Hello community, here is the log from the commit of package cvs for openSUSE:Factory checked in at 2018-10-01 09:03:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cvs (Old) and /work/SRC/openSUSE:Factory/.cvs.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "cvs" Mon Oct 1 09:03:49 2018 rev:34 rq:636903 version:1.12.13 Changes: -------- --- /work/SRC/openSUSE:Factory/cvs/cvs.changes 2018-02-13 10:25:02.654517431 +0100 +++ /work/SRC/openSUSE:Factory/.cvs.new/cvs.changes 2018-10-01 09:03:52.923972356 +0200 @@ -1,0 +2,14 @@ +Wed Sep 19 15:32:59 UTC 2018 - josef.moellers@suse.com + +- Upgrade to 1.12.13 + This version fixes two security vulnerabilities in the zlib + compression libraries (see CERT vulnerabilities advisories + #238678 & #680620 for more info), several issues involving + potential data-loss on heavily loaded systems, some minor + potential crashes, hangs, and several minor annoyances in CVS + client and server behavior. + See also: + https://savannah.nongnu.org/forum/forum.php?forum_id=4046 + http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/NEWS?revision=1.341 + +------------------------------------------------------------------- Old: ---- cvs-1.12.12.tar.bz2 New: ---- cvs-1.12.13.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cvs.spec ++++++ --- /var/tmp/diff_new_pack.B5fPAE/_old 2018-10-01 09:03:53.899971511 +0200 +++ /var/tmp/diff_new_pack.B5fPAE/_new 2018-10-01 09:03:53.903971507 +0200 @@ -17,7 +17,7 @@ Name: cvs -Version: 1.12.12 +Version: 1.12.13 Release: 0 Summary: Concurrent Versions System License: GPL-2.0 @@ -90,7 +90,7 @@ %patch8 -p1 %patch10 %patch11 -p1 -%patch12 +%patch12 -p1 %patch16 %patch17 %patch18 
@@ -191,6 +191,7 @@ %{_datadir}/%{name}/contrib/rcslock %{_datadir}/%{name}/contrib/rcs-to-cvs %{_datadir}/%{name}/contrib/README +%{_datadir}/%{name}/contrib/rcs-5.7-commitid.patch %{_datadir}/%{name}/contrib/sandbox_status %{_datadir}/%{name}/contrib/validate_repo %attr(755,root,root) %{_datadir}/%{name}/contrib/sccs2rcs @@ -201,10 +202,7 @@ %files doc %defattr(-,root,root) %dir %{_defaultdocdir}/%{name} -%{_infodir}/cvs.info-*%{ext_info} -%{_infodir}/cvs.info%{ext_info} -%{_infodir}/cvsclient.info-*%{ext_info} -%{_infodir}/cvsclient.info%{ext_info} +%{_infodir}/*.info* %doc %{_datadir}/%{name}/contrib/intro.doc %doc %{_defaultdocdir}/%{name}/OpenSourceDevWithCVS_2E.pdf ++++++ 03cvs-client-exploit-fix.diff ++++++ --- /var/tmp/diff_new_pack.B5fPAE/_old 2018-10-01 09:03:53.927971487 +0200 +++ /var/tmp/diff_new_pack.B5fPAE/_new 2018-10-01 09:03:53.927971487 +0200 @@ -1,8 +1,8 @@ -Index: src/client.c -================================================================================ ---- src/client.c -+++ src/client.c -@@ -767,6 +767,19 @@ +Index: cvs-1.12.13/src/client.c +=================================================================== +--- cvs-1.12.13.orig/src/client.c ++++ cvs-1.12.13/src/client.c +@@ -750,6 +750,19 @@ call_in_directory (const char *pathname, assert (pathname); 
@@ -12,13 +12,13 @@ + * Anything less means a trojan CVS server could create and edit arbitrary + * files on the client. + */ -+ if (isabsolute (pathname) || pathname_levels (pathname) > 0) ++ if (ISABSOLUTE (pathname) || pathname_levels (pathname) > 0) + { -+ error (0, 0, ++ error (0, 0, + "Server attempted to update a file via an invalid pathname:"); + error (1, 0, "`%s'.", pathname); + } + reposname = NULL; read_line (&reposname); - assert (reposname != NULL); + assert (reposname); ++++++ cvs-1.12.12.tar.bz2 -> cvs-1.12.13.tar.bz2 ++++++ ++++ 157373 lines of diff (skipped) ++++++ cvs-format.patch ++++++ --- /var/tmp/diff_new_pack.B5fPAE/_old 2018-10-01 09:03:56.067969634 +0200 +++ /var/tmp/diff_new_pack.B5fPAE/_new 2018-10-01 09:03:56.071969631 +0200 @@ -1,6 +1,8 @@ ---- cvs-1.12.12/src/cvs.h -+++ cvs-1.12.12/src/cvs.h -@@ -566,7 +566,7 @@ +Index: cvs-1.12.13/src/cvs.h +=================================================================== +--- cvs-1.12.13.orig/src/cvs.h ++++ cvs-1.12.13/src/cvs.h +@@ -585,7 +585,7 @@ void cat_module (int status); void check_entries (char *dir); void close_module (DBM * db); void copy_file (const char *from, const char *to); @@ -9,14 +11,3 @@ int ign_name (char *name); void ign_add (char *ign, int hold); ---- cvs-1.12.12/src/subr.h -+++ cvs-1.12.12/src/subr.h -@@ -69,7 +69,7 @@ - #ifdef SUPPORT_OLD_INFO_FMT_STRINGS - char *format_cmdline (bool oldway, const char *srepos, const char *format, ...); - #else /* SUPPORT_OLD_INFO_FMT_STRINGS */ --char *format_cmdline (const char *format, ...); -+char *format_cmdline (const char *format, ...) __attribute__((__format__(printf,1,2))); - #endif /* SUPPORT_OLD_INFO_FMT_STRINGS */ - - bool isabsolute (const char *filename); ++++++ cvs-gnulib.diff ++++++ --- /var/tmp/diff_new_pack.B5fPAE/_old 2018-10-01 09:03:56.079969623 +0200 +++ /var/tmp/diff_new_pack.B5fPAE/_new 2018-10-01 09:03:56.079969623 +0200 
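Review bot: The rebased guard in call_in_directory now calls `ISABSOLUTE (pathname)` where the 1.12.12 version of this patch called `isabsolute (pathname)`, and nothing in the hunk records why the spelling changed. The cvs-format.patch section further down this page drops the `bool isabsolute (const char *filename);` prototype from subr.h, so presumably 1.12.13 replaced the function with a macro; before this line is relied on as the client-side defence against a server supplying paths outside the working directory, it is worth confirming that ISABSOLUTE rejects every absolute-path form the platform accepts (drive-letter prefixes on non-POSIX builds included), since a narrower macro would quietly weaken the check. I would add `/* ISABSOLUTE replaced isabsolute() in 1.12.13; it must reject every absolute form the platform accepts. */` above the `if`. The body of call_in_directory starts and ends outside this hunk.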
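Review bot: The rebased cvs-format.patch keeps its cvs.h hunk but drops the subr.h hunk entirely, so the `__attribute__((__format__(printf,1,2)))` annotation on `char *format_cmdline (const char *format, ...)` is no longer applied to 1.12.13. That annotation is what lets `-Wformat` catch a mismatched or non-literal format argument in a variadic helper that, judging by its name, builds command lines, and the removed lines show it was deliberately added for 1.12.12. Unless 1.12.13's subr.h already carries the attribute on that prototype (not visible here), the hunk should be re-applied at the prototype's new location, i.e. `char *format_cmdline (const char *format, ...) __attribute__((__format__(printf,1,2)));`.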
@@ -1,101 +1,6 @@ ---- m4/extensions.m4 -+++ m4/extensions.m4 -@@ -1,26 +1,82 @@ -+# serial 5 -*- Autoconf -*- - # Enable extensions on systems that normally disable them. - --# Copyright (C) 2003 Free Software Foundation, Inc. -+# Copyright (C) 2003, 2006-2008 Free Software Foundation, Inc. - # This file is free software; the Free Software Foundation - # gives unlimited permission to copy and/or distribute it, - # with or without modifications, as long as this notice is preserved. - --# gl_USE_SYSTEM_EXTENSIONS -+# This definition of AC_USE_SYSTEM_EXTENSIONS is stolen from CVS -+# Autoconf. Perhaps we can remove this once we can assume Autoconf -+# 2.62 or later everywhere, but since CVS Autoconf mutates rapidly -+# enough in this area it's likely we'll need to redefine -+# AC_USE_SYSTEM_EXTENSIONS for quite some time. -+ -+# AC_USE_SYSTEM_EXTENSIONS - # ------------------------ - # Enable extensions on systems that normally disable them, - # typically due to standards-conformance issues. --AC_DEFUN([gl_USE_SYSTEM_EXTENSIONS], [ -- AC_BEFORE([$0], [AC_COMPILE_IFELSE]) -- AC_BEFORE([$0], [AC_RUN_IFELSE]) -- -- AC_REQUIRE([AC_GNU_SOURCE]) -- AC_REQUIRE([AC_AIX]) -- AC_REQUIRE([AC_MINIX]) -+# Remember that #undef in AH_VERBATIM gets replaced with #define by -+# AC_DEFINE. The goal here is to define all known feature-enabling -+# macros, then, if reports of conflicts are made, disable macros that -+# cause problems on some platforms (such as __EXTENSIONS__). 
-+AC_DEFUN([AC_USE_SYSTEM_EXTENSIONS], -+[AC_BEFORE([$0], [AC_COMPILE_IFELSE])dnl -+AC_BEFORE([$0], [AC_RUN_IFELSE])dnl -+ -+ AC_CHECK_HEADER([minix/config.h], [MINIX=yes], [MINIX=]) -+ if test "$MINIX" = yes; then -+ AC_DEFINE([_POSIX_SOURCE], [1], -+ [Define to 1 if you need to in order for `stat' and other -+ things to work.]) -+ AC_DEFINE([_POSIX_1_SOURCE], [2], -+ [Define to 2 if the system does not provide POSIX.1 features -+ except with this defined.]) -+ AC_DEFINE([_MINIX], [1], -+ [Define to 1 if on MINIX.]) -+ fi - - AH_VERBATIM([__EXTENSIONS__], --[/* Enable extensions on Solaris. */ -+[/* Enable extensions on AIX 3, Interix. */ -+#ifndef _ALL_SOURCE -+# undef _ALL_SOURCE -+#endif -+/* Enable GNU extensions on systems that have them. */ -+#ifndef _GNU_SOURCE -+# undef _GNU_SOURCE -+#endif -+/* Enable threading extensions on Solaris. */ -+#ifndef _POSIX_PTHREAD_SEMANTICS -+# undef _POSIX_PTHREAD_SEMANTICS -+#endif -+/* Enable extensions on HP NonStop. */ -+#ifndef _TANDEM_SOURCE -+# undef _TANDEM_SOURCE -+#endif -+/* Enable general extensions on Solaris. */ - #ifndef __EXTENSIONS__ - # undef __EXTENSIONS__ --#endif]) -- AC_DEFINE([__EXTENSIONS__]) -+#endif - ]) -+ AC_CACHE_CHECK([whether it is safe to define __EXTENSIONS__], -+ [ac_cv_safe_to_define___extensions__], -+ [AC_COMPILE_IFELSE( -+ [AC_LANG_PROGRAM([[ -+# define __EXTENSIONS__ 1 -+ ]AC_INCLUDES_DEFAULT])], -+ [ac_cv_safe_to_define___extensions__=yes], -+ [ac_cv_safe_to_define___extensions__=no])]) -+ test $ac_cv_safe_to_define___extensions__ = yes && -+ AC_DEFINE([__EXTENSIONS__]) -+ AC_DEFINE([_ALL_SOURCE]) -+ AC_DEFINE([_GNU_SOURCE]) -+ AC_DEFINE([_POSIX_PTHREAD_SEMANTICS]) -+ AC_DEFINE([_TANDEM_SOURCE]) -+])# AC_USE_SYSTEM_EXTENSIONS -+ -+# gl_USE_SYSTEM_EXTENSIONS -+# ------------------------ -+# Enable extensions on systems that normally disable them, -+# typically due to standards-conformance issues. 
-+AC_DEFUN([gl_USE_SYSTEM_EXTENSIONS], -+ [AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS])]) ---- m4/mktime.m4 +Index: m4/mktime.m4 +=================================================================== +--- m4/mktime.m4.orig +++ m4/mktime.m4 @@ -14,31 +14,30 @@ dnl From Jim Meyering. # -------------- 
@@ -298,3 +203,106 @@ }]])], [ac_cv_func_working_mktime=yes], [ac_cv_func_working_mktime=no], +Index: m4/extensions.m4 +=================================================================== +--- m4/extensions.m4.orig ++++ m4/extensions.m4 +@@ -1,30 +1,86 @@ ++# serial 5 -*- Autoconf -*- + # Enable extensions on systems that normally disable them. + +-# Copyright (C) 2003 Free Software Foundation, Inc. ++# Copyright (C) 2003, 2006-2008 Free Software Foundation, Inc. + # This file is free software; the Free Software Foundation + # gives unlimited permission to copy and/or distribute it, + # with or without modifications, as long as this notice is preserved. + +-# gl_USE_SYSTEM_EXTENSIONS ++# This definition of AC_USE_SYSTEM_EXTENSIONS is stolen from CVS ++# Autoconf. Perhaps we can remove this once we can assume Autoconf ++# 2.62 or later everywhere, but since CVS Autoconf mutates rapidly ++# enough in this area it's likely we'll need to redefine ++# AC_USE_SYSTEM_EXTENSIONS for quite some time. ++ ++# AC_USE_SYSTEM_EXTENSIONS + # ------------------------ + # Enable extensions on systems that normally disable them, + # typically due to standards-conformance issues. +-AC_DEFUN([gl_USE_SYSTEM_EXTENSIONS], [ +- AC_BEFORE([$0], [AC_COMPILE_IFELSE]) +- AC_BEFORE([$0], [AC_RUN_IFELSE]) +- +- AC_REQUIRE([AC_GNU_SOURCE]) +- AC_REQUIRE([AC_AIX]) +- AC_REQUIRE([AC_MINIX]) ++# Remember that #undef in AH_VERBATIM gets replaced with #define by ++# AC_DEFINE. The goal here is to define all known feature-enabling ++# macros, then, if reports of conflicts are made, disable macros that ++# cause problems on some platforms (such as __EXTENSIONS__). 
++AC_DEFUN([AC_USE_SYSTEM_EXTENSIONS], ++[AC_BEFORE([$0], [AC_COMPILE_IFELSE])dnl ++AC_BEFORE([$0], [AC_RUN_IFELSE])dnl ++ ++ AC_CHECK_HEADER([minix/config.h], [MINIX=yes], [MINIX=]) ++ if test "$MINIX" = yes; then ++ AC_DEFINE([_POSIX_SOURCE], [1], ++ [Define to 1 if you need to in order for `stat' and other ++ things to work.]) ++ AC_DEFINE([_POSIX_1_SOURCE], [2], ++ [Define to 2 if the system does not provide POSIX.1 features ++ except with this defined.]) ++ AC_DEFINE([_MINIX], [1], ++ [Define to 1 if on MINIX.]) ++ fi + + AH_VERBATIM([__EXTENSIONS__], +-[/* Enable extensions on Solaris. */ ++[/* Enable extensions on AIX 3, Interix. */ ++#ifndef _ALL_SOURCE ++# undef _ALL_SOURCE ++#endif ++/* Enable GNU extensions on systems that have them. */ ++#ifndef _GNU_SOURCE ++# undef _GNU_SOURCE ++#endif ++/* Enable threading extensions on Solaris. */ ++#ifndef _POSIX_PTHREAD_SEMANTICS ++# undef _POSIX_PTHREAD_SEMANTICS ++#endif ++/* Enable extensions on HP NonStop. */ ++#ifndef _TANDEM_SOURCE ++# undef _TANDEM_SOURCE ++#endif ++/* Enable general extensions on Solaris. 
*/ + #ifndef __EXTENSIONS__ + # undef __EXTENSIONS__ + #endif + #ifndef _POSIX_PTHREAD_SEMANTICS + # undef _POSIX_PTHREAD_SEMANTICS +-#endif]) +- AC_DEFINE([__EXTENSIONS__]) + AC_DEFINE([_POSIX_PTHREAD_SEMANTICS]) ++ #endif + ]) ++ AC_CACHE_CHECK([whether it is safe to define __EXTENSIONS__], ++ [ac_cv_safe_to_define___extensions__], ++ [AC_COMPILE_IFELSE( ++ [AC_LANG_PROGRAM([[ ++# define __EXTENSIONS__ 1 ++ ]AC_INCLUDES_DEFAULT])], ++ [ac_cv_safe_to_define___extensions__=yes], ++ [ac_cv_safe_to_define___extensions__=no])]) ++ test $ac_cv_safe_to_define___extensions__ = yes && ++ AC_DEFINE([__EXTENSIONS__]) ++ AC_DEFINE([_ALL_SOURCE]) ++ AC_DEFINE([_GNU_SOURCE]) ++ AC_DEFINE([_POSIX_PTHREAD_SEMANTICS]) ++ AC_DEFINE([_TANDEM_SOURCE]) ++])# AC_USE_SYSTEM_EXTENSIONS ++ ++# gl_USE_SYSTEM_EXTENSIONS ++# ------------------------ ++# Enable extensions on systems that normally disable them, ++# typically due to standards-conformance issues. ++AC_DEFUN([gl_USE_SYSTEM_EXTENSIONS], ++ [AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS])]) ++++++ cvs-useless-asnprintf.diff ++++++ --- /var/tmp/diff_new_pack.B5fPAE/_old 2018-10-01 09:03:56.107969600 +0200 +++ /var/tmp/diff_new_pack.B5fPAE/_new 2018-10-01 09:03:56.111969596 +0200 @@ -1,16 +1,20 @@ ---- m4/gnulib.m4 -+++ m4/gnulib.m4 -@@ -80,7 +80,6 @@ - gl_TIMESPEC +Index: m4/gnulib-comp.m4 +=================================================================== +--- m4/gnulib-comp.m4.orig ++++ m4/gnulib-comp.m4 +@@ -102,7 +102,6 @@ AC_DEFUN([gl_INIT], gl_FUNC_TZSET_CLOBBER + gl_UNISTD_SAFER gl_FUNC_GLIBC_UNLOCKED_IO - gl_FUNC_VASNPRINTF gl_FUNC_VASPRINTF gl_XALLOC gl_XGETCWD ---- src/error.c +Index: src/error.c +=================================================================== +--- src/error.c.orig +++ src/error.c -@@ -111,24 +111,14 @@ +@@ -111,28 +111,17 @@ error (int status, int errnum, const cha int save_errno = errno; /* Various buffers we attempt to use to generate the error message. */ 
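Review bot: In the rebased extensions.m4 hunk the inner diff removes `#endif])` and `AC_DEFINE([__EXTENSIONS__])` but keeps `AC_DEFINE([_POSIX_PTHREAD_SEMANTICS])` as context and only then adds `#endif` before the closing `])`, so as far as the collapsed hunk can be read the AC_DEFINE line now sits inside the AH_VERBATIM argument instead of after it. That would either leave literal `AC_DEFINE(...)` text in config.h.in or expand it in the wrong context, and the verbatim block also ends up with two `#ifndef _POSIX_PTHREAD_SEMANTICS` guards because the same hunk adds one earlier; the 1.12.12 version of this patch in the @@ -1,101 +1,6 @@ hunk above shows the intended shape. The inner hunk should drop the `AC_DEFINE([_POSIX_PTHREAD_SEMANTICS])` context line from the verbatim text, restore `#endif])` in its place, and rely on the `AC_DEFINE([_POSIX_PTHREAD_SEMANTICS])` it already adds after the `__EXTENSIONS__` cache check. Running autoreconf on the patched tree and diffing config.h.in against the unpatched one would confirm the fix.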
@@ -23,6 +27,10 @@ - char *cmdbuf; - char *emptybuf = ""; - + static const char *last_message = NULL; + static int last_status; + static int last_errnum; +- - /* Initialize these to avoid a lot of special case error handling. */ - buf = statbuf; - buf2 = statbuf2; @@ -30,14 +38,14 @@ + char *cmdbuf = 0; /* Expand the message the user passed us. */ - va_start (args, message); - length = sizeof (statbuf); + va_start (args, message); - buf = vasnprintf (statbuf, &length, message, args); + length = vasprintf (&buf, message, args); va_end (args); if (!buf) goto memerror; -@@ -141,21 +131,19 @@ +@@ -145,21 +134,19 @@ error (int status, int errnum, const cha */ if (cvs_cmd_name) { @@ -65,8 +73,8 @@ + errnum ? ": " : "", errnum ? strerror (errnum) : ""); if (!buf2) goto memerror; - /* Send the final message to the client or log it. */ -@@ -166,9 +154,9 @@ + /* Send the final message to the client or log it. +@@ -183,9 +170,9 @@ error (int status, int errnum, const cha exit (EXIT_FAILURE); /* Free anything we may have allocated. */ @@ -79,9 +87,11 @@ /* Restore errno per our charter. */ errno = save_errno; ---- src/subr.c +Index: src/subr.c +=================================================================== +--- src/subr.c.orig +++ src/subr.c -@@ -1881,8 +1881,8 @@ +@@ -1819,8 +1819,8 @@ Xasnprintf (char *resultbuf, size_t *len char *result; va_start (args, format);
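Review bot: In the error.c part of the rebased patch the code still tests `if (!buf) goto memerror;` right after `length = vasprintf (&buf, message, args);`, but vasprintf signals failure through a negative return value and glibc documents the pointer's contents as undefined on failure, so the test can miss an allocation failure and continue formatting with whatever `buf` held. The return value is already captured in `length`, so the check should read `if (length < 0) goto memerror;`. The `if (!buf2) goto memerror;` test in the @@ -65,8 +73,8 @@ hunk presumably needs the same treatment, though the call that fills buf2 is not visible here. The `char *buf` declaration and the remainder of error() lie outside these hunks.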