Patch vulnerabilities in the CVS client and server:

A malicious CVS server could cause your CVS client to overwrite arbitrary files (CAN-2004-0180). When a CVS client uses the `-p' checkout option, the server could be fooled into checking out files from outside the given $CVSROOT. (This patch is applied in an unorthodox manner so as not to complicate a later vendor import of CVS.)
2004-04-14 16:40:50 +00:00 · 2004-04-14 16:40:50 +00:00 · 07ad9ba93d
commit 07ad9ba93d
parent 376040b33f
3 changed files with 65 additions and 2 deletions
--- a/gnu/usr.bin/cvs/cvs/Makefile
+++ b/gnu/usr.bin/cvs/cvs/Makefile
@ -13,12 +13,12 @@ PROG=	cvs
 MAN=	cvs.1 cvs.5

 SRCS=	add.c admin.c annotate.c buffer.c \
-	checkin.c checkout.c classify.c client.c \
+	checkin.c checkout.c classify.c client_P.c \
 	commit.c create_adm.c cvsrc.c diff.c edit.c entries.c error.c \
 	expand_path.c fileattr.c filesubr.c find_names.c \
 	hardlink.c hash.c history.c \
 	ignore.c import.c lock.c log.c login.c logmsg.c main.c mkmodules.c \
-	modules.c myndbm.c no_diff.c parseinfo.c patch.c prepend_args.c \
+	modules_P.c myndbm.c no_diff.c parseinfo.c patch.c prepend_args.c \
 	rcs.c rcscmds.c \
 	recurse.c release.c remove.c repos.c root.c run.c scramble.c \
 	server.c status.c subr.c tag.c update.c vers_ts.c version.c watch.c \
@ -62,4 +62,12 @@ regress:
 .endif
 .endif

+# XXX Temporary until next CVS import: patch security issues
+.for f in client modules
+CLEANFILES+=	${f}_P.c
+
+${f}_P.c:	${f}.c ${f}.patch
+	patch -t -s -p3 -o ${.TARGET} ${.ALLSRC:M*.c} ${.ALLSRC:M*.patch}
+.endfor
+
 .include <bsd.prog.mk>
--- a/gnu/usr.bin/cvs/cvs/client.patch
+++ b/gnu/usr.bin/cvs/cvs/client.patch
@ -0,0 +1,30 @@
+$FreeBSD$
+Index: contrib/cvs/src/client.c
+===================================================================
+RCS file: /home/ncvs/src/contrib/cvs/src/client.c,v
+retrieving revision 1.10
+diff -c -r1.10 client.c
+*** contrib/cvs/src/client.c	21 Jan 2003 22:01:38 -0000	1.10
+--- contrib/cvs/src/client.c	14 Apr 2004 15:51:51 -0000
+***************
+*** 1054,1059 ****
+--- 1054,1072 ----
+      char *rdirp;
+      int reposdirname_absolute;
+  
+     /* For security reasons, if PATHNAME is absolute or attemps to ascend
+      * outside of the current sanbbox, we abort.  The server should not send us
+      * anything but relative paths which remain inside the sandbox here.
+      * Anything less means a trojan CVS server could create and edit arbitrary
+      * files on the client.
+      */
+     if (isabsolute (pathname) || pathname_levels (pathname) > 0)
+     {
+ 	error (0, 0,
+ 		"Server attempted to update a file via an invalid pathname:");
+ 	error (1, 0, "`%s'.", pathname);
+     }
+ 
+      reposname = NULL;
+      read_line (&reposname);
+      assert (reposname != NULL);
--- a/gnu/usr.bin/cvs/cvs/modules.patch
+++ b/gnu/usr.bin/cvs/cvs/modules.patch
@ -0,0 +1,25 @@
+$FreeBSD$
+Index: contrib/cvs/src/modules.c
+===================================================================
+RCS file: /home/ncvs/src/contrib/cvs/src/modules.c,v
+retrieving revision 1.1.1.9
+diff -c -r1.1.1.9 modules.c
+*** contrib/cvs/src/modules.c	21 Jan 2004 16:27:56 -0000	1.1.1.9
+--- contrib/cvs/src/modules.c	14 Apr 2004 15:54:51 -0000
+***************
+*** 170,175 ****
+--- 170,183 ----
+      if (isabsolute (mname))
+  	error (1, 0, "Absolute module reference invalid: `%s'", mname);
+  
+     /* Similarly for directories that attempt to step above the root of the
+      * repository.
+      */
+     if (pathname_levels (mname) > 0)
+ 	error (1, 0, "up-level in module reference (`..') invalid: `%s'.",
+ 		mname);
+ 
+ 
+      /* if this is a directory to ignore, add it to that list */
+      if (mname[0] == '!' && mname[1] != '\0')
+      {