main/cvs: security upgrade to 1.12.12

Most distros uses 1.12.13 (https://repology.org/project/cvs/versions) but according to Gentoo it is usable, so following Gentoo (https://bugs.gentoo.org/124733) 1.12.12 is the way forward.

CVEs:
* CVE-2010-3846 - https://bugzilla.redhat.com/show_bug.cgi?id=642146
* CVE-2012-0804 - https://security-tracker.debian.org/tracker/CVE-2012-0804
* CVE-2017-12836 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

16 files changed, 708 insertions, 53 deletions

diff --git a/main/cvs/APKBUILD b/main/cvs/APKBUILD
index b11d7ac61eb..c2537d6ed89 100644
--- a/main/cvs/APKBUILD
+++ b/main/cvs/APKBUILD
@@ -1,33 +1,45 @@
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cvs
-pkgver=1.11.23
+pkgver=1.12.12
 pkgrel=0
 pkgdesc="Concurrent Versions System"
-url="http://www.nongnu.org/cvs/"
+url="https://www.nongnu.org/cvs/"
 arch="all"
 license="GPL-2.0-or-later"
-depends=""
+options="!check" # Tests fail - src/lib/test-getdate.sh
 makedepends="zlib-dev"
-install=
 subpackages="$pkgname-doc"
-source="https://ftp.gnu.org/non-gnu/cvs/source/stable/$pkgver/$pkgname-$pkgver.tar.gz
-	cvs-musl.patch
+source="https://ftp.gnu.org/non-gnu/cvs/source/feature/$pkgver/cvs-$pkgver.tar.gz
+	cvs-1.12.12-cvsbug-tmpfix.patch
+	cvs-1.12.12-openat.patch
+	cvs-1.12.12-block-requests.patch
+	cvs-1.12.12-install-sh.patch
+	cvs-1.12.12-hash-nameclash.patch
+	cvs-1.12.12-getdelim.patch
+	cvs-1.12.12-rcs2log-coreutils.patch
+	cvs-1.12.12-mktime-x32.patch
+	cvs-1.12.12-fix-massive-leak.patch
+	cvs-1.12.12-mktime-configure.patch
+	cvs-1.12.12-CVE-2012-0804.patch
+	cvs-1.12.12-format-security.patch
+	cvs-1.12.12-musl.patch
+	CVE-2017-12836.patch
 	"
+builddir="$srcdir/$pkgname-$pkgver"
 
-_builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+#   1.12.12-r0:
+#     - CVE-2010-3846
+#     - CVE-2012-0804
+#     - CVE-2017-12836
 prepare() {
-	local i
-	cd "$_builddir"
-	for i in $source; do
-		case $i in
-		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
-		esac
-	done
+	default_prepare
+	update_config_sub
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -36,19 +48,32 @@ build() {
 		--mandir=/usr/share/man \
 		--infodir=/usr/share/info \
 		--with-external-zlib \
-		--with-tmpdir=/tmp \
-		|| return 1
-	make || return 1
+		--with-tmpdir=/tmp
+	make
+}
+
+check() {
+	cd "$builddir"
+	make check
 }
 
 package() {
-	cd "$_builddir"
-	make -j1 DESTDIR="$pkgdir" install
+	cd "$builddir"
+	make DESTDIR="$pkgdir" install
 }
 
-md5sums="bf185eb51b5918330a04671c3f3cccde  cvs-1.11.23.tar.gz
-3b51f4b2b94b83666f9e105038222cd8  cvs-musl.patch"
-sha256sums="0ad692e3c22e4b33274a53ad22a194deb3024ec833b9e87ad7968d9b0b58cdcf  cvs-1.11.23.tar.gz
-b5b687e9c5349fbb15e82ca1f99d9227432f6be29a55b7ca22bd9b1c8b6f08d5  cvs-musl.patch"
-sha512sums="e486df1d2aaf13605b9abc8ea5e8e2261dd015483cef82a9489919646f0d5d52a7bf4385f4fdb5f845a9c2287184153a0d456510089f1e2609957ba48ad9f96a  cvs-1.11.23.tar.gz
-7de04d5ec797430f8405b00e271d9edb5dffa3be855fc1e1dc35b134d981418c969486da668a78e1da88a4dba57952bfa14ffafbe3ff3ffc081de9cc908cf245  cvs-musl.patch"
