aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTBK <tbk@jjtc.eu>2020-02-25 21:51:16 +0100
committerLeo <thinkabit.ukim@gmail.com>2020-02-25 20:16:27 -0300
commitea612159fb42a3276203bef5c374da467d8b049b (patch)
treec6d144356ed67e75c38c7b6b57954fa8e9121c76
parentb30dfc39bf73986c9e85cb54f9e09f28cd5b942f (diff)
downloadaports-ea612159fb42a3276203bef5c374da467d8b049b.tar.gz
aports-ea612159fb42a3276203bef5c374da467d8b049b.tar.bz2
aports-ea612159fb42a3276203bef5c374da467d8b049b.tar.xz
main/cvs: security upgrade to 1.12.12
Most distros uses 1.12.13 (https://repology.org/project/cvs/versions) but according to Gentoo it is usable, so following Gentoo (https://bugs.gentoo.org/124733) 1.12.12 is the way forward. CVEs: * CVE-2010-3846 - https://bugzilla.redhat.com/show_bug.cgi?id=642146 * CVE-2012-0804 - https://security-tracker.debian.org/tracker/CVE-2012-0804 * CVE-2017-12836 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10
-rw-r--r--main/cvs/APKBUILD73
-rw-r--r--main/cvs/CVE-2017-12836.patch38
-rw-r--r--main/cvs/cvs-1.12.12-CVE-2012-0804.patch30
-rw-r--r--main/cvs/cvs-1.12.12-block-requests.patch140
-rw-r--r--main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch22
-rw-r--r--main/cvs/cvs-1.12.12-fix-massive-leak.patch52
-rw-r--r--main/cvs/cvs-1.12.12-format-security.patch22
-rw-r--r--main/cvs/cvs-1.12.12-getdelim.patch21
-rw-r--r--main/cvs/cvs-1.12.12-hash-nameclash.patch42
-rw-r--r--main/cvs/cvs-1.12.12-install-sh.patch12
-rw-r--r--main/cvs/cvs-1.12.12-mktime-configure.patch201
-rw-r--r--main/cvs/cvs-1.12.12-mktime-x32.patch29
-rw-r--r--main/cvs/cvs-1.12.12-musl.patch13
-rw-r--r--main/cvs/cvs-1.12.12-openat.patch21
-rw-r--r--main/cvs/cvs-1.12.12-rcs2log-coreutils.patch14
-rw-r--r--main/cvs/cvs-musl.patch27
16 files changed, 704 insertions, 53 deletions
diff --git a/main/cvs/APKBUILD b/main/cvs/APKBUILD
index b11d7ac61e..633f98b061 100644
--- a/main/cvs/APKBUILD
+++ b/main/cvs/APKBUILD
@@ -1,33 +1,43 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cvs
-pkgver=1.11.23
+pkgver=1.12.12
pkgrel=0
pkgdesc="Concurrent Versions System"
-url="http://www.nongnu.org/cvs/"
+url="https://www.nongnu.org/cvs/"
arch="all"
license="GPL-2.0-or-later"
-depends=""
+options="!check" # Tests fail - src/lib/test-getdate.sh
makedepends="zlib-dev"
-install=
subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
- cvs-musl.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/cvs-$pkgver.tar.gz
+ cvs-1.12.12-cvsbug-tmpfix.patch
+ cvs-1.12.12-openat.patch
+ cvs-1.12.12-block-requests.patch
+ cvs-1.12.12-install-sh.patch
+ cvs-1.12.12-hash-nameclash.patch
+ cvs-1.12.12-getdelim.patch
+ cvs-1.12.12-rcs2log-coreutils.patch
+ cvs-1.12.12-mktime-x32.patch
+ cvs-1.12.12-fix-massive-leak.patch
+ cvs-1.12.12-mktime-configure.patch
+ cvs-1.12.12-CVE-2012-0804.patch
+ cvs-1.12.12-format-security.patch
+ cvs-1.12.12-musl.patch
+ CVE-2017-12836.patch
"
-_builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.12.12-r0:
+# - CVE-2010-3846
+# - CVE-2012-0804
+# - CVE-2017-12836
prepare() {
- local i
- cd "$_builddir"
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
+ default_prepare
+ update_config_sub
}
build() {
- cd "$_builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
@@ -36,19 +46,30 @@ build() {
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--with-external-zlib \
- --with-tmpdir=/tmp \
- || return 1
- make || return 1
+ --with-tmpdir=/tmp
+ make
+}
+
