-HOMEPAGE="http://www.nongnu.org/cvs/"
-SRC_URI="mirror://gnu/non-gnu/cvs/source/stable/${PV}/${P}.tar.bz2
-	doc? ( mirror://gnu/non-gnu/cvs/source/stable/${PV}/cederqvist-${PV}.html.bz2
-		mirror://gnu/non-gnu/cvs/source/stable/${PV}/cederqvist-${PV}.pdf
-		mirror://gnu/non-gnu/cvs/source/stable/${PV}/cederqvist-${PV}.ps )"
-
-LICENSE="GPL-2 LGPL-2"
-SLOT="0"
-#KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-KEYWORDS="~arm64 ~ppc-aix ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="doc emacs"
-RESTRICT='test'
-
-DEPEND=">=sys-libs/zlib-1.1.4"
-
-src_prepare() {
-	epatch "${FILESDIR}"/${P}-CVE-2010-3846.patch
-	epatch "${FILESDIR}"/${P}-getline64.patch
-
-	# remove a useless binary
-	einfo "Removing a compiled binary"
-	find "${S}" -type f -name getdate -exec rm \{\} \;
-}
-
-src_configure() {
-	[[ ${CHOST} == *-interix* ]] && export ac_cv_header_inttypes_h=no
-
-	econf --with-tmpdir=/tmp --without-gssapi || die
-}
-
-src_install() {
-	einstall || die
-
-	insinto /etc/xinetd.d
-	newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver || die "newins failed"
-
-	dodoc BUGS ChangeLog* DEVEL* FAQ HACKING \
-		MINOR* NEWS PROJECTS README* TESTS TODO
-
-	if use emacs; then
-		insinto /usr/share/emacs/site-lisp
-		doins cvs-format.el || die "doins failed"
-	fi
-
-	if use doc; then
-		dodoc "${DISTDIR}"/cederqvist-${PV}.pdf
-		dodoc "${DISTDIR}"/cederqvist-${PV}.ps
-		tar xjf "${DISTDIR}"/cederqvist-${PV}.html.tar.bz2
-		dohtml -r cederqvist-${PV}.html/*
-		cd "${ED}"/usr/share/doc/${PF}/html/
-		ln -s cvs.html index.html
-	fi
-}

diff --git a/dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch b/dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch
deleted file mode 100644
index e1560ce..0000000
--- a/dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
-From: Larry Jones <lawrence.jones@siemens.com>
-Date: Thu, 21 Oct 2010 10:08:16 +0200
-Subject: [PATCH] Fix for CVE-2010-3846
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mallformed RCS revision (delete after the end of input file, or overlayed
-deleted regions) screws output file image size computation. This leads to
-write attempt after the allocated memory opening hiden memory corruption
-driven by CVS server.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- src/rcs.c |   52 +++++++++++++++++++++++++++++-----------------------
- 1 files changed, 29 insertions(+), 23 deletions(-)
-
-diff --git a/src/rcs.c b/src/rcs.c
-index 7d0d078..2f88f85 100644
---- a/src/rcs.c
-+++ b/src/rcs.c
-@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-     struct deltafrag *dfhead;
-     struct deltafrag **dftail;
-     struct deltafrag *df;
--    unsigned long numlines, lastmodline, offset;
-+    unsigned long numlines, offset;
-     struct linevector lines;
-     int err;
- 
-@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 
-     /* New temp data structure to hold new org before
-        copy back into original structure. */
--    lines.nlines = lines.lines_alloced = numlines;
-+    lines.lines_alloced = numlines;
-     lines.vector = xmalloc (numlines * sizeof *lines.vector);
- 
-     /* We changed the list order to first to last -- so the
-        list never gets larger than the size numlines. */
--    lastmodline = 0; 
-+    lines.nlines = 0; 
- 
-     /* offset created when adding/removing lines
-        between new and original structure */
-@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-     for (df = dfhead; df != NULL; )
-     {
- 	unsigned int ln;
--	unsigned long deltaend;
-+	unsigned long newpos = df->pos - offset;
- 
--	if (df->pos > orig_lines->nlines)
-+	if (newpos < lines.nlines || newpos > numlines)
- 	    err = 1;
- 
- 	/* On error, just free the rest of the list.  */
- 	if (!err)
- 	{
--	    /* Here we need to get to the line where the next insert will
-+	    /* Here we need to get to the line where the next change will
- 	       begin, which is DF->pos in ORIG_LINES.  We will fill up to
- 	       DF->pos - OFFSET in LINES with original items.  */
--	    for (deltaend = df->pos - offset;
--		 lastmodline < deltaend;
--		 lastmodline++)
-+	    while (lines.nlines < newpos)
- 	    {
- 		/* we need to copy from the orig structure into new one */
--		lines.vector[lastmodline] =
--			orig_lines->vector[lastmodline + offset];
--		lines.vector[lastmodline]->refcount++;
-+		lines.vector[lines.nlines] =
-+			orig_lines->vector[lines.nlines + offset];
-+		lines.vector[lines.nlines]->refcount++;
-+		lines.nlines++;
- 	    }
- 
- 	    switch (df->type)
-@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 		    struct line *q;
- 		    int nextline_newline;
- 		    size_t nextline_len;
--		
-+
-+		    if (newpos + df->nlines > numlines)
-+		    {
-+			err = 1;
-+			break;
-+		    }
- 		    textend = df->new_lines + df->len;
- 		    nextline_newline = 0;
- 		    nextline_text = df->new_lines;
-@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 			    q->has_newline = nextline_newline;
- 			    q->refcount = 1;
- 			    memcpy (q->text, nextline_text, nextline_len);
--			    lines.vector[lastmodline++] = q;
--			    offset--;
-+			    lines.vector[lines.nlines++] = q;
- 		    
- 			    nextline_text = (char *)p + 1;
- 			    nextline_newline = 0;
-@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 		    q->has_newline = nextline_newline;
- 		    q->refcount = 1;
- 		    memcpy (q->text, nextline_text, nextline_len);
--		    lines.vector[lastmodline++] = q;
-+		    lines.vector[lines.nlines++] = q;
- 
- 		    /* For each line we add the offset between the #'s
- 		       decreases. */
--		    offset--;
-+		    offset -= df->nlines;
- 		    break;
- 		}
- 
-@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 		    if (df->pos + df->nlines > orig_lines->nlines)
- 			err = 1;
- 		    else if (delvers)
-+		    {
- 			for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
-+			{
- 			    if (orig_lines->vector[ln]->refcount > 1)
- 				/* Annotate needs this but, since the original
- 				 * vector is disposed of before returning from
-@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
- 				 * there are multiple references.
- 				 */
- 				orig_lines->vector[ln]->vers = delvers;
-+			}
-+		    }
- 		    break;
- 	    }
- 	}
-@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
-     else
-     {
- 	/* add the rest of the remaining lines to the data vector */
--	for (; lastmodline < numlines; lastmodline++)
-+	while (lines.nlines < numlines)
- 	{
- 	    /* we need to copy from the orig structure into new one */
--	    lines.vector[lastmodline] = orig_lines->vector[lastmodline
-+	    lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
- 							   + offset];
--	    lines.vector[lastmodline]->refcount++;
-+	    lines.vector[lines.nlines]->refcount++;
-+	    lines.nlines++;
- 	}
- 
- 	/* Move the lines vector to the original structure for output,
- 	 * first deleting the old.
- 	 */
- 	linevector_free (orig_lines);
--	orig_lines->vector = lines.vector;
--	orig_lines->lines_alloced = numlines;
--	orig_lines->nlines = lines.nlines;
-+	*orig_lines = lines;
-     }
- 
-     return !err;
--- 
-1.7.2.3
-

diff --git a/dev-vcs/cvs/files/cvs-1.11.23-getline64.patch b/dev-vcs/cvs/files/cvs-1.11.23-getline64.patch
deleted file mode 100644
index f93fca4..0000000
--- a/dev-vcs/cvs/files/cvs-1.11.23-getline64.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-http://pkgs.fedoraproject.org/gitweb/?p=cvs.git;a=blob;f=cvs-1.11.23-getline64.patch;h=99942e0589e4ff26e87a927c1a54662954876e64;hb=HEAD
-
---- cvs-1.11.23/lib/getline.c
-+++ cvs-1.11.23/lib/getline.c
-@@ -154,7 +154,7 @@
-   return ret;
- }
- 
--int
-+ssize_t
- getline (lineptr, n, stream)
-      char **lineptr;
-      size_t *n;
-@@ -163,7 +163,7 @@
-   return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
- 
--int
-+ssize_t
- getline_safe (lineptr, n, stream, limit)
-      char **lineptr;
-      size_t *n;
---- cvs-1.11.23/lib/getline.h
-+++ cvs-1.11.23/lib/getline.h
-@@ -11,9 +11,9 @@
- 
- #define GETLINE_NO_LIMIT -1
- 
--int
-+ssize_t
-   getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
--int
-+ssize_t
-   getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
-                          int limit));
- int



* [gentoo-commits] repo/gentoo:master commit in: dev-vcs/cvs/files/, dev-vcs/cvs/
@ 2017-08-26 16:03 Hanno Boeck
From: Hanno Boeck @ 2017-08-26 16:03 UTC (permalink / raw
  To: gentoo-commits

commit:     9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b
Author:     Hanno <hanno <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 26 15:51:54 2017 +0000
Commit:     Hanno Boeck <hanno <AT> gentoo <DOT> org>
CommitDate: Sat Aug 26 15:51:54 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aae21ba

dev-vcs/cvs: Fix command injection (CVE-2017-12836).

Patch taken from MirBSD (excluding comment-only changes that
didn't apply cleanly). See bug #627498.

Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-vcs/cvs/cvs-1.12.12-r12.ebuild                 | 101 +++++++++++++++++++++
 ...s-1.12.12-CVE-2017-12836-commandinjection.patch |  22 +++++
 2 files changed, 123 insertions(+)

diff --git a/dev-vcs/cvs/cvs-1.12.12-r12.ebuild b/dev-vcs/cvs/cvs-1.12.12-r12.ebuild
new file mode 100644
index 00000000000..4f603809d51
--- /dev/null
+++ b/dev-vcs/cvs/cvs-1.12.12-r12.ebuild
@@ -0,0 +1,101 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit pam toolchain-funcs
+
+DESCRIPTION="Concurrent Versions System - source code revision control tools"
+HOMEPAGE="http://cvs.nongnu.org/"
+
+SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2
+	doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2
+		mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf
+		mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )"
+
+LICENSE="GPL-2 LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+
+IUSE="crypt doc kerberos nls pam server"
+RESTRICT="test"
+
+DEPEND=">=sys-libs/zlib-1.1.4
+	kerberos? ( virtual/krb5 )
+	pam? ( virtual/pam )"
+RDEPEND="${DEPEND}"
+
+src_unpack() {
+	unpack ${P}.tar.bz2
+	use doc && unpack cederqvist-${PV}.html.tar.bz2
+}
+
+PATCHES=(
+	"${FILESDIR}"/${P}-cvsbug-tmpfix.patch
+	"${FILESDIR}"/${P}-openat.patch
+	"${FILESDIR}"/${P}-block-requests.patch
+	"${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch
+	"${FILESDIR}"/${P}-install-sh.patch
+	"${FILESDIR}"/${P}-hash-nameclash.patch # for AIX
+	"${FILESDIR}"/${P}-getdelim.patch # 314791
+	"${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114
+	"${FILESDIR}"/${P}-mktime-x32.patch # 395641
+	"${FILESDIR}"/${P}-fix-massive-leak.patch
+	"${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
+	"${FILESDIR}"/${P}-CVE-2012-0804.patch
+	"${FILESDIR}"/${P}-format-security.patch
+	"${FILESDIR}"/${P}-musl.patch
+	"${FILESDIR}"/${P}-CVE-2017-12836-commandinjection.patch
+	)
+DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \
+	PROJECTS README TESTS TODO )
+
+src_prepare() {
+	default
+
+	sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die
+}
+
+src_configure() {
+	if tc-is-cross-compiler ; then
+		# Sane defaults when cross-compiling (as these tests want to
+		# try and execute code).
+		export cvs_cv_func_printf_ptr="yes"
+	fi
+	econf \
+		--with-external-zlib \
+		--with-tmpdir=${EPREFIX%/}/tmp \
+		$(use_enable crypt encryption) \
+		$(use_with kerberos gssapi) \
+		$(use_enable nls) \
+		$(use_enable pam) \
+		$(use_enable server)
+}
+
+src_install() {
+	# Not installed into emacs site-lisp because it clobbers the normal C
+	# indentations.
+	DOCS+=( cvs-format.el )
+
+	if use doc; then
+		DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} )
+		HTML_DOCS=( ../cederqvist-${PV}.html/. )
+	fi
+
+	default
+
+	use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html
+
+	if use server; then
+		newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver
+		newenvd "${FILESDIR}"/01-cvs-env.d 01cvs
+	fi
+
+	newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs
+}
+
+pkg_postinst() {
+	use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
+}
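Review bot: The `PATCHES` entry for `${P}-CVE-2017-12836-commandinjection.patch` carries no bug reference, unlike most of its neighbours, although the commit message names bug #627498; append `# 627498` to that line so the security fix stays traceable from the ebuild itself. `RESTRICT="test"` means no test run backs this security revision, and a short comment stating why the suite is restricted would tell a reviewer whether that is still necessary. In `src_configure`, `--with-tmpdir=${EPREFIX%/}/tmp` is expanded unquoted and would word-split on a prefix containing whitespace; `--with-tmpdir="${EPREFIX%/}"/tmp` avoids that.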

diff --git a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
new file mode 100644
index 00000000000..87b1fdc9584
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
@@ -0,0 +1,22 @@
+diff -Naurp a/src/rsh-client.c b/src/rsh-client.c
+--- a/src/rsh-client.c	2005-03-15 18:45:10.000000000 +0100
++++ b/src/rsh-client.c	2017-08-26 17:43:23.228060155 +0200
+@@ -97,6 +97,9 @@ start_rsh_server (cvsroot_t *root, struc
+ 	rsh_argv[i++] = root->username;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     rsh_argv[i++] = "server";
+@@ -171,6 +174,8 @@ start_rsh_server (cvsroot_t *root, struc
+ 	    *p++ = root->username;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;
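Review bot: Both added `"--"` entries in `start_rsh_server` only help when the remote-shell program that this argv is built for honours `--` as end-of-options; a client that does not would still read a `root->hostname` beginning with `-` as an option. As defence in depth, the hostname could be rejected before either argv is assembled, with a guard such as `if (root->hostname[0] == '-')` followed by a fatal error; whether the CVSROOT parser already refuses such names is not visible from this patch. The function starts and ends outside both inner hunks. The patch file also has no header naming its origin or the bug, which the commit message gives as MirBSD and bug #627498; two lines at the top of the file would keep that provenance with the patch.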