+sha512sums="36cae30bbd075773d260fd8d0170335d37ba4b6dd09056465290df5c14cd7c39a18931d70761d98e2bd989798b013e372603e94c252b4062c56c3ab53251a1fb  cvs-1.12.12.tar.gz
+29014631f5595dbf51a47032a19a23e545190dd8d40d77a71d363cee07a9ae38263b67db52a512436a9a7b37a7f5ff4daafa4a0a9f3c29bcfeb71ecff74408b7  cvs-1.12.12-cvsbug-tmpfix.patch
+b0a7abc785169705d2f0668a8af706f93ee3eba3d050d555689577962283e54f6bd186e662b64c65f926cf72dff76a37259181338707d641ee0f20591ba62805  cvs-1.12.12-openat.patch
+541545ffc64c4f2303b7e8f6cae2cdff0437452e4bcf94b2149d51e43710096e17f024c1a8ed32433560ea51ecef2aba2f3e6bfaef8fa9e4ad2f2436649884d1  cvs-1.12.12-block-requests.patch
+7e468d41c1eb23c0a62b605e6e48cffc004e8f386a87a9696dd73b36702c74aad529f5cba7280dee1100027b6e1e907adad257cc446ca3ad734fa40d47e4ff72  cvs-1.12.12-install-sh.patch
+dcd612dcc4b008c0fbabd74bcc179e69ebaed31a9f6622127061194a8ed99549502fbc0bffc75cc87aed26f7fe46215da81438c3a797e2179ed3da8e0b5ebdbb  cvs-1.12.12-hash-nameclash.patch
+181b5daa6e103218e3fc1629a0b5f74daad613cdbe530655eff32479e4b9f32d067e60a82107efdbb129f917ee0626d274fb65555c66d907c997bf01fa262bdb  cvs-1.12.12-getdelim.patch
+73c3506fa670b00ac52363efa2a2fa34203108d3dc112400e52f78eb7d83967cf49b11280d6c27a461f79a9c38317b41b26dd1f67d10229dbcb6c2ad9d43b521  cvs-1.12.12-rcs2log-coreutils.patch
+4a58c0f94de8e19c2de1930b7e5e04816e79a86885c89b792616a4c43f6e12aef271005ae59ae0d5788a910ba97735ccdf35f0ef5faafc2e3c50a9858b8f6216  cvs-1.12.12-mktime-x32.patch
+c4c9026e971f3da49cefce102b57bc681427a708ec8caa185df1234fd2a95090c8dc8cbf84374a762fdef7002d658cd4b52450429664cb3a1bfbda63d31c78a7  cvs-1.12.12-fix-massive-leak.patch
+10b29450d5d0a6a02d92812b919edbba2b86f2217aa54896b44358edb2eb8d8d6111b5c5db39faa50ef1f9a86ed1ee190332629f33402ad8cd8082b77547f486  cvs-1.12.12-mktime-configure.patch
+4f86f75f59caf4ef7e83964ec2d9c93575ccdcb031b1a6a1774a2a80ab7d6f278b3d27c4ab9270b91edf457a0195d702e3bd20da17c167b3f204fd9d8980b720  cvs-1.12.12-CVE-2012-0804.patch
+34f16defa5ab03ca2efcdea27269a37e27510d235bc4efd7a91871c2ae32fe9b922a51f3b87bcfec988964f8ae50d4649d7876937e25352836d5274ce88eea13  cvs-1.12.12-format-security.patch
+1c14b89dccee3130cc4ff881b7204f01dd8e14d1767e21d30b879df17a368a0f6bc7d3945872f8a6adcf47e34c3e48b9f2c0c0c90cccbf10fa935690a57f5e20  cvs-1.12.12-musl.patch
+1daf3d26acabe5e1f46331595f95f62a3bc7ffd28dfb063cfc8c9eec3f13f67ad32ba236ea4ff5f3180a10996ac5c902473d4a34226f9706f3b008b0c55491ea  CVE-2017-12836.patch"
diff --git a/main/cvs/CVE-2017-12836.patch b/main/cvs/CVE-2017-12836.patch
new file mode 100644
index 00000000000..b20a88b6672
--- /dev/null
+++ b/main/cvs/CVE-2017-12836.patch
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix CVE-2017-12836
+From: Thorsten Glaser <tg@mirbsd.de>
+
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -53,9 +53,10 @@
+     char *cvs_server = (root->cvs_server != NULL
+ 			? root->cvs_server : getenv ("CVS_SERVER"));
+     int i = 0;
+-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+-    char *rsh_argv[10];
++    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++       "--", "host", "cvs", "-R", "server", and NULL.