+check() {
+ make check
}
package() {
- cd "$_builddir"
- make -j1 DESTDIR="$pkgdir" install
+ make DESTDIR="$pkgdir" install
}
-md5sums="bf185eb51b5918330a04671c3f3cccde cvs-1.11.23.tar.gz
-3b51f4b2b94b83666f9e105038222cd8 cvs-musl.patch"
-sha256sums="0ad692e3c22e4b33274a53ad22a194deb3024ec833b9e87ad7968d9b0b58cdcf cvs-1.11.23.tar.gz
-b5b687e9c5349fbb15e82ca1f99d9227432f6be29a55b7ca22bd9b1c8b6f08d5 cvs-musl.patch"
-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245 cvs-musl.patch"
+sha512sums="36cae30bbd075773d260fd8d0170335d37ba4b6dd09056465290df5c14cd7c39a18931d70761d98e2bd989798b013e372603e94c252b4062c56c3ab53251a1fb cvs-1.12.12.tar.gz
+29014631f5595dbf51a47032a19a23e545190dd8d40d77a71d363cee07a9ae38263b67db52a512436a9a7b37a7f5ff4daafa4a0a9f3c29bcfeb71ecff74408b7 cvs-1.12.12-cvsbug-tmpfix.patch
+b0a7abc785169705d2f0668a8af706f93ee3eba3d050d555689577962283e54f6bd186e662b64c65f926cf72dff76a37259181338707d641ee0f20591ba62805 cvs-1.12.12-openat.patch
+541545ffc64c4f2303b7e8f6cae2cdff0437452e4bcf94b2149d51e43710096e17f024c1a8ed32433560ea51ecef2aba2f3e6bfaef8fa9e4ad2f2436649884d1 cvs-1.12.12-block-requests.patch
+7e468d41c1eb23c0a62b605e6e48cffc004e8f386a87a9696dd73b36702c74aad529f5cba7280dee1100027b6e1e907adad257cc446ca3ad734fa40d47e4ff72 cvs-1.12.12-install-sh.patch
+dcd612dcc4b008c0fbabd74bcc179e69ebaed31a9f6622127061194a8ed99549502fbc0bffc75cc87aed26f7fe46215da81438c3a797e2179ed3da8e0b5ebdbb cvs-1.12.12-hash-nameclash.patch
+181b5daa6e103218e3fc1629a0b5f74daad613cdbe530655eff32479e4b9f32d067e60a82107efdbb129f917ee0626d274fb65555c66d907c997bf01fa262bdb cvs-1.12.12-getdelim.patch
+73c3506fa670b00ac52363efa2a2fa34203108d3dc112400e52f78eb7d83967cf49b11280d6c27a461f79a9c38317b41b26dd1f67d10229dbcb6c2ad9d43b521 cvs-1.12.12-rcs2log-coreutils.patch
+4a58c0f94de8e19c2de1930b7e5e04816e79a86885c89b792616a4c43f6e12aef271005ae59ae0d5788a910ba97735ccdf35f0ef5faafc2e3c50a9858b8f6216 cvs-1.12.12-mktime-x32.patch
+c4c9026e971f3da49cefce102b57bc681427a708ec8caa185df1234fd2a95090c8dc8cbf84374a762fdef7002d658cd4b52450429664cb3a1bfbda63d31c78a7 cvs-1.12.12-fix-massive-leak.patch
+10b29450d5d0a6a02d92812b919edbba2b86f2217aa54896b44358edb2eb8d8d6111b5c5db39faa50ef1f9a86ed1ee190332629f33402ad8cd8082b77547f486 cvs-1.12.12-mktime-configure.patch
+4f86f75f59caf4ef7e83964ec2d9c93575ccdcb031b1a6a1774a2a80ab7d6f278b3d27c4ab9270b91edf457a0195d702e3bd20da17c167b3f204fd9d8980b720 cvs-1.12.12-CVE-2012-0804.patch
+34f16defa5ab03ca2efcdea27269a37e27510d235bc4efd7a91871c2ae32fe9b922a51f3b87bcfec988964f8ae50d4649d7876937e25352836d5274ce88eea13 cvs-1.12.12-format-security.patch
+1c14b89dccee3130cc4ff881b7204f01dd8e14d1767e21d30b879df17a368a0f6bc7d3945872f8a6adcf47e34c3e48b9f2c0c0c90cccbf10fa935690a57f5e20 cvs-1.12.12-musl.patch
+1daf3d26acabe5e1f46331595f95f62a3bc7ffd28dfb063cfc8c9eec3f13f67ad32ba236ea4ff5f3180a10996ac5c902473d4a34226f9706f3b008b0c55491ea CVE-2017-12836.patch"
diff --git a/main/cvs/CVE-2017-12836.patch b/main/cvs/CVE-2017-12836.patch
new file mode 100644
index 0000000000..b20a88b667
--- /dev/null
+++ b/main/cvs/CVE-2017-12836.patch
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix CVE-2017-12836
+From: Thorsten Glaser <tg@mirbsd.de>
+
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -53,9 +53,10 @@
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+- "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++ "--", "host", "cvs", "-R", "server", and NULL.
