authornectar <nectar@FreeBSD.org>2004-04-14 16:40:50 +0000
committernectar <nectar@FreeBSD.org>2004-04-14 16:40:50 +0000
commit07ad9ba93d57f2e1035458e6703e5ece996446d1 (patch)
tree2fabcfffe572837a82e6cd463a893607f569570d /gnu/usr.bin/cvs
parent376040b33fa95dba4cc3088c6eae6ab5e2bd1694 (diff)
Patch vulnerabilities in the CVS client and server:
A malicious CVS server could cause your CVS client to overwrite arbitrary files (CAN-2004-0180). When a CVS client uses the `-p' checkout option, the server could be fooled into checking out files from outside the given $CVSROOT. (This patch is applied in an unorthodox manner so as not to complicate a later vendor import of CVS.)
Diffstat (limited to 'gnu/usr.bin/cvs')
-rw-r--r--gnu/usr.bin/cvs/cvs/Makefile12
-rw-r--r--gnu/usr.bin/cvs/cvs/client.patch30
-rw-r--r--gnu/usr.bin/cvs/cvs/modules.patch25
3 files changed, 65 insertions, 2 deletions
diff --git a/gnu/usr.bin/cvs/cvs/Makefile b/gnu/usr.bin/cvs/cvs/Makefile
index 7010f69..2e79c22 100644
--- a/gnu/usr.bin/cvs/cvs/Makefile
+++ b/gnu/usr.bin/cvs/cvs/Makefile
@@ -13,12 +13,12 @@ PROG= cvs
MAN= cvs.1 cvs.5
SRCS= add.c admin.c annotate.c buffer.c \
- checkin.c checkout.c classify.c client.c \
+ checkin.c checkout.c classify.c client_P.c \
commit.c create_adm.c cvsrc.c diff.c edit.c entries.c error.c \
expand_path.c fileattr.c filesubr.c find_names.c \
hardlink.c hash.c history.c \
ignore.c import.c lock.c log.c login.c logmsg.c main.c mkmodules.c \
- modules.c myndbm.c no_diff.c parseinfo.c patch.c prepend_args.c \
+ modules_P.c myndbm.c no_diff.c parseinfo.c patch.c prepend_args.c \
rcs.c rcscmds.c \
recurse.c release.c remove.c repos.c root.c run.c scramble.c \
server.c status.c subr.c tag.c update.c vers_ts.c version.c watch.c \
@@ -62,4 +62,12 @@ regress:
.endif
.endif
+# XXX Temporary until next CVS import: patch security issues
+.for f in client modules
+CLEANFILES+= ${f}_P.c
+
+${f}_P.c: ${f}.c ${f}.patch
+ patch -t -s -p3 -o ${.TARGET} ${.ALLSRC:M*.c} ${.ALLSRC:M*.patch}
+.endfor
+
.include <bsd.prog.mk>
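Review bot: The `patch -t -s` invocation in the new `${f}_P.c` rule runs silently, and per patch(1) `-t` assumes a patch is reversed when it looks already applied. If a later vendor import brings these fixes into `client.c` and `modules.c` while this rule is still present, the build could quietly back the checks out of `client_P.c` and `modules_P.c`. Using forward-only mode instead, `patch -N -s -p3 -o ${.TARGET} ${.ALLSRC:M*.c} ${.ALLSRC:M*.patch}`, should at least keep an already-applied patch from being reversed. The `XXX` comment could also state that the rule, the two `.patch` files and the `_P.c` names in `SRCS` have to be removed together at that import.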
diff --git a/gnu/usr.bin/cvs/cvs/client.patch b/gnu/usr.bin/cvs/cvs/client.patch
new file mode 100644
index 0000000..c5599c8
--- /dev/null
+++ b/gnu/usr.bin/cvs/cvs/client.patch
@@ -0,0 +1,30 @@
+$FreeBSD$
+Index: contrib/cvs/src/client.c
+===================================================================
+RCS file: /home/ncvs/src/contrib/cvs/src/client.c,v
+retrieving revision 1.10
+diff -c -r1.10 client.c
+*** contrib/cvs/src/client.c 21 Jan 2003 22:01:38 -0000 1.10
+--- contrib/cvs/src/client.c 14 Apr 2004 15:51:51 -0000
+***************
+*** 1054,1059 ****
+--- 1054,1072 ----
+ char *rdirp;
+ int reposdirname_absolute;
+
++ /* For security reasons, if PATHNAME is absolute or attemps to ascend
++ * outside of the current sanbbox, we abort. The server should not send us
++ * anything but relative paths which remain inside the sandbox here.
++ * Anything less means a trojan CVS server could create and edit arbitrary
++ * files on the client.
++ */
++ if (isabsolute (pathname) || pathname_levels (pathname) > 0)
++ {
++ error (0, 0,
++ "Server attempted to update a file via an invalid pathname:");
++ error (1, 0, "`%s'.", pathname);
++ }
++
+ reposname = NULL;
+ read_line (&reposname);
+ assert (reposname != NULL);
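Review bot: The comment above the new `isabsolute (pathname) || pathname_levels (pathname) > 0` guard has two typos (`attemps`, `sanbbox`) and does not say that the test is purely lexical: it inspects the string the server sent and, as far as this hunk shows, nothing resolves the path on disk. I would fix the spelling and add a line such as `This checks the path string only; it does not account for symlinks already present in the working directory.` so that later readers do not take it for a full containment check. The rejected `pathname` is also printed verbatim by the second `error` call; since the value is server-controlled, consider whether control characters should be filtered before it reaches the terminal. The enclosing function starts and ends outside the hunk.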
diff --git a/gnu/usr.bin/cvs/cvs/modules.patch b/gnu/usr.bin/cvs/cvs/modules.patch
new file mode 100644
index 0000000..99a34fd
--- /dev/null
+++ b/gnu/usr.bin/cvs/cvs/modules.patch
@@ -0,0 +1,25 @@
+$FreeBSD$
+Index: contrib/cvs/src/modules.c
+===================================================================
+RCS file: /home/ncvs/src/contrib/cvs/src/modules.c,v
+retrieving revision 1.1.1.9
+diff -c -r1.1.1.9 modules.c
+*** contrib/cvs/src/modules.c 21 Jan 2004 16:27:56 -0000 1.1.1.9
+--- contrib/cvs/src/modules.c 14 Apr 2004 15:54:51 -0000
+***************
+*** 170,175 ****
+--- 170,183 ----
+ if (isabsolute (mname))
+ error (1, 0, "Absolute module reference invalid: `%s'", mname);
+
++ /* Similarly for directories that attempt to step above the root of the
++ * repository.
++ */
++ if (pathname_levels (mname) > 0)
++ error (1, 0, "up-level in module reference (`..') invalid: `%s'.",
++ mname);
++
++
+ /* if this is a directory to ignore, add it to that list */
+ if (mname[0] == '!' && mname[1] != '\0')
+ {
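Review bot: The new `pathname_levels (mname) > 0` test, like the `isabsolute (mname)` test before it, runs on `mname` before the `!` ignore prefix is handled a few lines further down. Whether `!`-prefixed entries are covered therefore depends on how `pathname_levels` treats the leading character, which is not visible here and is worth confirming or stating in the comment. The two messages are also formatted differently (the new one puts a `.` after the quoted name, the existing one does not), and the hunk leaves two consecutive blank lines after the check. The surrounding function and the block opened by the final `{` continue outside the hunk.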