++       We leave some room to grow. */
++    char *rsh_argv[16];
+ 
+     if (!cvs_rsh)
+ 	/* People sometimes suggest or assume that this should default
+@@ -97,6 +98,9 @@
+ 	rsh_argv[i++] = root->username;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     rsh_argv[i++] = "server";
+@@ -171,6 +175,8 @@
+ 	    *p++ = root->username;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;
diff --git a/main/cvs/cvs-1.12.12-CVE-2012-0804.patch b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
new file mode 100644
index 00000000000..107c3ea1220
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-CVE-2012-0804.patch
@@ -0,0 +1,30 @@
+[CVE-2012-0804] Fix proxy response parser
+
+If proxy sends overlong HTTP vesion string, the string will be copied
+to unallocatd space (write_buf) causing heap overflow.
+
+This patch fixes it by ignoring the HTTP version string and checking
+the response line has been parsed correctly.
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
+details.
+
+Index: src/client.c
+===================================================================
+RCS file: /sources/cvs/ccvs/src/client.c,v
+retrieving revision 1.483
+diff -u -r1.483 client.c
+--- a/src/client.c	18 Nov 2008 22:59:02 -0000	1.483
++++ b/src/client.c	26 Jan 2012 16:32:25 -0000
+@@ -4339,9 +4339,9 @@
+          * code.
+          */
+ 	read_line_via (from_server, to_server, &read_buf);
+-	sscanf (read_buf, "%s %d", write_buf, &codenum);
++	count = sscanf (read_buf, "%*s %d", &codenum);
+ 
+-	if ((codenum / 100) != 2)
++	if (count != 1 || (codenum / 100) != 2)
+ 	    error (1, 0, "proxy server %s:%d does not support http tunnelling",
+ 		   root->proxy_hostname, proxy_port_number);
+ 	free (read_buf);
diff --git a/main/cvs/cvs-1.12.12-block-requests.patch b/main/cvs/cvs-1.12.12-block-requests.patch
new file mode 100644
index 00000000000..9c9b49db8f6
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-block-requests.patch
@@ -0,0 +1,140 @@
+Author: Robin H. Johnson <robbat2@gentoo.org>
+Date: 2006-08-09
+
+This patch allows a CVS server to deny usage of specific commands, based on
+input in the environment.
+
+Just set the CVS_BLOCK_REQUESTS env var with all of the commands you want,
+seperated by spaces. Eg:
+CVS_BLOCK_REQUESTS="Gzip-stream gzip-file-contents"
+would block ALL usage of compression.
+
+Please see the array 'struct request requests[]' in src/server.c for a full
+list of commands.
+
+Please note that if you block any commands marked as RQ_ESSENTIAL, CVS clients
+may fail! (This includes 'ci'!).
+
+See the companion cvs-custom.c for a wrapper that can enforce the environment variable for pserver setups.
+
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+diff -Nuar --exclude '*~' -U 10 cvs-1.12.12.orig/src/server.c cvs-1.12.12/src/server.c
+--- cvs-1.12.12.orig/src/server.c	2005-04-14 14:13:29.000000000 +0000
++++ cvs-1.12.12/src/server.c	2006-08-09 01:40:44.000000000 +0000
+@@ -5836,43 +5836,90 @@
+ #undef REQ_LINE
+ };
+ #endif /* SERVER_SUPPORT or CLIENT_SUPPORT */
+ 
+ 
+ 
+ #ifdef SERVER_SUPPORT
+ /*
+  * This server request is not ignored by the secondary.
+  */
++
++/* Hack by Robin H. Johnson <robbat2@gentoo.org>.
++ * Allow the server ENV to specify what request types are to be ignored.
++ */
++
++static char blocked_requests[BUFSIZ] = " ";
++
++static void build_blocked_requests() {
++	char *tmp = getenv("CVS_BLOCK_REQUESTS");
++
++	if (tmp != NULL && strlen(tmp) > 0) {
++		// move to our custom buffer
++		strncat(blocked_requests, tmp, sizeof(blocked_requests)-strlen(blocked_requests));
++		//add a space on the end as well for searching
++		strncat(blocked_requests, " ", sizeof(blocked_requests)-strlen(blocked_requests));
++	}
++
++	// now blocked_requests contains the list of every request that we do not
++	// want to serve
++}
++
++// returns 0 if we should serve this request
++// use as if(checker(FOO)) continue;
++static int serve_valid_requests_checker(char *reqname) {
++	char needle[BUFSIZ] = " ";
++	char *tmp;
++
++	if(!blocked_requests || strlen(blocked_requests) < 2)
++		return 0;
++
++	// we want to look for ' 'reqname' '
++	snprintf(needle, sizeof(needle), " %s ", reqname);
++
++	// now do the search
++	tmp = strstr(blocked_requests, needle);
++
++	if (tmp != NULL)
++		return 1;
++
++	return 0;
++	
++}
++
+ static void
+ serve_valid_requests (char *arg)
+ {
+     struct request *rq;
+ 
+     /* Since this is processed in the first pass, don't reprocess it in the
+      * second.
