From 087b50daeee6b58683282f18faaff0ceb800d246 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Sat, 15 Jan 2011 14:56:07 +0100
Subject: [PATCH] Added cvs-1.11.23 build template.
---
.../patches/cvs-1.11.23-cve-2010-3846.patch | 167 ++++++++++++++++++
.../cvs/patches/cvs-1.11.23-getline64.patch | 34 ++++
srcpkgs/cvs/template | 18 ++
3 files changed, 219 insertions(+)
create mode 100644 srcpkgs/cvs/patches/cvs-1.11.23-cve-2010-3846.patch
create mode 100644 srcpkgs/cvs/patches/cvs-1.11.23-getline64.patch
create mode 100644 srcpkgs/cvs/template
diff --git a/srcpkgs/cvs/patches/cvs-1.11.23-cve-2010-3846.patch b/srcpkgs/cvs/patches/cvs-1.11.23-cve-2010-3846.patch
new file mode 100644
index 0000000000..e1560cef82
--- /dev/null
+++ b/srcpkgs/cvs/patches/cvs-1.11.23-cve-2010-3846.patch
@@ -0,0 +1,167 @@
+From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
+From: Larry Jones
+Date: Thu, 21 Oct 2010 10:08:16 +0200
+Subject: [PATCH] Fix for CVE-2010-3846
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Mallformed RCS revision (delete after the end of input file, or overlayed
+deleted regions) screws output file image size computation. This leads to
+write attempt after the allocated memory opening hiden memory corruption
+driven by CVS server.
+
+Signed-off-by: Petr Písař
+---
+ src/rcs.c | 52 +++++++++++++++++++++++++++++----------------------
+ 1 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/src/rcs.c b/src/rcs.c
+index 7d0d078..2f88f85 100644
+--- a/src/rcs.c
++++ b/src/rcs.c
+@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ struct deltafrag *dfhead;
+ struct deltafrag **dftail;
+ struct deltafrag *df;
+- unsigned long numlines, lastmodline, offset;
++ unsigned long numlines, offset;
+ struct linevector lines;
+ int err;
+
+@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+
+ /* New temp data structure to hold new org before
+ copy back into original structure. */
+- lines.nlines = lines.lines_alloced = numlines;
++ lines.lines_alloced = numlines;
+ lines.vector = xmalloc (numlines * sizeof *lines.vector);
+
+ /* We changed the list order to first to last -- so the
+ list never gets larger than the size numlines. */
+- lastmodline = 0;
++ lines.nlines = 0;
+
+ /* offset created when adding/removing lines
+ between new and original structure */
+@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ for (df = dfhead; df != NULL; )
+ {
+ unsigned int ln;
+- unsigned long deltaend;
++ unsigned long newpos = df->pos - offset;
+
+- if (df->pos > orig_lines->nlines)
++ if (newpos < lines.nlines || newpos > numlines)
+ err = 1;
+
+ /* On error, just free the rest of the list. */
+ if (!err)
+ {
+- /* Here we need to get to the line where the next insert will
++ /* Here we need to get to the line where the next change will
+ begin, which is DF->pos in ORIG_LINES. We will fill up to
+ DF->pos - OFFSET in LINES with original items. */
+- for (deltaend = df->pos - offset;
+- lastmodline < deltaend;
+- lastmodline++)
++ while (lines.nlines < newpos)
+ {
+ /* we need to copy from the orig structure into new one */
+- lines.vector[lastmodline] =
+- orig_lines->vector[lastmodline + offset];
+- lines.vector[lastmodline]->refcount++;
++ lines.vector[lines.nlines] =
++ orig_lines->vector[lines.nlines + offset];
++ lines.vector[lines.nlines]->refcount++;
++ lines.nlines++;
+ }
+
+ switch (df->type)
+@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ struct line *q;
+ int nextline_newline;
+ size_t nextline_len;
+-
++ if (newpos + df->nlines > numlines)
++ {
++ err = 1;
++ break;
++ }
+ textend = df->new_lines + df->len;
+ nextline_newline = 0;
+ nextline_text = df->new_lines;
+@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ q->has_newline = nextline_newline;
+ q->refcount = 1;
+ memcpy (q->text, nextline_text, nextline_len);
+- lines.vector[lastmodline++] = q;
+- offset--;
++ lines.vector[lines.nlines++] = q;
+
+ nextline_text = (char *)p + 1;
+ nextline_newline = 0;
+@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ q->has_newline = nextline_newline;
+ q->refcount = 1;
+ memcpy (q->text, nextline_text, nextline_len);
+- lines.vector[lastmodline++] = q;
++ lines.vector[lines.nlines++] = q;
+
+ /* For each line we add the offset between the #'s
+ decreases. */
+- offset--;
++ offset -= df->nlines;
+ break;
+ }
+
+@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ if (df->pos + df->nlines > orig_lines->nlines)
+ err = 1;
+ else if (delvers)
++ {
+ for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
++ {
+ if (orig_lines->vector[ln]->refcount > 1)
+ /* Annotate needs this but, since the original
+ * vector is disposed of before returning from
+@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ * there are multiple references.
+ */
+ orig_lines->vector[ln]->vers = delvers;
++ }
++ }
+ break;
+ }
+ }
+@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ else
+ {
+ /* add the rest of the remaining lines to the data vector */
+- for (; lastmodline < numlines; lastmodline++)
++ while (lines.nlines < numlines)
+ {
+ /* we need to copy from the orig structure into new one */
+- lines.vector[lastmodline] = orig_lines->vector[lastmodline
++ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
+ + offset];
+- lines.vector[lastmodline]->refcount++;
++ lines.vector[lines.nlines]->refcount++;
++ lines.nlines++;
+ }
+
+ /* Move the lines vector to the original structure for output,
+ * first deleting the old.
+ */
+ linevector_free (orig_lines);
+- orig_lines->vector = lines.vector;
+- orig_lines->lines_alloced = numlines;
+- orig_lines->nlines = lines.nlines;
++ *orig_lines = lines;
+ }
+
+ return !err;
+--
+1.7.2.3
+
diff --git a/srcpkgs/cvs/patches/cvs-1.11.23-getline64.patch b/srcpkgs/cvs/patches/cvs-1.11.23-getline64.patch
new file mode 100644
index 0000000000..99942e0589
--- /dev/null
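Review bot: In cvs-1.11.23-cve-2010-3846.patch, the new guard `if (newpos < lines.nlines || newpos > numlines)` bounds only the write index into `lines.vector`; the copy loop after it still reads `orig_lines->vector[lines.nlines + offset]` up to `df->pos - 1`, and the removed test `df->pos > orig_lines->nlines` was the only visible check on that read side. Unless the pass that computes `numlines` (outside these hunks) already guarantees `df->pos <= orig_lines->nlines`, I would keep both conditions: `if (newpos < lines.nlines || newpos > numlines || df->pos > orig_lines->nlines)`. Separately, `newpos + df->nlines > numlines` and `df->pos + df->nlines > orig_lines->nlines` can wrap if these counts are unsigned long values parsed from the RCS file; the subtraction form `df->nlines > numlines - newpos` avoids that, since `newpos <= numlines` is already established at that point. `apply_rcs_changes` starts and ends outside the hunks shown, so the types of `df->pos` and `df->nlines` are assumed here.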
+++ b/srcpkgs/cvs/patches/cvs-1.11.23-getline64.patch
@@ -0,0 +1,34 @@
+--- cvs-1.11.23/lib/getline.c 2005-04-04 22:46:05.000000000 +0200
++++ cvs-1.11.23/lib/getline.c.old 2008-06-03 19:06:25.000000000 +0200
+@@ -154,7 +154,7 @@
+ return ret;
+ }
+
+-int
++ssize_t
+ getline (lineptr, n, stream)
+ char **lineptr;
+ size_t *n;
+@@ -163,7 +163,7 @@
+ return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
+ }
+
+-int
++ssize_t
+ getline_safe (lineptr, n, stream, limit)
+ char **lineptr;
+ size_t *n;
+--- cvs-1.11.23/lib/getline.h 2005-04-04 22:46:05.000000000 +0200
++++ cvs-1.11.23/lib/getline.h.old 2008-06-03 19:06:27.000000000 +0200
+@@ -11,9 +11,9 @@
+
+ #define GETLINE_NO_LIMIT -1
+
+-int
++ssize_t
+ getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
+-int
++ssize_t
+ getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
+ int limit));
+ int
diff --git a/srcpkgs/cvs/template b/srcpkgs/cvs/template
new file mode 100644
index 0000000000..8a7f73e124
--- /dev/null
+++ b/srcpkgs/cvs/template
@@ -0,0 +1,18 @@
+# Template file for 'cvs'
+pkgname=cvs
+version=1.11.23
+patch_args="-Np1"
+distfiles="http://ftp.gnu.org/non-gnu/cvs/source/stable/$version/cvs-$version.tar.bz2"
+build_style=gnu_configure
+short_desc="Concurrent Versions System"
+maintainer="Juan RP "
+checksum=400f51b59d85116e79b844f2d5dbbad4759442a789b401a94aa5052c3d7a4aa9
+long_desc="
+ Sed, the GNU Stream Editor, copies the named files (standard input default)
+ to the standard output, edited according to a script of commands."
+
+Add_dependency run glibc
+Add_dependency run mit-krb5-libs
+Add_dependency build texinfo
+Add_dependency build mit-krb5-devel
+Add_dependency full openssh-client
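Review bot: cvs-1.11.23-getline64.patch has no header explaining why `getline` and `getline_safe` change from `int` to `ssize_t`, and nothing in its getline.h hunk makes `ssize_t` visible there; I would add a one-paragraph description at the top of the patch and confirm that `<sys/types.h>` is in scope before the prototypes. `getline` still just returns the value of `getstr`, and the trailing `int` context line in the getline.h hunk suggests `getstr` stays `int`, so the result's effective range is unchanged and only the prototypes are altered. Callers that store the return value in an `int` lie outside this patch and are worth checking.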
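Review bot: `long_desc` in srcpkgs/cvs/template is the description of sed ("Sed, the GNU Stream Editor, copies the named files…"), apparently left over from the template this one was copied from; it should describe CVS, for example `CVS is a version control system that records the history of source files and lets several developers work on the same tree.` The tarball is fetched over plain `http://`, so the `checksum=` line is the only integrity control on the download; switching `distfiles` to an `https://` mirror, if one is available, would be a cheap addition.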