++ We leave some room to grow. */
++ char *rsh_argv[16];
+
+ if (!cvs_rsh)
+ /* People sometimes suggest or assume that this should default
+@@ -97,6 +98,9 @@
+ rsh_argv[i++] = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ rsh_argv[i++] = "server";
+@@ -171,6 +175,8 @@
+ *p++ = root->username;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
diff --git a/main/cvs/cvs-1.12.12-CVE-2012-0804.patch b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
new file mode 100644
index 0000000000..107c3ea122
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
@@ -0,0 +1,30 @@
+[CVE-2012-0804] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+
+Index: src/client.c
+===================================================================
+RCS file: /sources/cvs/ccvs/src/client.c,v
+retrieving revision 1.483
+diff -u -r1.483 client.c
+--- a/src/client.c 18 Nov 2008 22:59:02 -0000 1.483
++++ b/src/client.c 26 Jan 2012 16:32:25 -0000
+@@ -4339,9 +4339,9 @@
+ * code.
+ */
+ read_line_via (from_server, to_server, &read_buf);
+- sscanf (read_buf, "%s %d", write_buf, &codenum);
++ count = sscanf (read_buf, "%*s %d", &codenum);
+
+- if ((codenum / 100) != 2)
++ if (count != 1 || (codenum / 100) != 2)
+ error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ root->proxy_hostname, proxy_port_number);
+ free (read_buf);
diff --git a/main/cvs/cvs-1.12.12-block-requests.patch b/main/cvs/cvs-1.12.12-block-requests.patch
new file mode 100644
index 0000000000..9c9b49db8f
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-block-requests.patch
@@ -0,0 +1,140 @@
+Author: Robin H. Johnson <robbat2@gentoo.org>
+Date: 2006-08-09
+
+This patch allows a CVS server to deny usage of specific commands, based on
+input in the environment.
+
+Just set the CVS_BLOCK_REQUESTS env var with all of the commands you want,
+seperated by spaces. Eg:
+CVS_BLOCK_REQUESTS="Gzip-stream gzip-file-contents"
+would block ALL usage of compression.
+
+Please see the array 'struct request requests[]' in src/server.c for a full
+list of commands.
+
+Please note that if you block any commands marked as RQ_ESSENTIAL, CVS clients
+may fail! (This includes 'ci'!).
+
+See the companion cvs-custom.c for a wrapper that can enforce the environment variable for pserver setups.
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+diff -Nuar --exclude '*~' -U 10 cvs-1.12.12.orig/src/server.c cvs-1.12.12/src/server.c
+--- cvs-1.12.12.orig/src/server.c 2005-04-14 14:13:29.000000000 +0000
++++ cvs-1.12.12/src/server.c 2006-08-09 01:40:44.000000000 +0000
+@@ -5836,43 +5836,90 @@
+ #undef REQ_LINE
+ };
+ #endif /* SERVER_SUPPORT or CLIENT_SUPPORT */
+
+
+
+ #ifdef SERVER_SUPPORT
+ /*
+ * This server request is not ignored by the secondary.
+ */
++
++/* Hack by Robin H. Johnson <robbat2@gentoo.org>.
++ * Allow the server ENV to specify what request types are to be ignored.