+      *
+      * We still print errors since new errors could have been generated in the
+      * second pass.
+      */
+     if (print_pending_error ()
+ #ifdef PROXY_SUPPORT
+ 	|| reprocessing
+ #endif /* PROXY_SUPPORT */
+        )
+ 	return;
++	
++    build_blocked_requests();
+ 
+     buf_output0 (buf_to_net, "Valid-requests");
+     for (rq = requests; rq->name != NULL; rq++)
+     {
+ 	if (rq->func != NULL)
+ 	{
++		if(serve_valid_requests_checker(rq->name)) 
++			continue;
+ 	    buf_append_char (buf_to_net, ' ');
+ 	    buf_output0 (buf_to_net, rq->name);
+ 	}
+     }
+     buf_output0 (buf_to_net, "\nok\n");
+ 
+     /* The client is waiting for the list of valid requests, so we
+        must send the output now.  */
+     buf_flush (buf_to_net, 1);
+ }
+@@ -6353,20 +6400,24 @@
+ 		    cmd += len;
+ 		else if (cmd[len] == ' ')
+ 		    cmd += len + 1;
+ 		else
+ 		    /*
+ 		     * The first len characters match, but it's a different
+ 		     * command.  e.g. the command is "cooperate" but we matched
+ 		     * "co".
+ 		     */
+ 		    continue;
++		// Ignore commands that we are supposed to ignore.
++		if(serve_valid_requests_checker(rq->name))
++				continue;
++
+ 
+ 		if (!(rq->flags & RQ_ROOTLESS)
+ 		    && current_parsed_root == NULL)
+ 		{
+ 		    /* For commands which change the way in which data
+ 		       is sent and received, for example Gzip-stream,
+ 		       this does the wrong thing.  Since the client
+ 		       assumes that everything is being compressed,
+ 		       unconditionally, there is no way to give this
+ 		       error to the client without turning on
diff --git a/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
new file mode 100644
index 00000000000..fcd4431e877
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-cvsbug-tmpfix.patch
@@ -0,0 +1,22 @@
+Index: cvs-1.12.12/src/cvsbug.in
+===================================================================
+--- cvs-1.12.12.orig/src/cvsbug.in
++++ cvs-1.12.12/src/cvsbug.in
+@@ -109,14 +109,14 @@ elif [ -f /bin/domainname ]; then
+     /usr/bin/ypcat passwd 2>/dev/null | cat - /etc/passwd | grep "^$LOGNAME:" |
+       cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+     ORIGINATOR="`cat $TEMP`"
+-    rm -f $TEMP
++    > $TEMP
+   fi
+ fi
+
+ if [ "$ORIGINATOR" = "" ]; then
+   grep "^$LOGNAME:" /etc/passwd | cut -f5 -d':' | sed -e 's/,.*//' > $TEMP
+   ORIGINATOR="`cat $TEMP`"
+-  rm -f $TEMP
++  > $TEMP
+ fi
+
+ if [ -n "$ORGANIZATION" ]; then
+
diff --git a/main/cvs/cvs-1.12.12-fix-massive-leak.patch b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
new file mode 100644
index 00000000000..5366f50855f
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-fix-massive-leak.patch
@@ -0,0 +1,52 @@
+buf_free_data must free data independently
+of send or reseived bytes over network.
+
+Moreover, when buffer is usually freed
+buffer _is_ empty, but has one clean mapped page.
+
+I've observed massive 'cvs server' leaks
+when importing large gentoo-x86 repo with 'cvsps'.
+Leak ate all my 32GBs of RAM and killed process.
+(Leaked around 3 pages per client request).
