Bug#859014: unblock: cvs/2:1.12.13+real-22
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package cvs
This package addresses the bug #858769 which was reported
as potentially security-relevant. Debdiff:
diff -u cvs-1.12.13+real/configure.in cvs-1.12.13+real/configure.in
--- cvs-1.12.13+real/configure.in
+++ cvs-1.12.13+real/configure.in
@@ -17,7 +17,7 @@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.])
-AC_INIT([Concurrent Versions System (CVS)],[1.12.13-MirDebian-21],
+AC_INIT([Concurrent Versions System (CVS)],[1.12.13-MirDebian-22],
[bug-cvs@nongnu.org],[cvs])
AC_CONFIG_SRCDIR(src/cvs.h)
AC_CONFIG_AUX_DIR(build-aux)
diff -u cvs-1.12.13+real/debian/NEWS cvs-1.12.13+real/debian/NEWS
--- cvs-1.12.13+real/debian/NEWS
+++ cvs-1.12.13+real/debian/NEWS
@@ -1,3 +1,34 @@
+cvs (2:1.12.13+real-22) unstable; urgency=low
+
+ Newly created repositories (from “cvs init”) now rely on
+ CVSUMASK for the permissions of the “history” and “val-tags”
+ files instead of creating them as world-writable.
+
+ Newly created repositories contain a LogHistory configuration
+ setting to only record write operations in the “history” file.
+
+ If you are used to the previous behaviour, you can restore it
+ by altering (or removing, in which case the (commented-out)
+ default of logging everything will be used) the LogHistory
+ configuration setting and changing the permissions on the
+ “history” and “val-tags” files so that every user can write
+ into them.
+
+ If you did not deliberately open your repository to all users
+ on your system, you might wish to change all existing repos
+ to this behaviour. To do this, check out the CVSROOT module,
+ edit the “config” file adding “LogHistory=TMAR”, check that
+ change in, release the CVSROOT module, and chmod the “history”
+ and “val-tags” files to either 0664 (if all users in the same
+ group should be able to commit) or 0644 (if only you wish to
+ commit), possibly 0660 or 0600 is non-committers should also
+ be denied reading.
+
+ Contact me (mirabilos) in #cvs on irc.freenode.net if you have
+ any questions about this change or require further support.
+
+ -- Thorsten Glaser <tg@mirbsd.de> Tue, 28 Mar 2017 19:54:01 +0200
+
cvs (2:1.12.13+real-7) unstable; urgency=high
rcs2log no longer lives in the PATH, the contributed script
diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,14 @@
+cvs (2:1.12.13+real-22) unstable; urgency=low
+
+ * cvs init: Change default history logging configuration
+ to only log write operations by adding “LogHistory=TMAR”
+ * Testsuite: Alter to cope with this explicit option
+ * cvs init: Rely on CVSUMASK for history and val-tags files
+ in newly created repositories (Closes: #858769)
+ * Add a NEWS.Debian entry verbosely documenting this change
+
+ -- Thorsten Glaser <tg@mirbsd.de> Tue, 28 Mar 2017 20:01:39 +0200
+
cvs (2:1.12.13+real-21) unstable; urgency=medium
[ Sylvain Beucler ]
diff -u cvs-1.12.13+real/debian/copyright cvs-1.12.13+real/debian/copyright
--- cvs-1.12.13+real/debian/copyright
+++ cvs-1.12.13+real/debian/copyright
@@ -61,7 +61,7 @@
Parts and the packaging are covered by the following GPL-compatible licence:
-# Copyright © 2005, 2008, 2011
+# Copyright © 2005, 2008, 2011, 2017
# mirabilos <m@mirbsd.org>
#
# Provided that these terms and disclaimer and all copyright notices
diff -u cvs-1.12.13+real/doc/cvs.texinfo cvs-1.12.13+real/doc/cvs.texinfo
--- cvs-1.12.13+real/doc/cvs.texinfo
+++ cvs-1.12.13+real/doc/cvs.texinfo
@@ -1989,6 +1989,18 @@
@code{cvs init} will enable history logging; if you
don't want that, remove the history file after running
@code{cvs init}. @xref{history file}.
