void-packages/srcpkgs/cvs/patches/CVE-2012-0804.patch

[CVE-2012-0804] Fix proxy response parser

If proxy sends overlong HTTP vesion string, the string will be copied
to unallocatd space (write_buf) causing heap overflow.

This patch fixes it by ignoring the HTTP version string and checking
the response line has been parsed correctly.

See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more
details.

--- a/src/client.c
+++ b/src/client.c
@@ -3558,9 +3558,9 @@ connect_to_pserver (cvsroot_t *root, str
          * code.
          */
 	read_line_via (from_server, to_server, &read_buf);
-	sscanf (read_buf, "%s %d", write_buf, &codenum);
+	count = sscanf (read_buf, "%*s %d", &codenum);
 
-	if ((codenum / 100) != 2)
+	if (count != 1 || (codenum / 100) != 2)
 	    error (1, 0, "proxy server %s:%d does not support http tunnelling",
 		   root->proxy_hostname, proxy_port_number);
 	free (read_buf);
cvs: import patches from Gentoo While we are at it, fix build with newer gcc 2024-05-05 12:52:35 +02:00			`[CVE-2012-0804] Fix proxy response parser`

			`If proxy sends overlong HTTP vesion string, the string will be copied`
			`to unallocatd space (write_buf) causing heap overflow.`

			`This patch fixes it by ignoring the HTTP version string and checking`
			`the response line has been parsed correctly.`

			`See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more`
			`details.`

			`--- a/src/client.c`
			`+++ b/src/client.c`
			`@@ -3558,9 +3558,9 @@ connect_to_pserver (cvsroot_t *root, str`
			`* code.`
			`*/`
			`read_line_via (from_server, to_server, &read_buf);`
			`- sscanf (read_buf, "%s %d", write_buf, &codenum);`
			`+ count = sscanf (read_buf, "%*s %d", &codenum);`

			`- if ((codenum / 100) != 2)`
			`+ if (count != 1 \|\| (codenum / 100) != 2)`
			`error (1, 0, "proxy server %s:%d does not support http tunnelling",`
			`root->proxy_hostname, proxy_port_number);`
			`free (read_buf);`