+
+valgrind found the leak easily:
+
+$ valgrind \
+    cvsps \
+           --root :local:$HOME/portage/gentoo-x86.rsync \
+           --fast-export \
+           gentoo-x86/dev-vcs/git-annex 2>l |
+    git fast-import
+
+    ==13504== 1,248 bytes in 52 blocks are still reachable in loss record 41 of 47
+    ==13504==    at 0x4C2C19B: malloc (vg_replace_malloc.c:270)
+    ==13504==    by 0x48A556: xnmalloc_inline (xmalloc.c:40)
+    ==13504==    by 0x48A5B5: xmalloc (xmalloc.c:56)
+    ==13504==    by 0x4855F5: new_memnode (pagealign_alloc.c:91)
+    ==13504==    by 0x48571B: pagealign_alloc (pagealign_alloc.c:151)
+    ==13504==    by 0x485739: pagealign_xalloc (pagealign_alloc.c:182)
+    ==13504==    by 0x408DD7: get_buffer_data (buffer.c:98)
+    ==13504==    by 0x409C0C: buf_input_data (buffer.c:738)
+    ==13504==    by 0x45BB63: do_cvs_command (server.c:3847)
+    ==13504==    by 0x45D39E: serve_co (server.c:4809)
+    ==13504==    by 0x45F845: server (server.c:6438)
+    ==13504==    by 0x438784: main (main.c:1066)
+
+And now it takes constant space (less, than 18MB)
+for 'cvs server' process to convert all gentoo-x86
+by serving more, than 5 000 000 client requests.
+
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+diff --git a/src/buffer.c b/src/buffer.c
+index 3f12513..9a7a559 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -526,7 +526,7 @@ buf_copy_data (struct buffer *buf, struct buffer_data *data,
+ void
+ buf_free_data (struct buffer *buffer)
+ {
+-    if (buf_empty_p (buffer)) return;
++    if (! buffer->data) return;
+     buf_free_datas (buffer->data, buffer->last);
+     buffer->data = buffer->last = NULL;
+ }
diff --git a/main/cvs/cvs-1.12.12-format-security.patch b/main/cvs/cvs-1.12.12-format-security.patch
new file mode 100644
index 00000000000..d710a902073
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-format-security.patch
@@ -0,0 +1,22 @@
+--- a/diff/diff3.c
++++ b/diff/diff3.c
+@@ -1503,7 +1503,7 @@
+ 	      line = 0;
+ 	      do
+ 		{
+-		  printf_output (line_prefix);
++		  printf_output ("%s", line_prefix);
+ 		  cp = D_RELNUM (ptr, realfile, line);
+ 		  length = D_RELLEN (ptr, realfile, line);
+ 		  write_output (cp, length);
+--- a/src/main.c
++++ b/src/main.c
+@@ -1375,7 +1375,7 @@
+ {
+     (void) fprintf (stderr, *cpp++, program_name, cvs_cmd_name);
+     for (; *cpp; cpp++)
+-	(void) fprintf (stderr, *cpp);
++	(void) fprintf (stderr, "%s", *cpp);
+     exit (EXIT_FAILURE);
+ }
+ 
diff --git a/main/cvs/cvs-1.12.12-getdelim.patch b/main/cvs/cvs-1.12.12-getdelim.patch
new file mode 100644
index 00000000000..837d4408ab1
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-getdelim.patch
@@ -0,0 +1,21 @@
+The function getdelim() behaves slightly different on FreeBSD,
+only appending to the *line buffer if line_size is 0.
+
+See: 
+https://savannah.nongnu.org/bugs/?29466
+http://bugs.gentoo.org/314791
+
+Already comitted upstream:
+http://cvs.savannah.gnu.org/viewvc/ccvs/src/myndbm.c?root=cvs&r1=1.38&r2=1.39
+
+--- a/src/myndbm.c.orig
++++ b/src/myndbm.c
+@@ -213,7 +213,7 @@
+ mydbm_load_file (FILE *fp, List *list, char *filename)
+ {
+     char *line = NULL;
+-    size_t line_size;
++    size_t line_size = 0;
+     char *value;
+     size_t value_allocated;
+     char *cp, *vp;
diff --git a/main/cvs/cvs-1.12.12-hash-nameclash.patch b/main/cvs/cvs-1.12.12-hash-nameclash.patch
new file mode 100644
index 00000000000..95fd61e0a51
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-hash-nameclash.patch
@@ -0,0 +1,42 @@
+http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/hash.h?r1=1.14.6.2&r2=1.14.6.3&pathrev=cvs1-11-x-branch
+fixed in cvs-1.11.23, cvs-HEAD after cvs-1.12.13a
+
+--- a/src/hash.h.orig	2005-02-01 22:56:48 +0100
++++ b/src/hash.h	2010-03-10 19:00:11 +0100
+@@ -27,26 +27,26 @@
+ };
+ typedef enum ntype Ntype;
+ 
+-struct node
++struct hashnode
+ {