++ */
++
++static char blocked_requests[BUFSIZ] = " ";
++
++static void build_blocked_requests() {
++ char *tmp = getenv("CVS_BLOCK_REQUESTS");
++
++ if (tmp != NULL && strlen(tmp) > 0) {
++ // move to our custom buffer
++ strncat(blocked_requests, tmp, sizeof(blocked_requests)-strlen(blocked_requests));
++ //add a space on the end as well for searching
++ strncat(blocked_requests, " ", sizeof(blocked_requests)-strlen(blocked_requests));
++ }
++
++ // now blocked_requests contains the list of every request that we do not
++ // want to serve
++}
++
++// returns 0 if we should serve this request
++// use as if(checker(FOO)) continue;
++static int serve_valid_requests_checker(char *reqname) {
++ char needle[BUFSIZ] = " ";
++ char *tmp;
++
++ if(!blocked_requests || strlen(blocked_requests) < 2)
++ return 0;
++
++ // we want to look for ' 'reqname' '
++ snprintf(needle, sizeof(needle), " %s ", reqname);
++
++ // now do the search
++ tmp = strstr(blocked_requests, needle);
++
++ if (tmp != NULL)
++ return 1;
++
++ return 0;
++
++}
++
+ static void
+ serve_valid_requests (char *arg)
+ {
+ struct request *rq;
+
+ /* Since this is processed in the first pass, don't reprocess it in the
+ * second.
+ *
+ * We still print errors since new errors could have been generated in the
+ * second pass.
+ */
+ if (print_pending_error ()
+ #ifdef PROXY_SUPPORT
+ || reprocessing
+ #endif /* PROXY_SUPPORT */
+ )
+ return;
++
++ build_blocked_requests();
+
+ buf_output0 (buf_to_net, "Valid-requests");
+ for (rq = requests; rq->name != NULL; rq++)
+ {
+ if (rq->func != NULL)
+ {
++ if(serve_valid_requests_checker(rq->name))
++ continue;
+ buf_append_char (buf_to_net, ' ');
+ buf_output0 (buf_to_net, rq->name);
+ }
+ }
+ buf_output0 (buf_to_net, "\nok\n");
+
+ /* The client is waiting for the list of valid requests, so we
+ must send the output now. */
+ buf_flush (buf_to_net, 1);
+ }
+@@ -6353,20 +6400,24 @@
+ cmd += len;
+ else if (cmd[len] == ' ')
+ cmd += len + 1;
+ else
+ /*
+ * The first len characters match, but it's a different
+ * command. e.g. the command is "cooperate" but we matched
+ * "co".
+ */
+ continue;
++ // Ignore commands that we are supposed to ignore.
++ if(serve_valid_requests_checker(rq->name))
++ continue;
++
+
+ if (!(rq->flags & RQ_ROOTLESS)
+ && current_parsed_root == NULL)
+ {
+ /* For commands which change the way in which data
+ is sent and received, for example Gzip-stream,
+ this does the wrong thing. Since the client
+ assumes that everything is being compressed,
+ unconditionally, there is no way to give this
+ error to the client without turning on
diff --git a/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
new file mode 100644
index 0000000000..fcd4431e87
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
@@ -0,0 +1,22 @@
+Index: cvs-1.12.12/src/cvsbug.in
+===================================================================
+--- cvs-1.12.12.orig/src/cvsbug.in
++++ cvs-1.12.12/src/cvsbug.in
+@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
+ /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
+ cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+ ORIGINATOR="`cat $TEMP`"
+- rm -f $TEMP
++ > $TEMP
+ fi
+ fi
+
+ if [ "$ORIGINATOR" = "" ]; then
+ grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+ ORIGINATOR="`cat $TEMP`"
+- rm -f $TEMP
++ > $TEMP
+ fi
+
+ if [ -n "$ORGANIZATION" ]; then
+
diff --git a/main/cvs/cvs-1.12.12-fix-massive-leak.patch b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
new file mode 100644
index 0000000000..5366f50855
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
@@ -0,0 +1,52 @@
+buf_free_data must free data independently
+of send or reseived bytes over network.
+
+Moreover, when buffer is usually freed
+buffer _is_ empty, but has one clean mapped page.
+
+I've observed massive 'cvs server' leaks
+when importing large gentoo-x86 repo with 'cvsps'.
+Leak ate all my 32GBs of RAM and killed process.
+(Leaked around 3 pages per client request).
