From 25d8479f41bf107402dbd0e0c41c43b7bea7e560 Mon Sep 17 00:00:00 2001
From: sibel
Date: Wed, 12 Jan 2011 07:52:55 +0100
Subject: cvs, maj 1.11.23-3

---
 base/cvs/.md5sum | 2 +
 base/cvs/Pkgfile | 11 ++-
 base/cvs/cvs-1.11.23-cve.patch | 167 +++++++++++++++++++++++++++++++++++++
 base/cvs/cvs-1.11.23-getline.patch | 34 ++++++++
 4 files changed, 212 insertions(+), 2 deletions(-)
 create mode 100644 base/cvs/cvs-1.11.23-cve.patch
 create mode 100644 base/cvs/cvs-1.11.23-getline.patch

diff --git a/base/cvs/.md5sum b/base/cvs/.md5sum
index 872d13fee..367efa989 100644
--- a/base/cvs/.md5sum
+++ b/base/cvs/.md5sum
@@ -1 +1,3 @@
+b089d3792c225857f00c3eee33809a16 cvs-1.11.23-cve.patch
+943f10d93fbadaea0ac54553dd85c03f cvs-1.11.23-getline.patch
 0213ea514e231559d6ff8f80a34117f0 cvs-1.11.23.tar.bz2
diff --git a/base/cvs/Pkgfile b/base/cvs/Pkgfile
index bda9d4b16..3e68fd2d7 100644
--- a/base/cvs/Pkgfile
+++ b/base/cvs/Pkgfile
@@ -6,11 +6,18 @@
 
 name=cvs
 version=1.11.23
-release=2
-source=(http://nongnu.mirror.ironie.org/releases/$name/source/stable/$version/$name-$version.tar.bz2)
+release=3
+
+source=(http://nongnu.mirror.ironie.org/releases/$name/source/stable/$version/$name-$version.tar.bz2
+ cvs-1.11.23-getline.patch
+ cvs-1.11.23-cve.patch)
 
 build() {
 cd $name-$version
+ unset EDITOR VISUAL
+ patch -Np1 -i ../cvs-1.11.23-getline.patch
+ patch -Np1 -i ../cvs-1.11.23-cve.patch
+
 ./configure --prefix=/usr
 make
 make DESTDIR=$PKG install
diff --git a/base/cvs/cvs-1.11.23-cve.patch b/base/cvs/cvs-1.11.23-cve.patch
new file mode 100644
index 000000000..e1560cef8
--- /dev/null
+++ b/base/cvs/cvs-1.11.23-cve.patch
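Review bot: The new `unset EDITOR VISUAL` line in build() carries no comment saying why it is there, and nothing in the hunk shows what it protects against; presumably it keeps the build host's editor from being baked into the configured defaults, but that is an inference to confirm. Record the reason next to the line once confirmed, e.g. `# keep the build host's editor out of the configured defaults`. The two `patch -Np1` lines are fine as ordered, since the getline and cve patches touch different files, but a one-line comment naming what each patch fixes would help the next maintainer (the cve one carries its CVE id only inside the patch file).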
@@ -0,0 +1,167 @@
+From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
+From: Larry Jones
+Date: Thu, 21 Oct 2010 10:08:16 +0200
+Subject: [PATCH] Fix for CVE-2010-3846
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Mallformed RCS revision (delete after the end of input file, or overlayed
+deleted regions) screws output file image size computation. This leads to
+write attempt after the allocated memory opening hiden memory corruption
+driven by CVS server.
+
+Signed-off-by: Petr Písař
+---
+ src/rcs.c | 52 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/src/rcs.c b/src/rcs.c
+index 7d0d078..2f88f85 100644
+--- a/src/rcs.c
++++ b/src/rcs.c
+@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ struct deltafrag *dfhead;
+ struct deltafrag **dftail;
+ struct deltafrag *df;
+- unsigned long numlines, lastmodline, offset;
++ unsigned long numlines, offset;
+ struct linevector lines;
+ int err;
+ 
+@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 
+ /* New temp data structure to hold new org before
+ copy back into original structure. */
+- lines.nlines = lines.lines_alloced = numlines;
++ lines.lines_alloced = numlines;
+ lines.vector = xmalloc (numlines * sizeof *lines.vector);
+ 
+ /* We changed the list order to first to last -- so the
+ list never gets larger than the size numlines. */
+- lastmodline = 0;
++ lines.nlines = 0;
+ 
+ /* offset created when adding/removing lines
+ between new and original structure */
+@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ for (df = dfhead; df != NULL; )
+ {
+ unsigned int ln;
+- unsigned long deltaend;
++ unsigned long newpos = df->pos - offset;
+ 
+- if (df->pos > orig_lines->nlines)
++ if (newpos < lines.nlines || newpos > numlines)
+ err = 1;
+ 
+ /* On error, just free the rest of the list. */
+ if (!err)
+ {
+- /* Here we need to get to the line where the next insert will
++ /* Here we need to get to the line where the next change will
+ begin, which is DF->pos in ORIG_LINES. We will fill up to
+ DF->pos - OFFSET in LINES with original items. */
+- for (deltaend = df->pos - offset;
+- lastmodline < deltaend;
+- lastmodline++)
++ while (lines.nlines < newpos)
+ {
+ /* we need to copy from the orig structure into new one */
+- lines.vector[lastmodline] =
+- orig_lines->vector[lastmodline + offset];
+- lines.vector[lastmodline]->refcount++;
++ lines.vector[lines.nlines] =
++ orig_lines->vector[lines.nlines + offset];
++ lines.vector[lines.nlines]->refcount++;
++ lines.nlines++;
+ }
+ 
+ switch (df->type)
+@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ struct line *q;
+ int nextline_newline;
+ size_t nextline_len;
+- 
++ 
++ if (newpos + df->nlines > numlines)
++ {
++ err = 1;
++ break;
++ }
+ textend = df->new_lines + df->len;
+ nextline_newline = 0;
+ nextline_text = df->new_lines;
+@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ q->has_newline = nextline_newline;
+ q->refcount = 1;
+ memcpy (q->text, nextline_text, nextline_len);
+- lines.vector[lastmodline++] = q;
+- offset--;
++ lines.vector[lines.nlines++] = q;
+ 
+ nextline_text = (char *)p + 1;
+ nextline_newline = 0;
+@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ q->has_newline = nextline_newline;
+ q->refcount = 1;
+ memcpy (q->text, nextline_text, nextline_len);
+- lines.vector[lastmodline++] = q;
++ lines.vector[lines.nlines++] = q;
+ 
+ /* For each line we add the offset between the #'s
+ decreases. */
+- offset--;
++ offset -= df->nlines;
+ break;
+ }
+ 
+@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ if (df->pos + df->nlines > orig_lines->nlines)
+ err = 1;
+ else if (delvers)
++ {
+ for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
++ {
+ if (orig_lines->vector[ln]->refcount > 1)
+ /* Annotate needs this but, since the original
+ * vector is disposed of before returning from
+@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ * there are multiple references.
+ */
+ orig_lines->vector[ln]->vers = delvers;
++ }
++ }
+ break;
+ }
+ }
+@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ else
+ {
+ /* add the rest of the remaining lines to the data vector */
+- for (; lastmodline < numlines; lastmodline++)
++ while (lines.nlines < numlines)
+ {
+ /* we need to copy from the orig structure into new one */
+- lines.vector[lastmodline] = orig_lines->vector[lastmodline
++ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
+ + offset];
+- lines.vector[lastmodline]->refcount++;
++ lines.vector[lines.nlines]->refcount++;
++ lines.nlines++;
+ }
+ 
+ /* Move the lines vector to the original structure for output,
+ * first deleting the old.
+ */
+ linevector_free (orig_lines);
+- orig_lines->vector = lines.vector;
+- orig_lines->lines_alloced = numlines;
+- orig_lines->nlines = lines.nlines;
++ *orig_lines = lines;
+ }
+ 
+ return !err;
+-- 
+1.7.2.3
+
diff --git a/base/cvs/cvs-1.11.23-getline.patch b/base/cvs/cvs-1.11.23-getline.patch
new file mode 100644
index 000000000..99942e058
--- /dev/null
+++ b/base/cvs/cvs-1.11.23-getline.patch
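Review bot: The rewritten guard `if (newpos < lines.nlines || newpos > numlines)` in the 7216 hunk replaces the old `df->pos > orig_lines->nlines` test, and the two are not equivalent once `offset` has wrapped below zero after an earlier add: an add positioned past the original's last line can then satisfy `newpos <= numlines` while `df->pos` still exceeds `orig_lines->nlines`, and the copy loop just below (`orig_lines->vector[lines.nlines + offset]`) reads past the original vector before the new `FRAG_ADD` bound check (`newpos + df->nlines > numlines`) is reached. Unless the parsing pass that builds the deltafrag list (above these hunks, so I cannot see it) already rejects such positions, keep both tests: `if (df->pos > orig_lines->nlines || newpos < lines.nlines || newpos > numlines) err = 1;`. A comment at `unsigned long newpos = df->pos - offset;` stating that `offset` is intended to wrap (unsigned) when additions so far outnumber deletions would also spare the next reader from reading it as an underflow bug. The `FRAG_ADD` bound additionally assumes `df->len` was computed to cover exactly `df->nlines` lines, which is decided outside the hunk — worth confirming. apply_rcs_changes begins and ends outside these hunks.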
@@ -0,0 +1,34 @@
+--- cvs-1.11.23/lib/getline.c 2005-04-04 22:46:05.000000000 +0200
++++ cvs-1.11.23/lib/getline.c.old 2008-06-03 19:06:25.000000000 +0200
+@@ -154,7 +154,7 @@
+ return ret;
+ }
+ 
+-int
++ssize_t
+ getline (lineptr, n, stream)
+ char **lineptr;
+ size_t *n;
+@@ -163,7 +163,7 @@
+ return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
+ }
+ 
+-int
++ssize_t
+ getline_safe (lineptr, n, stream, limit)
+ char **lineptr;
+ size_t *n;
+--- cvs-1.11.23/lib/getline.h 2005-04-04 22:46:05.000000000 +0200
++++ cvs-1.11.23/lib/getline.h.old 2008-06-03 19:06:27.000000000 +0200
+@@ -11,9 +11,9 @@
+ 
+ #define GETLINE_NO_LIMIT -1
+ 
+-int
++ssize_t
+ getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
+-int
++ssize_t
+ getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
+ int limit));
+ int
-- 
cgit v1.2.3-54-g00ecf
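Review bot: The `---`/`+++` headers of both file sections are reversed — `lib/getline.c` and `lib/getline.h` are listed as the old files and the `.old` copies as the new ones — so `patch -Np1` only lands on `lib/getline.c` because GNU patch falls back to whichever named file exists; regenerate the patch so the new side reads `+++ cvs-1.11.23/lib/getline.c` (and `+++ cvs-1.11.23/lib/getline.h`) rather than relying on that fallback. The change itself widens the return type of getline and getline_safe to `ssize_t`, presumably to match the libc prototype, but the header hunk does not show which include brings `ssize_t` into scope in getline.h — confirm it is already declared there. The bodies of getline, getline_safe and getstr lie outside the hunks.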