+     Ntype type;
+-    struct node *next;
+-    struct node *prev;
+-    struct node *hashnext;
+-    struct node *hashprev;
++    struct hashnode *next;
++    struct hashnode *prev;
++    struct hashnode *hashnext;
++    struct hashnode *hashprev;
+     char *key;
+     void *data;
+-    void (*delproc) (struct node *);
++    void (*delproc) (struct hashnode *);
+ };
+-typedef struct node Node;
++typedef struct hashnode Node;
+ 
+-struct list
++struct hashlist
+ {
+     Node *list;
+     Node *hasharray[HASHSIZE];
+-    struct list *next;
++    struct hashlist *next;
+ };
+-typedef struct list List;
++typedef struct hashlist List;
+ 
+ List *getlist (void);
+ Node *findnode (List * list, const char *key);
diff --git a/main/cvs/cvs-1.12.12-install-sh.patch b/main/cvs/cvs-1.12.12-install-sh.patch
new file mode 100644
index 00000000000..825c0ee6f1c
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-install-sh.patch
@@ -0,0 +1,12 @@
+diff -ur a/build-aux/install-sh b/build-aux/install-sh
+--- a/build-aux/install-sh	2006-03-25 20:04:46 +0000
++++ b/build-aux/install-sh	2007-09-14 10:53:29 +0100
+@@ -246,7 +246,7 @@
+   fi
+ 
+   if test -n "$dir_arg"; then
+-    $doit $mkdircmd "$dst" \
++    { test -d "$dst" || $doit $mkdircmd -p "$dst"; } \
+       && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
+       && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
+       && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
diff --git a/main/cvs/cvs-1.12.12-mktime-configure.patch b/main/cvs/cvs-1.12.12-mktime-configure.patch
new file mode 100644
index 00000000000..03d7f35601e
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-configure.patch
@@ -0,0 +1,201 @@
+https://bugs.gentoo.org/220040
+https://bugs.gentoo.org/570208
+
+update mktime check to latest autoconf version which is less buggy
+
+--- a/configure
++++ b/configure
+@@ -5299,26 +6059,25 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+ /* Test program from Paul Eggert and Tony Leneis.  */
+-#if TIME_WITH_SYS_TIME
++#ifdef TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>
+ #else
+-# if HAVE_SYS_TIME_H
++# ifdef HAVE_SYS_TIME_H
+ #  include <sys/time.h>
+ # else
+ #  include <time.h>
+ # endif
+ #endif
+ 
+-#if HAVE_STDLIB_H
+-# include <stdlib.h>
+-#endif
++#include <limits.h>
++#include <stdlib.h>
+ 
+-#if HAVE_UNISTD_H
++#ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+ #endif
+ 
+-#if !HAVE_ALARM
++#ifndef HAVE_ALARM
+ # define alarm(X) /* empty */
+ #endif
+ 
+@@ -5335,9 +6094,9 @@
+ };
+ #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
+ 
+-/* Fail if mktime fails to convert a date in the spring-forward gap.
++/* Return 0 if mktime fails to convert a date in the spring-forward gap.
+    Based on a problem report from Andreas Jaeger.  */
+-static void
++static int
+ spring_forward_gap ()
+ {
+   /* glibc (up to about 1998-10-07) failed this test. */
+@@ -5356,29 +6115,27 @@
+   tm.tm_min = 0;
+   tm.tm_sec = 0;
+   tm.tm_isdst = -1;
+-  if (mktime (&tm) == (time_t)-1)
+-    exit (1);
++  return mktime (&tm) != (time_t) -1;
+ }
+ 
+-static void
++static int
+ mktime_test1 (now)
+      time_t now;
+ {
+   struct tm *lt;
+-  if ((lt = localtime (&now)) && mktime (lt) != now)
+-    exit (1);
++  return ! (lt = localtime (&now)) || mktime (lt) == now;
+ }
+ 
+-static void
++static int
+ mktime_test (now)
+      time_t now;
+ {
+-  mktime_test1 (now);
+-  mktime_test1 ((time_t) (time_t_max - now));
+-  mktime_test1 ((time_t) (time_t_min + now));
++  return (mktime_test1 (now)
++	  && mktime_test1 ((time_t) (time_t_max - now))
++	  && mktime_test1 ((time_t) (time_t_min + now)));
+ }
+ 
+-static void
++static int
+ irix_6_4_bug ()
+ {
+   /* Based on code from Ariel Faigon.  */
+@@ -5391,11 +6148,10 @@
+   tm.tm_sec = 0;
+   tm.tm_isdst = -1;
+   mktime (&tm);
+-  if (tm.tm_mon != 2 || tm.tm_mday != 31)
+-    exit (1);
