Add latest officially released version of CVS. The 1.11 branch is the only that actually behaves on most Prefix platforms, all other versions are masked. For this reason, only Prefix keywords have been added, as it is mainly intended for them. Bug #313799

Package-Manager: portage-2.2.01.17865-prefix/cvs/Darwin powerpc

2 files changed, 203 insertions, 0 deletions

diff --git a/dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch b/dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch
new file mode 100644
index 000000000000..e1560cef82e7
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.11.23-CVE-2010-3846.patch
@@ -0,0 +1,167 @@
+From b122edcb68ff05bb6eb22f6e50423e7f1050841b Mon Sep 17 00:00:00 2001
+From: Larry Jones <lawrence.jones@siemens.com>
+Date: Thu, 21 Oct 2010 10:08:16 +0200
+Subject: [PATCH] Fix for CVE-2010-3846
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Mallformed RCS revision (delete after the end of input file, or overlayed
+deleted regions) screws output file image size computation. This leads to
+write attempt after the allocated memory opening hiden memory corruption
+driven by CVS server.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/rcs.c |   52 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 29 insertions(+), 23 deletions(-)
+
+diff --git a/src/rcs.c b/src/rcs.c
+index 7d0d078..2f88f85 100644
+--- a/src/rcs.c
++++ b/src/rcs.c
+@@ -7128,7 +7128,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+     struct deltafrag *dfhead;
+     struct deltafrag **dftail;
+     struct deltafrag *df;
+-    unsigned long numlines, lastmodline, offset;
++    unsigned long numlines, offset;
+     struct linevector lines;
+     int err;
+ 
+@@ -7202,12 +7202,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 
+     /* New temp data structure to hold new org before
+        copy back into original structure. */
+-    lines.nlines = lines.lines_alloced = numlines;
++    lines.lines_alloced = numlines;
+     lines.vector = xmalloc (numlines * sizeof *lines.vector);
+ 
+     /* We changed the list order to first to last -- so the
+        list never gets larger than the size numlines. */
+-    lastmodline = 0; 
++    lines.nlines = 0; 
+ 
+     /* offset created when adding/removing lines
+        between new and original structure */
+@@ -7216,25 +7216,24 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+     for (df = dfhead; df != NULL; )
+     {
+ 	unsigned int ln;
+-	unsigned long deltaend;
++	unsigned long newpos = df->pos - offset;
+ 
+-	if (df->pos > orig_lines->nlines)
++	if (newpos < lines.nlines || newpos > numlines)
+ 	    err = 1;
+ 
+ 	/* On error, just free the rest of the list.  */
+ 	if (!err)
+ 	{
+-	    /* Here we need to get to the line where the next insert will
++	    /* Here we need to get to the line where the next change will
+ 	       begin, which is DF->pos in ORIG_LINES.  We will fill up to
+ 	       DF->pos - OFFSET in LINES with original items.  */
+-	    for (deltaend = df->pos - offset;
+-		 lastmodline < deltaend;
+-		 lastmodline++)
++	    while (lines.nlines < newpos)
+ 	    {
+ 		/* we need to copy from the orig structure into new one */
+-		lines.vector[lastmodline] =
+-			orig_lines->vector[lastmodline + offset];
+-		lines.vector[lastmodline]->refcount++;
++		lines.vector[lines.nlines] =
++			orig_lines->vector[lines.nlines + offset];
++		lines.vector[lines.nlines]->refcount++;
++		lines.nlines++;
+ 	    }
+ 
+ 	    switch (df->type)
+@@ -7246,7 +7245,12 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 		    struct line *q;
+ 		    int nextline_newline;
+ 		    size_t nextline_len;
+-		
++