+
+valgrind found the leak easily:
+
+$ valgrind \
+ cvsps \
+ --root :local:$HOME/portage/gentoo-x86.rsync \
+ --fast-export \
+ gentoo-x86/dev-vcs/git-annex 2>l |
+ git fast-import
+
+ ==13504== 1,248 bytes in 52 blocks are still reachable in loss record 41 of 47
+ ==13504== at 0x4C2C19B: malloc (vg_replace_malloc.c:270)
+ ==13504== by 0x48A556: xnmalloc_inline (xmalloc.c:40)
+ ==13504== by 0x48A5B5: xmalloc (xmalloc.c:56)
+ ==13504== by 0x4855F5: new_memnode (pagealign_alloc.c:91)
+ ==13504== by 0x48571B: pagealign_alloc (pagealign_alloc.c:151)
+ ==13504== by 0x485739: pagealign_xalloc (pagealign_alloc.c:182)
+ ==13504== by 0x408DD7: get_buffer_data (buffer.c:98)
+ ==13504== by 0x409C0C: buf_input_data (buffer.c:738)
+ ==13504== by 0x45BB63: do_cvs_command (server.c:3847)
+ ==13504== by 0x45D39E: serve_co (server.c:4809)
+ ==13504== by 0x45F845: server (server.c:6438)
+ ==13504== by 0x438784: main (main.c:1066)
+
+And now it takes constant space (less, than 18MB)
+for 'cvs server' process to convert all gentoo-x86
+by serving more, than 5 000 000 client requests.
+
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+diff --git a/src/buffer.c b/src/buffer.c
+index 3f12513..9a7a559 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -526,7 +526,7 @@ buf_copy_data (struct buffer *buf, struct buffer_data *data,
+ void
+ buf_free_data (struct buffer *buffer)
+ {
+- if (buf_empty_p (buffer)) return;
++ if (! buffer->data) return;
+ buf_free_datas (buffer->data, buffer->last);
+ buffer->data = buffer->last = NULL;
+ }
diff --git a/main/cvs/cvs-1.12.12-format-security.patch b/main/cvs/cvs-1.12.12-format-security.patch
new file mode 100644
index 0000000000..d710a90207
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-format-security.patch
@@ -0,0 +1,22 @@
+--- a/diff/diff3.c
++++ b/diff/diff3.c
+@@ -1503,7 +1503,7 @@
+ line = 0;
+ do
+ {
+- printf_output (line_prefix);
++ printf_output ("%s", line_prefix);
+ cp = D_RELNUM (ptr, realfile, line);
+ length = D_RELLEN (ptr, realfile, line);
+ write_output (cp, length);
+--- a/src/main.c
++++ b/src/main.c
+@@ -1375,7 +1375,7 @@
+ {
+ (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);
+ for (; *cpp; cpp++)
+- (void) fprintf (stderr, *cpp);
++ (void) fprintf (stderr, "%s", *cpp);
+ exit (EXIT_FAILURE);
+ }
+
diff --git a/main/cvs/cvs-1.12.12-getdelim.patch b/main/cvs/cvs-1.12.12-getdelim.patch
new file mode 100644
index 0000000000..837d4408ab
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-getdelim.patch
@@ -0,0 +1,21 @@
+The function getdelim() behaves slightly different on FreeBSD,
+only appending to the *line buffer if line_size is 0.