++  return tm.tm_mon == 2 && tm.tm_mday == 31;
+ }
+ 
+-static void
++static int
+ bigtime_test (j)
+      int j;
+ {
+@@ -5417,8 +6173,39 @@
+ 	     && lt->tm_wday == tm.tm_wday
+ 	     && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
+ 		  == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
+-	exit (1);
++	return 0;
+     }
++  return 1;
++}
++
++static int
++year_2050_test ()
++{
++  /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
++     ignoring leap seconds.  */
++  unsigned long int answer = 2527315200UL;
++
++  struct tm tm;
++  time_t t;
++  tm.tm_year = 2050 - 1900;
++  tm.tm_mon = 2 - 1;
++  tm.tm_mday = 1;
++  tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
++  tm.tm_isdst = -1;
++
++  /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
++     instead of "TZ=America/Vancouver" in order to detect the bug even
++     on systems that don't support the Olson extension, or don't have the
++     full zoneinfo tables installed.  */
++  putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
++
++  t = mktime (&tm);
++
++  /* Check that the result is either a failure, or close enough
++     to the correct answer that we can assume the discrepancy is
++     due to leap seconds.  */
++  return (t == (time_t) -1
++	  || (0 < t && answer - 120 <= t && t <= answer + 120));
+ }
+ 
+ int
+@@ -5432,12 +6219,15 @@
+      isn't worth using anyway.  */
+   alarm (60);
+ 
+-  for (time_t_max = 1; 0 < time_t_max; time_t_max *= 2)
+-    continue;
+-  time_t_max--;
+-  if ((time_t) -1 < 0)
+-    for (time_t_min = -1; (time_t) (time_t_min * 2) < 0; time_t_min *= 2)
+-      continue;
++  for (;;)
++    {
++      t = (time_t_max << 1) + 1;
++      if (t <= time_t_max)
++	break;
++      time_t_max = t;
++    }
++  time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
++
+   delta = time_t_max / 997; /* a suitable prime number */
+   for (i = 0; i < N_STRINGS; i++)
+     {
+@@ -5445,18 +6235,22 @@
+ 	putenv (tz_strings[i]);
+ 
+       for (t = 0; t <= time_t_max - delta; t += delta)
+-	mktime_test (t);
+-      mktime_test ((time_t) 1);
+-      mktime_test ((time_t) (60 * 60));
+-      mktime_test ((time_t) (60 * 60 * 24));
+-
+-      for (j = 1; 0 < j; j *= 2)
+-	bigtime_test (j);
+-      bigtime_test (j - 1);
++	if (! mktime_test (t))
++	  return 1;
++      if (! (mktime_test ((time_t) 1)
++	     && mktime_test ((time_t) (60 * 60))
++	     && mktime_test ((time_t) (60 * 60 * 24))))
++	return 1;
++
++      for (j = 1; ; j <<= 1)
++	if (! bigtime_test (j))
++	  return 1;
++	else if (INT_MAX / 2 < j)
++	  break;
++      if (! bigtime_test (INT_MAX))
++	return 1;
+     }
+-  irix_6_4_bug ();
+-  spring_forward_gap ();
+-  exit (0);
++  return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
+ }
+ _ACEOF
+ rm -f conftest$ac_exeext
diff --git a/main/cvs/cvs-1.12.12-mktime-x32.patch b/main/cvs/cvs-1.12.12-mktime-x32.patch
new file mode 100644
index 00000000000..948fa4d7144
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-x32.patch
@@ -0,0 +1,29 @@
+back port changes from upstream gnulib to make this work on x32
+
+https://bugs.gentoo.org/395641
+
+--- cvs-1.12.12/lib/mktime.c
++++ cvs-1.12.12/lib/mktime.c
+@@ -115,6 +115,13 @@
+ #define TM_YEAR_BASE 1900
+ verify (base_year_is_a_multiple_of_100, TM_YEAR_BASE % 100 == 0);
+ 
++#if INT_MAX <= LONG_MAX / 2
++typedef long int long_int;
++#else
++typedef long long int long_int;
++#endif
++verify (long_int_is_wide_enough, INT_MAX == INT_MAX * (long_int) 2 / 2);
++
+ /* Return 1 if YEAR + TM_YEAR_BASE is a leap year.  */
+ static inline int
+ leapyear (long int year)
+@@ -167,8 +174,6 @@
+ 	    int year0, int yday0, int hour0, int min0, int sec0)
+ {
+   verify (C99_integer_division, -1 / 2 == 0);
+-  verify (long_int_year_and_yday_are_wide_enough,
+-	  INT_MAX <= LONG_MAX / 2 || TIME_T_MAX <= UINT_MAX);
+ 
+   /* Compute intervening leap days correctly even if year is negative.
