dev-vcs/cvs: Fix command injection (CVE-2017-12836).
Patch taken from MirBSD (excluding comment-only changes that didn't apply cleanly). See bug #627498. Package-Manager: Portage-2.3.8, Repoman-2.3.3
Showing
2 changed files
with
123 additions
and
0 deletions.
@@ -0,0 +1,101 @@ | ||
# Copyright 1999-2017 Gentoo Foundation | ||
# Distributed under the terms of the GNU General Public License v2 | ||
|
||
EAPI=6 | ||
|
||
inherit pam toolchain-funcs | ||
|
||
DESCRIPTION="Concurrent Versions System - source code revision control tools" | ||
HOMEPAGE="http://cvs.nongnu.org/" | ||
|
||
SRC_URI="mirror://gnu/non-gnu/cvs/source/feature/${PV}/${P}.tar.bz2 | ||
doc? ( mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.html.tar.bz2 | ||
mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.pdf | ||
mirror://gnu/non-gnu/cvs/source/feature/${PV}/cederqvist-${PV}.ps )" | ||
|
||
LICENSE="GPL-2 LGPL-2" | ||
SLOT="0" | ||
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" | ||
|
||
IUSE="crypt doc kerberos nls pam server" | ||
RESTRICT="test" | ||
|
||
DEPEND=">=sys-libs/zlib-1.1.4 | ||
kerberos? ( virtual/krb5 ) | ||
pam? ( virtual/pam )" | ||
RDEPEND="${DEPEND}" | ||
|
||
src_unpack() { | ||
unpack ${P}.tar.bz2 | ||
use doc && unpack cederqvist-${PV}.html.tar.bz2 | ||
} | ||
|
||
PATCHES=( | ||
"${FILESDIR}"/${P}-cvsbug-tmpfix.patch | ||
"${FILESDIR}"/${P}-openat.patch | ||
"${FILESDIR}"/${P}-block-requests.patch | ||
"${FILESDIR}"/${P}-cvs-gnulib-vasnprintf.patch | ||
"${FILESDIR}"/${P}-install-sh.patch | ||
"${FILESDIR}"/${P}-hash-nameclash.patch # for AIX | ||
"${FILESDIR}"/${P}-getdelim.patch # 314791 | ||
"${FILESDIR}"/${PN}-1.12.12-rcs2log-coreutils.patch # 144114 | ||
"${FILESDIR}"/${P}-mktime-x32.patch # 395641 | ||
"${FILESDIR}"/${P}-fix-massive-leak.patch | ||
"${FILESDIR}"/${P}-mktime-configure.patch #220040 #570208 | ||
"${FILESDIR}"/${P}-CVE-2012-0804.patch | ||
"${FILESDIR}"/${P}-format-security.patch | ||
"${FILESDIR}"/${P}-musl.patch | ||
"${FILESDIR}"/${P}-CVE-2017-12836-commandinjection.patch | ||
) | ||
DOCS=( BUGS ChangeLog{,.zoo} DEVEL-CVS FAQ HACKING MINOR-BUGS NEWS \ | ||
PROJECTS README TESTS TODO ) | ||
|
||
src_prepare() { | ||
default | ||
|
||
sed -i "/^AR/s/ar/$(tc-getAR)/" diff/Makefile.in lib/Makefile.in || die | ||
} | ||
|
||
src_configure() { | ||
if tc-is-cross-compiler ; then | ||
# Sane defaults when cross-compiling (as these tests want to | ||
# try and execute code). | ||
export cvs_cv_func_printf_ptr="yes" | ||
fi | ||
econf \ | ||
--with-external-zlib \ | ||
--with-tmpdir=${EPREFIX%/}/tmp \ | ||
$(use_enable crypt encryption) \ | ||
$(use_with kerberos gssapi) \ | ||
$(use_enable nls) \ | ||
$(use_enable pam) \ | ||
$(use_enable server) | ||
} | ||
|
||
src_install() { | ||
# Not installed into emacs site-lisp because it clobbers the normal C | ||
# indentations. | ||
DOCS+=( cvs-format.el ) | ||
|
||
if use doc; then | ||
DOCS+=( "${DISTDIR}"/cederqvist-${PV}.{pdf,ps} ) | ||
HTML_DOCS=( ../cederqvist-${PV}.html/. ) | ||
fi | ||
|
||
default | ||
|
||
use doc && dosym cvs.html /usr/share/doc/${PF}/html/index.html | ||
|
||
if use server; then | ||
newdoc "${FILESDIR}"/cvs-1.12.12-cvs-custom.c cvs-custom.c | ||
insinto /etc/xinetd.d | ||
newins "${FILESDIR}"/cvspserver.xinetd.d cvspserver | ||
newenvd "${FILESDIR}"/01-cvs-env.d 01cvs | ||
fi | ||
|
||
newpamd "${FILESDIR}"/cvs.pam-include-1.12.12 cvs | ||
} | ||
|
||
pkg_postinst() { | ||
use server || elog "If you want any CVS server functionality, you MUST emerge with USE=server!" | ||
} |
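Review bot: In src_prepare, the sed expression `"/^AR/s/ar/$(tc-getAR)/"` splices the archiver name into a `/`-delimited substitution, so an AR value containing a slash (for example a full path) yields a malformed expression. The trailing `|| die` means this aborts the build rather than misapplying the edit, but a delimiter unlikely to occur in the value is more robust, e.g. `sed -i "/^AR/s|ar|$(tc-getAR)|" diff/Makefile.in lib/Makefile.in || die`. In src_configure, `--with-tmpdir=${EPREFIX%/}/tmp` is also unquoted and would word-split if the prefix contained whitespace; `--with-tmpdir="${EPREFIX%/}/tmp"` avoids that.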
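--- a/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
+++ b/dev-vcs/cvs/files/cvs-1.12.12-CVE-2017-12836-commandinjection.patch
@@ -0,0 +1,22 @@
+diff -Naurp a/src/rsh-client.c b/src/rsh-client.c
+--- a/src/rsh-client.c 2005-03-15 18:45:10.000000000 +0100
++++ b/src/rsh-client.c 2017-08-26 17:43:23.228060155 +0200
+@@ -97,6 +97,9 @@ start_rsh_server (cvsroot_t *root, struc
+rsh_argv[i++] = root->username;
+}
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+rsh_argv[i++] = root->hostname;
+rsh_argv[i++] = cvs_server;
+rsh_argv[i++] = "server";
+@@ -171,6 +174,8 @@ start_rsh_server (cvsroot_t *root, struc
+*p++ = root->username;
+}
+
++ *p++ = "--";
++
+*p++ = root->hostname;
+*p++ = command;
+*p++ = NULL;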
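Review bot: The `"--"` added before `root->hostname` in both hunks of start_rsh_server only protects when the remote-shell program that CVS launches (selectable through CVS_RSH) treats `--` as end-of-options; a client that does not will fail or misread its arguments. A defence that does not depend on the client would be to also reject a hostname beginning with `-` where the CVSROOT is parsed, which is outside these hunks. `root->username` is still pushed before the marker, presumably as the argument of a preceding `-l`, so it is worth confirming it cannot be read as an option either. Both argument arrays are declared outside the hunks, so confirm each still has room for the extra element plus the terminating NULL. The second hunk's `*p++ = "--";` lacks the explanation the first one carries; repeat `/* Only non-option arguments from here. (CVE-2017-12836) */` above it.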