++		    if (newpos + df->nlines > numlines)
++		    {
++			err = 1;
++			break;
++		    }
+ 		    textend = df->new_lines + df->len;
+ 		    nextline_newline = 0;
+ 		    nextline_text = df->new_lines;
+@@ -7271,8 +7275,7 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 			    q->has_newline = nextline_newline;
+ 			    q->refcount = 1;
+ 			    memcpy (q->text, nextline_text, nextline_len);
+-			    lines.vector[lastmodline++] = q;
+-			    offset--;
++			    lines.vector[lines.nlines++] = q;
+ 		    
+ 			    nextline_text = (char *)p + 1;
+ 			    nextline_newline = 0;
+@@ -7286,11 +7289,11 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 		    q->has_newline = nextline_newline;
+ 		    q->refcount = 1;
+ 		    memcpy (q->text, nextline_text, nextline_len);
+-		    lines.vector[lastmodline++] = q;
++		    lines.vector[lines.nlines++] = q;
+ 
+ 		    /* For each line we add the offset between the #'s
+ 		       decreases. */
+-		    offset--;
++		    offset -= df->nlines;
+ 		    break;
+ 		}
+ 
+@@ -7301,7 +7304,9 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 		    if (df->pos + df->nlines > orig_lines->nlines)
+ 			err = 1;
+ 		    else if (delvers)
++		    {
+ 			for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
++			{
+ 			    if (orig_lines->vector[ln]->refcount > 1)
+ 				/* Annotate needs this but, since the original
+ 				 * vector is disposed of before returning from
+@@ -7309,6 +7314,8 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+ 				 * there are multiple references.
+ 				 */
+ 				orig_lines->vector[ln]->vers = delvers;
++			}
++		    }
+ 		    break;
+ 	    }
+ 	}
+@@ -7328,21 +7335,20 @@ apply_rcs_changes (orig_lines, diffbuf, difflen, name, addvers, delvers)
+     else
+     {
+ 	/* add the rest of the remaining lines to the data vector */
+-	for (; lastmodline < numlines; lastmodline++)
++	while (lines.nlines < numlines)
+ 	{
+ 	    /* we need to copy from the orig structure into new one */
+-	    lines.vector[lastmodline] = orig_lines->vector[lastmodline
++	    lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
+ 							   + offset];
+-	    lines.vector[lastmodline]->refcount++;
++	    lines.vector[lines.nlines]->refcount++;
++	    lines.nlines++;
+ 	}
+ 
+ 	/* Move the lines vector to the original structure for output,
+ 	 * first deleting the old.
+ 	 */
+ 	linevector_free (orig_lines);
+-	orig_lines->vector = lines.vector;
+-	orig_lines->lines_alloced = numlines;
+-	orig_lines->nlines = lines.nlines;
++	*orig_lines = lines;
+     }
+ 
+     return !err;
+-- 
+1.7.2.3
+
diff --git a/dev-vcs/cvs/files/cvs-1.11.23-getline64.patch b/dev-vcs/cvs/files/cvs-1.11.23-getline64.patch
new file mode 100644
index 000000000000..f93fca465444
--- /dev/null
+++ b/dev-vcs/cvs/files/cvs-1.11.23-getline64.patch
@@ -0,0 +1,36 @@
+http://pkgs.fedoraproject.org/gitweb/?p=cvs.git;a=blob;f=cvs-1.11.23-getline64.patch;h=99942e0589e4ff26e87a927c1a54662954876e64;hb=HEAD
+
+--- cvs-1.11.23/lib/getline.c
++++ cvs-1.11.23/lib/getline.c
+@@ -154,7 +154,7 @@
+   return ret;
+ }
+ 
+-int
++ssize_t
+ getline (lineptr, n, stream)
+      char **lineptr;
+      size_t *n;
+@@ -163,7 +163,7 @@
+   return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
+ }
+ 
+-int
++ssize_t
+ getline_safe (lineptr, n, stream, limit)
+      char **lineptr;
+      size_t *n;
+--- cvs-1.11.23/lib/getline.h
++++ cvs-1.11.23/lib/getline.h
+@@ -11,9 +11,9 @@
+ 
+ #define GETLINE_NO_LIMIT -1
+ 
+-int
++ssize_t
+   getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
+-int
++ssize_t
+   getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
+                          int limit));
+ int