main/cvs: security upgrade to 1.12.12

Most distros uses 1.12.13 (https://repology.org/project/cvs/versions) but according to Gentoo it is usable, so following Gentoo (https://bugs.gentoo.org/124733) 1.12.12 is the way forward.

CVEs:
* CVE-2010-3846 - https://bugzilla.redhat.com/show_bug.cgi?id=642146
* CVE-2012-0804 - https://security-tracker.debian.org/tracker/CVE-2012-0804
* CVE-2017-12836 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

1 files changed, 201 insertions, 0 deletions

diff --git a/main/cvs/cvs-1.12.12-mktime-configure.patch b/main/cvs/cvs-1.12.12-mktime-configure.patch
new file mode 100644
index 00000000000..03d7f35601e
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-mktime-configure.patch
@@ -0,0 +1,201 @@
+https://bugs.gentoo.org/220040
+https://bugs.gentoo.org/570208
+
+update mktime check to latest autoconf version which is less buggy
+
+--- a/configure
++++ b/configure
+@@ -5299,26 +6059,25 @@
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+ /* Test program from Paul Eggert and Tony Leneis.  */
+-#if TIME_WITH_SYS_TIME
++#ifdef TIME_WITH_SYS_TIME
+ # include <sys/time.h>
+ # include <time.h>
+ #else
+-# if HAVE_SYS_TIME_H
++# ifdef HAVE_SYS_TIME_H
+ #  include <sys/time.h>
+ # else
+ #  include <time.h>
+ # endif
+ #endif
+ 
+-#if HAVE_STDLIB_H
+-# include <stdlib.h>
+-#endif
++#include <limits.h>
++#include <stdlib.h>
+ 
+-#if HAVE_UNISTD_H
++#ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+ #endif
+ 
+-#if !HAVE_ALARM
++#ifndef HAVE_ALARM
+ # define alarm(X) /* empty */
+ #endif
+ 
+@@ -5335,9 +6094,9 @@
+ };
+ #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
+ 
+-/* Fail if mktime fails to convert a date in the spring-forward gap.
++/* Return 0 if mktime fails to convert a date in the spring-forward gap.
+    Based on a problem report from Andreas Jaeger.  */
+-static void
++static int
+ spring_forward_gap ()
+ {
+   /* glibc (up to about 1998-10-07) failed this test. */
+@@ -5356,29 +6115,27 @@
+   tm.tm_min = 0;
+   tm.tm_sec = 0;
+   tm.tm_isdst = -1;
+-  if (mktime (&tm) == (time_t)-1)
+-    exit (1);
++  return mktime (&tm) != (time_t) -1;
+ }
+ 
+-static void
++static int
+ mktime_test1 (now)
+      time_t now;
+ {
+   struct tm *lt;
+-  if ((lt = localtime (&now)) && mktime (lt) != now)
+-    exit (1);
++  return ! (lt = localtime (&now)) || mktime (lt) == now;
+ }
+ 
+-static void
++static int
+ mktime_test (now)
+      time_t now;
+ {
+-  mktime_test1 (now);
+-  mktime_test1 ((time_t) (time_t_max - now));
+-  mktime_test1 ((time_t) (time_t_min + now));
++  return (mktime_test1 (now)
++	  && mktime_test1 ((time_t) (time_t_max - now))
++	  && mktime_test1 ((time_t) (time_t_min + now)));
+ }
+ 
+-static void
++static int
+ irix_6_4_bug ()
+ {
+   /* Based on code from Ariel Faigon.  */
+@@ -5391,11 +6148,10 @@
+   tm.tm_sec = 0;
+   tm.tm_isdst = -1;
+   mktime (&tm);
+-  if (tm.tm_mon != 2 || tm.tm_mday != 31)
+-    exit (1);
++  return tm.tm_mon == 2 && tm.tm_mday == 31;
+ }
+ 
+-static void
++static int
+ bigtime_test (j)
+      int j;
+ {
+@@ -5417,8 +6173,39 @@
+ 	     && lt->tm_wday == tm.tm_wday
+ 	     && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
+ 		  == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
+-	exit (1);
++	return 0;
+     }
++  return 1;
++}
++
++static int
++year_2050_test ()
++{
++  /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
++     ignoring leap seconds.  */
++  unsigned long int answer = 2527315200UL;
++
++  struct tm tm;
++  time_t t;
++  tm.tm_year = 2050 - 1900;
++  tm.tm_mon = 2 - 1;
++  tm.tm_mday = 1;
++  tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
++  tm.tm_isdst = -1;
++
++  /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
++     instead of "TZ=America/Vancouver" in order to detect the bug even
++     on systems that don't support the Olson extension, or don't have the
++     full zoneinfo tables installed.  */
++  putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
++
++  t = mktime (&tm);
++
++  /* Check that the result is either a failure, or close enough
++     to the correct answer that we can assume the discrepancy is
++     due to leap seconds.  */
++  return (t == (time_t) -1
++	  || (0 < t && answer - 120 <= t && t <= answer + 120));
+ }
+ 
+ int
+@@ -5432,12 +6219,15 @@
+      isn't worth using anyway.  */
+   alarm (60);
+ 
+-  for (time_t_max = 1; 0 < time_t_max; time_t_max *= 2)
+-    continue;
+-  time_t_max--;
+-  if ((time_t) -1 < 0)
+-    for (time_t_min = -1; (time_t) (time_t_min * 2) < 0; time_t_min *= 2)
+-      continue;
++  for (;;)
++    {
++      t = (time_t_max << 1) + 1;
++      if (t <= time_t_max)
++	break;
++      time_t_max = t;
++    }
++  time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max;
++
+   delta = time_t_max / 997; /* a suitable prime number */
+   for (i = 0; i < N_STRINGS; i++)
+     {
+@@ -5445,18 +6235,22 @@
+ 	putenv (tz_strings[i]);
+ 
+       for (t = 0; t <= time_t_max - delta; t += delta)
+-	mktime_test (t);
+-      mktime_test ((time_t) 1);
+-      mktime_test ((time_t) (60 * 60));
+-      mktime_test ((time_t) (60 * 60 * 24));
+-
+-      for (j = 1; 0 < j; j *= 2)
+-	bigtime_test (j);
+-      bigtime_test (j - 1);
++	if (! mktime_test (t))
++	  return 1;
++      if (! (mktime_test ((time_t) 1)
++	     && mktime_test ((time_t) (60 * 60))
++	     && mktime_test ((time_t) (60 * 60 * 24))))
++	return 1;
++
++      for (j = 1; ; j <<= 1)
++	if (! bigtime_test (j))
++	  return 1;
++	else if (INT_MAX / 2 < j)
++	  break;
++      if (! bigtime_test (INT_MAX))
++	return 1;
+     }
+-  irix_6_4_bug ();
+-  spring_forward_gap ();
+-  exit (0);
++  return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
+ }
+ _ACEOF
+ rm -f conftest$ac_exeext