+      Take care to avoid integer overflow here.  */
diff --git a/main/cvs/cvs-1.12.12-musl.patch b/main/cvs/cvs-1.12.12-musl.patch
new file mode 100644
index 00000000000..e426cf55fcc
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-musl.patch
@@ -0,0 +1,13 @@
+http://gcc.gnu.org/ml/gcc/2003-04/msg00518.html
+
+--- a/lib/regex.c
++++ b/lib/regex.c
+@@ -8184,7 +8184,7 @@
+       if (msg_size > errbuf_size)
+         {
+ #if defined HAVE_MEMPCPY || defined _LIBC
+-	  *((char *) __mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
++	  *((char *) mempcpy (errbuf, msg, errbuf_size - 1)) = '\0';
+ #else
+           memcpy (errbuf, msg, errbuf_size - 1);
+           errbuf[errbuf_size - 1] = 0;
diff --git a/main/cvs/cvs-1.12.12-openat.patch b/main/cvs/cvs-1.12.12-openat.patch
new file mode 100644
index 00000000000..fdb406a45e4
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-openat.patch
@@ -0,0 +1,21 @@
+Index: cvs-1.12.12/lib/openat.c
+===================================================================
+--- cvs-1.12.12.orig/lib/openat.c
++++ cvs-1.12.12/lib/openat.c
+@@ -55,9 +55,13 @@ rpl_openat (int fd, char const *filename
+       va_list arg;
+       va_start (arg, flags);
+ 
+-      /* Assume that mode_t is passed compatibly with mode_t's type
+-	 after argument promotion.  */
+-      mode = va_arg (arg, mode_t);
++      /* If mode_t is narrower than int, use the promoted type (int),
++         not mode_t.  Use sizeof to guess whether mode_t is nerrower;
++         we don't know of any practical counterexamples.  */
++      if (sizeof (mode_t) < sizeof (int))
++	mode = va_arg (arg, int);
++      else
++	mode = va_arg (arg, mode_t);
+ 
+       va_end (arg);
+     }
diff --git a/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
new file mode 100644
index 00000000000..7dda3f0f172
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-rcs2log-coreutils.patch
@@ -0,0 +1,14 @@
+X-Gentoo-bug: 144114
+
+diff -Nuar cvs-1.12.12.orig/contrib/rcs2log.sh cvs-1.12.12/contrib/rcs2log.sh
+--- cvs-1.12.12.orig/contrib/rcs2log.sh	2003-02-25 21:32:51.000000000 +0000
++++ cvs-1.12.12/contrib/rcs2log.sh	2010-12-06 21:14:33.831532212 +0000
+@@ -620,7 +620,7 @@
+ # Sort the log entries, first by date+time (in reverse order),
+ # then by author, then by log entry, and finally by file name and revision
+ # (just in case).
+-sort -t"$SOH" +2 -4r +4 +0 |
++sort -t"$SOH" -k 3,4r -k 5 -k 1,2 |
+ 
+ # Finally, reformat the sorted log entries.
+ $AWK -F"$SOH" '
diff --git a/main/cvs/cvs-musl.patch b/main/cvs/cvs-musl.patch
deleted file mode 100644
index 313377dbdd5..00000000000
--- a/main/cvs/cvs-musl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- cvs-1.11.23.org/lib/getline.h	2013-09-16 18:28:13.026099577 +0000
-+++ cvs-1.11.23/lib/getline.h	2013-09-16 18:44:33.356064387 +0000
-@@ -12,8 +12,6 @@
- #define GETLINE_NO_LIMIT -1
- 
- int
--  getline __PROTO ((char **_lineptr, size_t *_n, FILE *_stream));
--int
-   getline_safe __PROTO ((char **_lineptr, size_t *_n, FILE *_stream,
-                          int limit));
- int
---- cvs-1.11.23.org/lib/getline.c	2013-09-16 18:28:13.021099577 +0000
-+++ cvs-1.11.23/lib/getline.c	2013-09-16 18:45:14.463062911 +0000
-@@ -154,12 +154,7 @@
-   return ret;
- }
- 
--int
--getline (lineptr, n, stream)
--     char **lineptr;
--     size_t *n;
--     FILE *stream;
--{
-+ssize_t getline(char ** lineptr, size_t * n, FILE *stream) {
-   return getstr (lineptr, n, stream, '\n', 0, GETLINE_NO_LIMIT);
- }
-