diff options
author | 2017-08-26 17:51:54 +0200 | |
---|---|---|
committer | 2017-08-26 17:51:54 +0200 | |
commit | 9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b (patch) | |
tree | 641ca619b6a0a850432e9967104c53014793d023 /dev-vcs/cvs | |
parent | media-video/mkclean: bump to 0.8.10 (diff) | |
download | gentoo-9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b.tar.gz gentoo-9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b.tar.bz2 gentoo-9aae21baa940cba64b9ca3b26a5cdf69e88fdf2b.zip |
dev-vcs/cvs: Fix command injection (CVE-2017-12836).
Patch taken from MirBSD (excluding comment-only changes that
didn't apply cleanly). See bug #627498.
Package-Manager: Portage-2.3.8, Repoman-2.3.3
Diffstat (limited to 'dev-vcs/cvs')
-rw-r--r-- | dev-vcs/cvs/cvs-1.12.12-r12.ebuild | 101 | ||||
-rw-r--r-- | dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch | 22 |
2 files changed, 123 insertions, 0 deletions
diff --git a/dev-vcs/cvs/cvs-1.12.12-r12.ebuild b/dev-vcs/cvs/cvs-1.12.12-r12.ebuild new file mode 100644 index 000000000000..4f603809d51b --- /dev/null +++ b/dev-vcs/cvs/cvs-1.12.12-r12.ebuild @@ -0,0 +1,101 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit pam toolchain-funcs + +DESCRIPTION="Concurrent Versions System - source code revision control tools" +HOMEPAGE="http://cvs.nongnu.org/" + +SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2 + doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2 + mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf + mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )" + +LICENSE="GPL-2 LGPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" + +IUSE="crypt doc kerberos nls pam server" +RESTRICT="test" + +DEPEND=">=sys-libs/zlib-1.1.4 + kerberos? ( virtual/krb5 ) + pam? ( virtual/pam )" +RDEPEND="${DEPEND}" + +src_unpack() { + unpack ${P}.tar.bz2 + use doc && unpack cederqvist-${PV}.html.tar.bz2 +} + +PATCHES=( + "${FILESDIR}"/${P}-cvsbug-tmpfix.patch + "${FILESDIR}"/${P}-openat.patch + "${FILESDIR}"/${P}-block-requests.patch + "${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch + "${FILESDIR}"/${P}-install-sh.patch + "${FILESDIR}"/${P}-hash-nameclash.patch # for AIX + "${FILESDIR}"/${P}-getdelim.patch # 314791 + "${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114 + "${FILESDIR}"/${P}-mktime-x32.patch # 395641 + "${FILESDIR}"/${P}-fix-massive-leak.patch + "${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208 + "${FILESDIR}"/${P}-CVE-2012-0804.patch + "${FILESDIR}"/${P}-format-security.patch + "${FILESDIR}"/${P}-musl.patch + "${FILESDIR}"/${P}-CVE-2017-12836-commandinjection.patch + ) +DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \ + PROJECTS README TESTS TODO ) + +src_prepare() { + default + + sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die +} + +src_configure() { + if tc-is-cross-compiler ; then + # Sane defaults when cross-compiling (as these tests want to + # try and execute code). + export cvs_cv_func_printf_ptr="yes" + fi + econf \ + --with-external-zlib \ + --with-tmpdir=${EPREFIX%/}/tmp \ + $(use_enable crypt encryption) \ + $(use_with kerberos gssapi) \ + $(use_enable nls) \ + $(use_enable pam) \ + $(use_enable server) +} + +src_install() { + # Not installed into emacs site-lisp because it clobbers the normal C + # indentations. + DOCS+=( cvs-format.el ) + + if use doc; then + DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} ) + HTML_DOCS=( ../cederqvist-${PV}.html/. ) + fi + + default + + use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html + + if use server; then + newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c + insinto /etc/xinetd.d + newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver + newenvd "${FILESDIR}"/01-cvs-env.d 01cvs + fi + + newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs +} + +pkg_postinst() { + use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!" +} diff --git a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch new file mode 100644 index 000000000000..87b1fdc9584c --- /dev/null +++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch @@ -0,0 +1,22 @@ +diff -Naurp a/src/rsh-client.c b/src/rsh-client.c +--- a/src/rsh-client.c 2005-03-15 18:45:10.000000000 +0100 ++++ b/src/rsh-client.c 2017-08-26 17:43:23.228060155 +0200 +@@ -97,6 +97,9 @@ start_rsh_server (cvsroot_t *root, struc + rsh_argv[i++] = root->username; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + rsh_argv[i++] = "server"; +@@ -171,6 +174,8 @@ start_rsh_server (cvsroot_t *root, struc + *p++ = root->username; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; |