dev-vcs/cvs: security fix, QA fix and musl compilation fix

* add patch for CVE-2012-0804 (#402593) * respect AR (#440270) * fix format-security (#520508) * fix compilation with musl libc * modernize ebuild Gentoo-Bug: https://bugs.gentoo.org/402593 Gentoo-Bug: https://bugs.gentoo.org/440270 Gentoo-Bug: https://bugs.gentoo.org/520508
author: Felix Janda <felix.janda@posteo.de> 2016-10-21 20:17:27 -0400
committer: Felix Janda <felix.janda@posteo.de> 2016-10-22 20:05:16 -0400
commit: a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f (patch)
tree: 30ffa23f68f10619cad6de668316065c879d9b0f /dev-vcs
parent: dev-vcs/qgit: x86 stable (diff)
download: gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.tar.gz
gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.tar.bz2
gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.zip
8 files changed, 178 insertions, 9 deletions
diff --git a/dev-vcs/cvs/cvs-1.12.12-r11.ebuild b/dev-vcs/cvs/cvs-1.12.12-r11.ebuild
new file mode 100644
index 000000000000..860cd3f7db43
--- /dev/null
+++ b/dev-vcs/cvs/cvs-1.12.12-r11.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit pam toolchain-funcs
+
+DESCRIPTION="Concurrent Versions System - source code revision control tools"
+HOMEPAGE="http://cvs.nongnu.org/"
+
+SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2
+	doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2
+		mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf
+		mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )"
+
+LICENSE="GPL-2 LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64
+	~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
+	~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint
+	~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+
+IUSE="crypt doc kerberos nls pam server"
+RESTRICT="test"
+
+DEPEND=">=sys-libs/zlib-1.1.4
+	kerberos? ( virtual/krb5 )
+	pam? ( virtual/pam )"
+RDEPEND="${DEPEND}"
+
+src_unpack() {
+	unpack ${P}.tar.bz2
+	use doc && unpack cederqvist-${PV}.html.tar.bz2
+}
+
+PATCHES=(
+	"${FILESDIR}"/${P}-cvsbug-tmpfix.patch
+	"${FILESDIR}"/${P}-openat.patch
+	"${FILESDIR}"/${P}-block-requests.patch
+	"${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch
+	"${FILESDIR}"/${P}-install-sh.patch
+	"${FILESDIR}"/${P}-hash-nameclash.patch # for AIX
+	"${FILESDIR}"/${P}-getdelim.patch # 314791
+	"${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114
+	"${FILESDIR}"/${P}-mktime-x32.patch # 395641
+	"${FILESDIR}"/${P}-fix-massive-leak.patch
+	"${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208
+	"${FILESDIR}"/${P}-CVE-2012-0804.patch
+	"${FILESDIR}"/${P}-format-security.patch
+	"${FILESDIR}"/${P}-musl.patch
+	)
+DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \
+	PROJECTS README TESTS TODO )
+
+src_prepare() {
+	default
+
+	sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die
+}
+
+src_configure() {
+	if tc-is-cross-compiler ; then
+		# Sane defaults when cross-compiling (as these tests want to
+		# try and execute code).
+		export cvs_cv_func_printf_ptr="yes"
+	fi
+	econf \
+		--with-external-zlib \
+		--with-tmpdir=${EPREFIX%/}/tmp \
+		$(use_enable crypt encryption) \
+		$(use_with kerberos gssapi) \
+		$(use_enable nls) \
+		$(use_enable pam) \
+		$(use_enable server)
+}
+
+src_install() {
+	# Not installed into emacs site-lisp because it clobbers the normal C
+	# indentations.
+	DOCS+=( cvs-format.el )
+
+	if use doc; then
+		DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} )
+		HTML_DOCS=( ../cederqvist-${PV}.html/. )
+	fi
+
+	default
+
+	use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html
+
+	if use server; then
+		newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver
+		newenvd "${FILESDIR}"/01-cvs-env.d 01cvs
+	fi
+
+	newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs
+}
+
+pkg_postinst() {
+	use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!"
+}
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch
new file mode 100644
index 000000000000..107c3ea12204
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2012-0804.patch
@@ -0,0 +1,30 @@
+[CVE-2012-0804] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+
+Index: src/client.c
+===================================================================
+RCS file: /sources/cvs/ccvs/src/client.c,v
+retrieving revision 1.483
+diff -u -r1.483 client.c
+--- a/src/client.c	18 Nov 2008 22:59:02 -0000	1.483
++++ b/src/client.c	26 Jan 2012 16:32:25 -0000
+@@ -4339,9 +4339,9 @@
+          * code.
+          */
+ 	read_line_via (from_server, to_server, &read_buf);
+-	sscanf (read_buf, "%s %d", write_buf, &codenum);
++	count = sscanf (read_buf, "%*s %d", &codenum);
+ 
+-	if ((codenum / 100) != 2)
++	if (count != 1 || (codenum / 100) != 2)
+ 	    error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ 		   root->proxy_hostname, proxy_port_number);
+ 	free (read_buf);
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch b/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch
new file mode 100644
index 000000000000..d710a9020735
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-format-security.patch
@@ -0,0 +1,22 @@
+--- a/diff/diff3.c
++++ b/diff/diff3.c
+@@ -1503,7 +1503,7 @@
+ 	      line = 0;
+ 	      do
+ 		{
+-		  printf_output (line_prefix);
++		  printf_output ("%s", line_prefix);
+ 		  cp = D_RELNUM (ptr, realfile, line);
+ 		  length = D_RELLEN (ptr, realfile, line);
+ 		  write_output (cp, length);
+--- a/src/main.c
++++ b/src/main.c
+@@ -1375,7 +1375,7 @@
+ {
+     (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);
+     for (; *cpp; cpp++)
+-	(void) fprintf (stderr, *cpp);
++	(void) fprintf (stderr, "%s", *cpp);
+     exit (EXIT_FAILURE);
+ }
+ 
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch b/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch
index 04eb03ab600d..837d4408ab1f 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-getdelim.patch
@@ -8,8 +8,8 @@ http://bugs.gentoo.org/314791
 Already comitted upstream:
 http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39
 
