From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-969180-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id C04E21396D0
	for <garchives@archives.gentoo.org>; Sat, 26 Aug 2017 16:03:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 0251CE0BE2;
	Sat, 26 Aug 2017 16:03:11 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id CA394E0BE2
	for <gentoo-commits@lists.gentoo.org>; Sat, 26 Aug 2017 16:03:10 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 9BCC5341673
	for <gentoo-commits@lists.gentoo.org>; Sat, 26 Aug 2017 16:03:09 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 01F02836E
	for <gentoo-commits@lists.gentoo.org>; Sat, 26 Aug 2017 16:03:08 +0000 (UTC)
From: "Hanno Boeck" <hanno@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Hanno Boeck" <hanno@gentoo.org>
Message-ID: <1503762714.9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b.hanno@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-vcs/cvs/files/, dev-vcs/cvs/
X-VCS-Repository: repo/gentoo
X-VCS-Files: dev-vcs/cvs/cvs-1.12.12-r12.ebuild dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
X-VCS-Directories: dev-vcs/cvs/ dev-vcs/cvs/files/
X-VCS-Committer: hanno
X-VCS-Committer-Name: Hanno Boeck
X-VCS-Revision: 9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b
X-VCS-Branch: master
Date: Sat, 26 Aug 2017 16:03:08 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d2ba6e28-7d1a-4feb-a707-41e5a98b095b
X-Archives-Hash: ba5ec22f107d460a92924d29b2784e54

commit:     9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b
Author:     Hanno <hanno <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 26 15:51:54 2017 +0000
Commit:     Hanno Boeck <hanno <AT> gentoo <DOT> org>
CommitDate: Sat Aug 26 15:51:54 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9aae21ba

dev-vcs/cvs: Fix command injection (CVE-2017-12836).

Patch taken from MirBSD (excluding comment-only changes that
didn't apply cleanly). See bug #627498.

Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-vcs/cvs/cvs-1.12.12-r12.ebuild                 | 101 +++++++++++++++++++++
 ...s-1.12.12-CVE-2017-12836-commandinjection.patch |  22 +++++
 2 files changed, 123 insertions(+)

diff --git a/dev-vcs/cvs/cvs-1.12.12-r12.ebuild b/dev-vcs/cvs/cvs-1.12.12-r12.ebuild
new file mode 100644
index 00000000000..4f603809d51
--- /dev/null
+++ b/dev-vcs/cvs/cvs-1.12.12-r12.ebuild
@@ -0,0 +1,101 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit pam toolchain-funcs
+
+DESCRIPTION="Concurrent Versions System - source code revision control tools"
+HOMEPAGE="http://cvs.nongnu.org/"
+
+SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2
+	doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2
+		mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf
+		mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )"
+
+LICENSE="GPL-2 LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+
+IUSE="crypt doc kerberos nls pam server"
+RESTRICT="test"
+
+DEPEND=">=sys-libs/zlib-1.1.4
+	kerberos? ( virtual/krb5 )
+	pam? ( virtual/pam )"
+RDEPEND="${DEPEND}"
+
+src_unpack() {
+	unpack ${P}.tar.bz2
+	use doc && unpack cederqvist-${PV}.html.tar.bz2
+}
+
+PATCHES=(
+	"${FILESDIR}"/${P}-cvsbug-tmpfix.patch
+	"${FILESDIR}"/${P}-openat.patch
+	"${FILESDIR}"/${P}-block-requests.patch
+	"${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch
+	"${FILESDIR}"/${P}-install-sh.patch
+	"${FILESDIR}"/${P}-hash-nameclash.patch # for AIX
+	"${FILESDIR}"/${P}-getdelim.patch # 314791
+	"${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114
+	"${FILESDIR}"/${P}-mktime-x32.patch # 395641
+	"${FILESDIR}"/${P}-fix-massive-leak.patch
+	"${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
+	"${FILESDIR}"/${P}-CVE-2012-0804.patch
+	"${FILESDIR}"/${P}-format-security.patch
+	"${FILESDIR}"/${P}-musl.patch
+	"${FILESDIR}"/${P}-CVE-2017-12836-commandinjection.patch
+	)
+DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \
+	PROJECTS README TESTS TODO )
+
+src_prepare() {
+	default
+
+	sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die
+}
+
+src_configure() {
+	if tc-is-cross-compiler ; then
+		# Sane defaults when cross-compiling (as these tests want to
+		# try and execute code).
+		export cvs_cv_func_printf_ptr="yes"
+	fi
+	econf \
+		--with-external-zlib \
+		--with-tmpdir=${EPREFIX%/}/tmp \
+		$(use_enable crypt encryption) \
+		$(use_with kerberos gssapi) \
+		$(use_enable nls) \
+		$(use_enable pam) \
+		$(use_enable server)
+}
+
+src_install() {
+	# Not installed into emacs site-lisp because it clobbers the normal C
+	# indentations.
+	DOCS+=( cvs-format.el )
+
+	if use doc; then
+		DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} )
+		HTML_DOCS=( ../cederqvist-${PV}.html/. )
+	fi
+
+	default
+
+	use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html
+
+	if use server; then
+		newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver
+		newenvd "${FILESDIR}"/01-cvs-env.d 01cvs
+	fi
+
+	newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs
+}
+
+pkg_postinst() {
+	use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
+}

diff --git a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
new file mode 100644
index 00000000000..87b1fdc9584
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
@@ -0,0 +1,22 @@
+diff -Naurp a/src/rsh-client.c b/src/rsh-client.c
+--- a/src/rsh-client.c	2005-03-15 18:45:10.000000000 +0100
++++ b/src/rsh-client.c	2017-08-26 17:43:23.228060155 +0200
+@@ -97,6 +97,9 @@ start_rsh_server (cvsroot_t *root, struc
+ 	rsh_argv[i++] = root->username;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     rsh_argv[i++] = "server";
+@@ -171,6 +174,8 @@ start_rsh_server (cvsroot_t *root, struc
+ 	    *p++ = root->username;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;