+
+See:
+https://savannah.nongnu.org/bugs/?29466
+http://bugs.gentoo.org/314791
+
+Already comitted upstream:
+http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39
+
+--- a/src/myndbm.c.orig
++++ b/src/myndbm.c
+@@ -213,7 +213,7 @@
+ mydbm_load_file (FILE *fp, List *list, char *filename)
+ {
+ char *line = NULL;
+- size_t line_size;
++ size_t line_size = 0;
+ char *value;
+ size_t value_allocated;
+ char *cp, *vp;
diff --git a/main/cvs/cvs-1.12.12-hash-nameclash.patch b/main/cvs/cvs-1.12.12-hash-nameclash.patch
new file mode 100644
index 0000000000..95fd61e0a5
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-hash-nameclash.patch
@@ -0,0 +1,42 @@
+http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch
+fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a
+
+--- a/src/hash.h.orig 2005-02-01 22:56:48 +0100
++++ b/src/hash.h 2010-03-10 19:00:11 +0100
+@@ -27,26 +27,26 @@
+ };
+ typedef enum ntype Ntype;
+
+-struct node
++struct hashnode
+ {
+ Ntype type;
+- struct node *next;
+- struct node *prev;
+- struct node *hashnext;
+- struct node *hashprev;
++ struct hashnode *next;
++ struct hashnode *prev;
++ struct hashnode *hashnext;
++ struct hashnode *hashprev;
+ char *key;
+ void *data;
+- void (*delproc) (struct node *);
++ void (*delproc) (struct hashnode *);
+ };
+-typedef struct node Node;
++typedef struct hashnode Node;
+
+-struct list
++struct hashlist
+ {
+ Node *list;
+ Node *hasharray[HASHSIZE];
+- struct list *next;
++ struct hashlist *next;
+ };
+-typedef struct list List;
++typedef struct hashlist List;
+
+ List *getlist (void);
+ Node *findnode (List * list, const char *key);
diff --git a/main/cvs/cvs-1.12.12-install-sh.patch b/main/cvs/cvs-1.12.12-install-sh.patch
new file mode 100644
index 0000000000..825c0ee6f1
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-install-sh.patch
@@ -0,0 +1,12 @@
+diff -ur a/build-aux/install-sh b/build-aux/install-sh
+--- a/build-aux/install-sh 2006-03-25 20:04:46 +0000
++++ b/build-aux/install-sh 2007-09-14 10:53:29 +0100
+@@ -246,7 +246,7 @@
+ fi
+
+ if test -n "$dir_arg"; then
+- $doit $mkdircmd "$dst" \
++ { test -d "$dst" || $doit $mkdircmd -p "$dst"; } \
+ && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
diff --git a/main/cvs/cvs-1.12.12-mktime-configure.patch b/main/cvs/cvs-1.12.12-mktime-configure.patch
new file mode 100644
index 0000000000..03d7f35601
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-configure.patch
@@ -0,0 +1,201 @@
+https://bugs.gentoo.org/220040
+https://bugs.gentoo.org/570208
+
+update mktime check to latest autoconf version which is less buggy
+
+--- a/configure
++++ b/configure
+@@ -5299,26 +6059,25 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h. */
+ /* Test program from Paul Eggert and Tony Leneis. */
+-#if TIME_WITH_SYS_TIME
++#ifdef TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>
+ #else
+-# if HAVE_SYS_TIME_H
++# ifdef HAVE_SYS_TIME_H
+ # include <sys/time.h>
+ # else
+ # include <time.h>
+ # endif
+ #endif
+
+-#if HAVE_STDLIB_H
+-# include <stdlib.h>
+-#endif
++#include <limits.h>
++#include <stdlib.h>
+
+-#if HAVE_UNISTD_H
++#ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+ #endif
+
+-#if !HAVE_ALARM
++#ifndef HAVE_ALARM
+ # define alarm(X) /* empty */
+ #endif
+
+@@ -5335,9 +6094,9 @@
+ };
+ #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
+
+-/* Fail if mktime fails to convert a date in the spring-forward gap.
++/* Return 0 if mktime fails to convert a date in the spring-forward gap.
