[cvs] Fix CVE-2012-0804

Petr Pisar ppisar at fedoraproject.org
Mon Feb 6 16:20:43 UTC 2012


commit 4a78c66c2067176a837e6994ba2524b92b4ed5d6
Author: Petr Písař <ppisar at redhat.com>
Date:   Tue Jan 17 18:06:23 2012 +0100

    Fix CVE-2012-0804

 cvs-1.11.23-Fix-proxy-response-parser.patch |   36 +++++++++++++++++++++++++++
 cvs.spec                                    |    8 +++++-
 2 files changed, 43 insertions(+), 1 deletions(-)
---
diff --git a/cvs-1.11.23-Fix-proxy-response-parser.patch b/cvs-1.11.23-Fix-proxy-response-parser.patch
new file mode 100644
index 0000000..437e245
--- /dev/null
+++ b/cvs-1.11.23-Fix-proxy-response-parser.patch
@@ -0,0 +1,36 @@
+From 73d49d17ce8db58e090f82719f7c9aad7340cbac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Tue, 17 Jan 2012 17:55:00 +0100
+Subject: [PATCH] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+---
+ src/client.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index d0abd41..80872be 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -3878,9 +3878,9 @@ proxy_connect (root, port_number)
+     
+     /* Wait for HTTP status code, bail out if you don't get back a 2xx code.*/
+     count = read_line (&read_buf);
+-    sscanf (read_buf, "%s %d", write_buf, &codenum);
++    count = sscanf (read_buf, "%*s %d", &codenum);
+     
+-    if ((codenum / 100) != 2)
++    if (count != 1 || (codenum / 100) != 2)
+ 	error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ 	       root->proxy_hostname, root->proxy_port);
+     free (read_buf);
+-- 
+1.7.7.5
+
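Review bot: The new `count = sscanf (read_buf, "%*s %d", &codenum);` line overwrites the value `read_line` returned one line earlier, so whatever `read_line` reports through its return value is never examined before `read_buf` reaches `sscanf`; if it can signal a short or failed read that way (its contract is outside this hunk), that case now flows into the parser unchecked. Keeping the two results in separate variables makes that visible, e.g. `int matched = sscanf (read_buf, "%*s %d", &codenum);` and `if (matched != 1 || (codenum / 100) != 2)`. The `%*s` conversion does remove the unbounded write into `write_buf`, and the `count != 1` test also stops `codenum` from being read uninitialized when the status line does not parse. A further hardening would be to parse the status with `strtol` plus a range check instead of `%d`, since an out-of-range value in `sscanf` is undefined behaviour. `proxy_connect` begins before and continues after this hunk.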
diff --git a/cvs.spec b/cvs.spec
index 2ebb07d..d4cc254 100644
--- a/cvs.spec
+++ b/cvs.spec
@@ -5,7 +5,7 @@
 
 Name: cvs
 Version: 1.11.23
-Release: 24%{?dist}
+Release: 25%{?dist}
 Summary: Concurrent Versions System
 Group: Development/Tools
 URL: http://cvs.nongnu.org/
@@ -63,6 +63,8 @@ Patch25: cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
 Patch26: cvs-1.11.23-Back-port-KeywordExpand-configuration-keyword.patch
 # bug #722972
 Patch27: cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch
+# CVE-2012-0804, bug #787683
+Patch28: cvs-1.11.23-Fix-proxy-response-parser.patch
 
 %description
 CVS (Concurrent Versions System) is a version control system that can
@@ -147,6 +149,7 @@ pages in PDF.
 %patch25 -p1 -b .set_pam_rhost
 %patch26 -p1 -b .keywordexpand
 %patch27 -p1 -b .gssapi_dns
+%patch28 -p1 -b .proxy_response_parser
 
 # Apply a patch to the generated files, OR
 # run autoreconf and require autoconf >= 2.58, automake >= 1.7.9
@@ -253,6 +256,9 @@ fi
 
 
 %changelog
+* Mon Feb 06 2012 Petr Pisar <ppisar at redhat.com> - 1.11.23-25
+- Fix CVE-2012-0804 (bug #787683)
+
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.11.23-24
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 