---- src/myndbm.c.orig
-+++ src/myndbm.c
+--- a/src/myndbm.c.orig
++++ b/src/myndbm.c
 @@ -213,7 +213,7 @@
  mydbm_load_file (FILE *fp, List *list, char *filename)
  {
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch b/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch
index 0a33eea873ff..95fd61e0a51a 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-hash-nameclash.patch
@@ -1,8 +1,8 @@
 http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch
 fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a
 
---- src/hash.h.orig	2005-02-01 22:56:48 +0100
-+++ src/hash.h	2010-03-10 19:00:11 +0100
+--- a/src/hash.h.orig	2005-02-01 22:56:48 +0100
++++ b/src/hash.h	2010-03-10 19:00:11 +0100
 @@ -27,26 +27,26 @@
  };
  typedef enum ntype Ntype;
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
index 1a9c47b68ba8..03d7f35601e2 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-mktime-configure.patch
@@ -3,8 +3,8 @@ https://bugs.gentoo.org/570208
 
 update mktime check to latest autoconf version which is less buggy
 
---- configure
-+++ configure
+--- a/configure
++++ b/configure
 @@ -5299,26 +6059,25 @@
  cat >>conftest.$ac_ext <<_ACEOF
  /* end confdefs.h.  */
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-musl.patch b/dev-vcs/cvs/files/cvs-1.12.12-musl.patch
new file mode 100644
index 000000000000..e426cf55fcc7
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.12.12-musl.patch
@@ -0,0 +1,13 @@
+http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html
+
+--- a/lib/regex.c
++++ b/lib/regex.c
+@@ -8184,7 +8184,7 @@
+       if (msg_size > errbuf_size)
+         {
+ #if defined HAVE_MEMPCPY || defined _LIBC
+-	  *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
++	  *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
+ #else
+           memcpy (errbuf, msg, errbuf_size - 1);
+           errbuf[errbuf_size - 1] = 0;
diff --git a/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch b/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch
index 0fb4c6c6d73d..7dda3f0f1724 100644
--- a/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-rcs2log-coreutils.patch
@@ -1,8 +1,8 @@
 X-Gentoo-bug: 144114
 
-diff -Nuar cvs-1.12.12.orig//contrib/rcs2log.sh cvs-1.12.12//contrib/rcs2log.sh
---- cvs-1.12.12.orig//contrib/rcs2log.sh	2003-02-25 21:32:51.000000000 +0000
-+++ cvs-1.12.12//contrib/rcs2log.sh	2010-12-06 21:14:33.831532212 +0000
+diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh
+--- cvs-1.12.12.orig/contrib/rcs2log.sh	2003-02-25 21:32:51.000000000 +0000
++++ cvs-1.12.12/contrib/rcs2log.sh	2010-12-06 21:14:33.831532212 +0000
 @@ -620,7 +620,7 @@
  # Sort the log entries, first by date+time (in reverse order),
  # then by author, then by log entry, and finally by file name and revision
author	Felix Janda <felix.janda@posteo.de>	2016-10-21 20:17:27 -0400
committer	Felix Janda <felix.janda@posteo.de>	2016-10-22 20:05:16 -0400
commit	a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f (patch)
tree	30ffa23f68f10619cad6de668316065c879d9b0f /dev-vcs
parent	dev-vcs/qgit: x86 stable (diff)
download	gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.tar.gz gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.tar.bz2 gentoo-a06f6c599f999a9ae9b1e7ca448712ebfb31ad5f.zip