+ Based on a problem report from Andreas Jaeger. */
+-static void
++static int
+ spring_forward_gap ()
+ {
+ /* glibc (up to about 1998-10-07) failed this test. */
+@@ -5356,29 +6115,27 @@
+ tm.tm_min = 0;
+ tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+- if (mktime (&tm) == (time_t)-1)
+- exit (1);
++ return mktime (&tm) != (time_t) -1;
+ }
+
+-static void
++static int
+ mktime_test1 (now)
+ time_t now;
+ {
+ struct tm *lt;
+- if ((lt = localtime (&now)) && mktime (lt) != now)
+- exit (1);
++ return ! (lt = localtime (&now)) || mktime (lt) == now;
+ }
+
+-static void
++static int
+ mktime_test (now)
+ time_t now;
+ {
+- mktime_test1 (now);
+- mktime_test1 ((time_t) (time_t_max - now));
+- mktime_test1 ((time_t) (time_t_min + now));
++ return (mktime_test1 (now)
++ && mktime_test1 ((time_t) (time_t_max - now))
++ && mktime_test1 ((time_t) (time_t_min + now)));
+ }
+
+-static void
++static int
+ irix_6_4_bug ()
+ {
+ /* Based on code from Ariel Faigon. */
+@@ -5391,11 +6148,10 @@
+ tm.tm_sec = 0;
+ tm.tm_isdst = -1;
+ mktime (&tm);
+- if (tm.tm_mon != 2 || tm.tm_mday != 31)
+- exit (1);
++ return tm.tm_mon == 2 && tm.tm_mday == 31;
+ }
+
+-static void
++static int
+ bigtime_test (j)
+ int j;
+ {
+@@ -5417,8 +6173,39 @@
+ && lt->tm_wday == tm.tm_wday
+ && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
+ == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
+- exit (1);
++ return 0;
+ }
++ return 1;
++}
++
++static int
++year_2050_test ()
++{
++ /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
++ ignoring leap seconds. */
++ unsigned long int answer = 2527315200UL;
++
++ struct tm tm;
++ time_t t;
++ tm.tm_year = 2050 - 1900;
++ tm.tm_mon = 2 - 1;
++ tm.tm_mday = 1;
++ tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
++ tm.tm_isdst = -1;
++
++ /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
++ instead of "TZ=America/Vancouver" in order to detect the bug even
++ on systems that don't support the Olson extension, or don't have the
++ full zoneinfo tables installed. */
++ putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
++
++ t = mktime (&tm);
++
++ /* Check that the result is either a failure, or close enough
++ to the correct answer that we can assume the discrepancy is
++ due to leap seconds. */
++ return (t == (time_t) -1
++ || (0 < t && answer - 120 <= t && t <= answer + 120));
+ }
+
+ int
+@@ -5432,12 +6219,15 @@
+ isn't worth using anyway. */
+ alarm (60);
+
+- for (time_t_max = 1; 0 < time_t_max; time_t_max *= 2)
+- continue;
+- time_t_max--;
+- if ((time_t) -1 < 0)
+- for (time_t_min = -1; (time_t) (time_t_min * 2) < 0; time_t_min *= 2)
+- continue;
++ for (;;)
++ {
++ t = (time_t_max << 1) + 1;
++ if (t <= time_t_max)
++ break;
++ time_t_max = t;
++ }
++ time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
++
+ delta = time_t_max / 997; /* a suitable prime number */
+ for (i = 0; i < N_STRINGS; i++)
+ {
+@@ -5445,18 +6235,22 @@
+ putenv (tz_strings[i]);
+
+ for (t = 0; t <= time_t_max - delta; t += delta)
+- mktime_test (t);
+- mktime_test ((time_t) 1);
+- mktime_test ((time_t) (60 * 60));
+- mktime_test ((time_t) (60 * 60 * 24));
+-
+- for (j = 1; 0 < j; j *= 2)
+- bigtime_test (j);
+- bigtime_test (j - 1);
++ if (! mktime_test (t))
++ return 1;
++ if (! (mktime_test ((time_t) 1)
++ && mktime_test ((time_t) (60 * 60))
++ && mktime_test ((time_t) (60 * 60 * 24))))
++ return 1;
++
++ for (j = 1; ; j <<= 1)
++ if (! bigtime_test (j))
++ return 1;
++ else if (INT_MAX / 2 < j)
++ break;
++ if (! bigtime_test (INT_MAX))
++ return 1;
+ }
+- irix_6_4_bug ();
+- spring_forward_gap ();
+- exit (0);
++ return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
+ }
+ _ACEOF
+ rm -f conftest$ac_exeext
diff --git a/main/cvs/cvs-1.12.12-mktime-x32.patch b/main/cvs/cvs-1.12.12-mktime-x32.patch
new file mode 100644
index 0000000000..948fa4d714
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-x32.patch
@@ -0,0 +1,29 @@
+back port changes from upstream gnulib to make this work on x32
+
+https://bugs.gentoo.org/395641
+
+--- cvs-1.12.12/lib/mktime.c
++++ cvs-1.12.12/lib/mktime.c
+@@ -115,6 +115,13 @@
+ #define TM_YEAR_BASE 1900
+ verify (base_year_is_a_multiple_of_100, TM_YEAR_BASE % 100 == 0);
+
++#if INT_MAX <= LONG_MAX / 2
++typedef long int long_int;
++#else
++typedef long long int long_int;
++#endif
++verify (long_int_is_wide_enough, INT_MAX == INT_MAX * (long_int) 2 / 2);
++
+ /* Return 1 if YEAR + TM_YEAR_BASE is a leap year. */
+ static inline int
+ leapyear (long int year)
+@@ -167,8 +174,6 @@
+ int year0, int yday0, int hour0, int min0, int sec0)
+ {
+ verify (C99_integer_division, -1 / 2 == 0);
+- verify (long_int_year_and_yday_are_wide_enough,
+- INT_MAX <= LONG_MAX / 2 || TIME_T_MAX <= UINT_MAX);
+
+ /* Compute intervening leap days correctly even if year is negative.