+Since MirBSD CVS 1.12.13-MirOS-0AB7.8, MirPorts-19 or
+Debian cvs 2:1.12.13+real-22, only write operations
+will be logged by default; to change this, make the
+history file world-writable (but beware of the associated
+security risk) and remove the stock @samp{LogHistory}
+line in the @file{CVSROOT/config} file (@pxref{config})
+to use the (commented-out) default or put your own there.
+Note that these versions also create the @file{val-tags}
+file writable (@pxref{CVSUMASK}), not world-writable like
+prior versions, so users who wish to commit must, with a
+default @code{CVSUMASK} of 002, be in the same group as
+the repository.
@node Backing up
@section Backing up a repository
@@ -14901,7 +14913,9 @@
Default of @samp{TOEFWUPCGMAR} (or simply @samp{all}) will log
all transactions. Any subset of the default is
legal. (For example, to only log transactions that modify the
-@file{*,v} files, use @samp{LogHistory=TMAR}.) To disable history logging
+@file{*,v} files, use @samp{LogHistory=TMAR} which is nowadays
+set by @code{cvs init} by default.)
+To disable history logging
completely, use @samp{LogHistory=}.
@cindex MaxCommentLeaderLength, in CVSROOT/config
@@ -15128,6 +15142,7 @@
read-only NFS repositories.
@item $CVSUMASK
+@anchor{CVSUMASK}
Controls permissions of files in the repository. See
@ref{File permissions}.
diff -u cvs-1.12.13+real/src/mkmodules.c cvs-1.12.13+real/src/mkmodules.c
--- cvs-1.12.13+real/src/mkmodules.c
+++ cvs-1.12.13+real/src/mkmodules.c
@@ -526,6 +526,7 @@
"# Set 'LogHistory' to 'all' or '" ALL_HISTORY_REC_TYPES "' to log all transactions to the\n",
"# history file, or a subset as needed (ie 'TMAR' logs all write operations)\n",
"#LogHistory=" ALL_HISTORY_REC_TYPES "\n",
+ "LogHistory=TMAR\n",
"\n",
"# Set 'RereadLogAfterVerify' to 'always' (the default) to allow the verifymsg\n",
"# script to change the log message. Set it to 'stat' to force CVS to verify\n",
@@ -1263,11 +1264,6 @@
fp = xfopen (info, "w");
if (fclose (fp) < 0)
error (1, errno, "cannot close %s", info);
-
- /* Make the new history file world-writeable, since every CVS
- user will need to be able to write to it. We use chmod()
- because xchmod() is too shy. */
- chmod (info, 0666);
}
/* Make an empty val-tags file to prevent problems creating it later. */
@@ -1281,11 +1277,6 @@
fp = xfopen (info, "w");
if (fclose (fp) < 0)
error (1, errno, "cannot close %s", info);
-
- /* Make the new val-tags file world-writeable, since every CVS
- user will need to be able to write to it. We use chmod()
- because xchmod() is too shy. */
- chmod (info, 0666);
}
free (info);
diff -u cvs-1.12.13+real/src/sanity.sh cvs-1.12.13+real/src/sanity.sh
--- cvs-1.12.13+real/src/sanity.sh
+++ cvs-1.12.13+real/src/sanity.sh
@@ -2647,7 +2647,9 @@
cd wnt
dotest init-1a "$testcvs -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
cd CVSROOT
-sed -e's/^#UserAdminOptions=/UserAdminOptions=/' <config >tmpconfig
+sed -e 's/^#UserAdminOptions=/UserAdminOptions=/' \
+ -e '/^LogHistory/d' \
+ <config >tmpconfig
mv tmpconfig config
dotest init-1b "$testcvs -q ci -m allow-cvs-admin" "" \
".*/CVSROOT/config,v <-- config
@@ -2842,7 +2844,9 @@
cd wnt
dotest init-2a "$testcvs -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
cd CVSROOT
-sed -e's/^#UserAdminOptions=/UserAdminOptions=/' <config >tmpconfig
+sed -e 's/^#UserAdminOptions=/UserAdminOptions=/' \
+ -e '/^LogHistory/d' \
+ <config >tmpconfig
mv tmpconfig config