+ Take care to avoid integer overflow here. */
diff --git a/main/cvs/cvs-1.12.12-musl.patch b/main/cvs/cvs-1.12.12-musl.patch
new file mode 100644
index 0000000000..e426cf55fc
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-musl.patch
@@ -0,0 +1,13 @@
+http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html
+
+--- a/lib/regex.c
++++ b/lib/regex.c
+@@ -8184,7 +8184,7 @@
+ if (msg_size > errbuf_size)
+ {
+ #if defined HAVE_MEMPCPY || defined _LIBC
+- *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
++ *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
+ #else
+ memcpy (errbuf, msg, errbuf_size - 1);
+ errbuf[errbuf_size - 1] = 0;
diff --git a/main/cvs/cvs-1.12.12-openat.patch b/main/cvs/cvs-1.12.12-openat.patch
new file mode 100644
index 0000000000..fdb406a45e
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-openat.patch
@@ -0,0 +1,21 @@
+Index: cvs-1.12.12/lib/openat.c
+===================================================================
+--- cvs-1.12.12.orig/lib/openat.c
++++ cvs-1.12.12/lib/openat.c
+@@ -55,9 +55,13 @@ rpl_openat (int fd, char const *filename
+ va_list arg;
+ va_start (arg, flags);
+
+- /* Assume that mode_t is passed compatibly with mode_t's type
+- after argument promotion. */
+- mode = va_arg (arg, mode_t);
++ /* If mode_t is narrower than int, use the promoted type (int),
++ not mode_t. Use sizeof to guess whether mode_t is nerrower;
++ we don't know of any practical counterexamples. */
++ if (sizeof (mode_t) < sizeof (int))
++ mode = va_arg (arg, int);
++ else
++ mode = va_arg (arg, mode_t);
+
+ va_end (arg);
+ }
diff --git a/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
new file mode 100644
index 0000000000..7dda3f0f17
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
@@ -0,0 +1,14 @@
+X-Gentoo-bug: 144114
+
+diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh
+--- cvs-1.12.12.orig/contrib/rcs2log.sh 2003-02-25 21:32:51.000000000 +0000
++++ cvs-1.12.12/contrib/rcs2log.sh 2010-12-06 21:14:33.831532212 +0000
+@@ -620,7 +620,7 @@
+ # Sort the log entries, first by date+time (in reverse order),
+ # then by author, then by log entry, and finally by file name and revision
+ # (just in case).
+-sort -t"$SOH" +2 -4r +4 +0 |
++sort -t"$SOH" -k 3,4r -k 5 -k 1,2 |
+
+ # Finally, reformat the sorted log entries.
+ $AWK -F"$SOH" '
diff --git a/main/cvs/cvs-musl.patch b/main/cvs/cvs-musl.patch
deleted file mode 100644
index 313377dbdd..0000000000
--- a/main/cvs/cvs-musl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- cvs-1.11.23.org/lib/getline.h 2013-09-16 18:28:13.026099577 +0000
-+++ cvs-1.11.23/lib/getline.h 2013-09-16 18:44:33.356064387 +0000
-@@ -12,8 +12,6 @@
- #define GETLINE_NO_LIMIT -1
-
- int
-- getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
--int
- getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
- int limit));
- int
---- cvs-1.11.23.org/lib/getline.c 2013-09-16 18:28:13.021099577 +0000
-+++ cvs-1.11.23/lib/getline.c 2013-09-16 18:45:14.463062911 +0000
-@@ -154,12 +154,7 @@
- return ret;
- }
-
--int
--getline (lineptr, n, stream)
-- char **lineptr;
-- size_t *n;
-- FILE *stream;
--{
-+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) {
- return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
-