dotest init-2b "$testcvs -q ci -m allow-cvs-admin" "" \
".*/CVSROOT/config,v <-- config
@@ -28890,8 +28894,33 @@
testcvs2="$testcvs -d '$CVSROOT2'"
dotest multiroot-setup-1 "mkdir $CVSROOT1_DIRNAME $CVSROOT2_DIRNAME"
+
dotest multiroot-setup-2 "$testcvs1 init"
+ # remove automatically-created LogHistory to work around the fact
+ # that CVS does not track those per root (and thus warns about
+ # encountering multiple of these entries)
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot-setup-2a "$testcvs1 -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot-setup-2b "$testcvs1 -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
+
dotest multiroot-setup-3 "$testcvs2 init"
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot-setup-3a "$testcvs2 -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot-setup-3b "$testcvs2 -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
#
# create some directories in ${CVSROOT1_DIRNAME}
@@ -29995,7 +30024,27 @@
CVSROOT2=`newroot $CVSROOT2_DIRNAME`
dotest multiroot2-1 "${testcvs} -d ${CVSROOT1} init" ""
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot2-1a "$testcvs -d ${CVSROOT1} -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot2-1b "$testcvs -d ${CVSROOT1} -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
dotest multiroot2-2 "${testcvs} -d ${CVSROOT2} init" ""
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot2-2a "$testcvs -d ${CVSROOT2} -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot2-2b "$testcvs -d ${CVSROOT2} -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
mkdir imp-dir; cd imp-dir
echo file1 >file1
@@ -30151,12 +30200,32 @@
mkdir 1; cd 1
dotest multiroot3-1 "${testcvs} -d ${CVSROOT1} init" ""
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot3-1a "$testcvs -d ${CVSROOT1} -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot3-1b "$testcvs -d ${CVSROOT1} -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
dotest multiroot3-2 "${testcvs} -d ${CVSROOT1} -q co -l ." ""
mkdir dir1
dotest multiroot3-3 "${testcvs} add dir1" \
"Directory ${TESTDIR}/root1/dir1 put under version control"
dotest multiroot3-4 "${testcvs} -d ${CVSROOT2} init" ""
rm -r CVS
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot3-4a "$testcvs -d ${CVSROOT2} -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot3-4b "$testcvs -d ${CVSROOT2} -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
dotest multiroot3-5 "${testcvs} -d ${CVSROOT2} -q co -l ." ""
mkdir dir2
@@ -30277,6 +30346,16 @@
mkdir 1; cd 1
dotest multiroot4-1 "${testcvs} -d ${CVSROOT1} init" ""
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot4-1a "$testcvs -d ${CVSROOT1} -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot4-1b "$testcvs -d ${CVSROOT1} -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
dotest multiroot4-2 "${testcvs} -d ${CVSROOT1} -q co -l ." ""
mkdir dircom
dotest multiroot4-3 "${testcvs} add dircom" \
@@ -30292,6 +30371,16 @@
cd ../..
mkdir 2; cd 2
dotest multiroot4-6 "${testcvs} -d ${CVSROOT2} init" ""
+ mkdir wrkarnd; cd wrkarnd
+ dotest multiroot4-6a "$testcvs -d ${CVSROOT2} -q co CVSROOT" "[UP] CVSROOT${DOTSTAR}"
+ cd CVSROOT
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
+ dotest multiroot4-6b "$testcvs -d ${CVSROOT2} -q ci -m workaround-LogHistory" "" \
+".*/CVSROOT/config,v <-- config
+new revision: 1\.[0-9]*; previous revision: 1\.[0-9]*
+$SPROG commit: Rebuilding administrative file database"
+ cd ../..; rm -r wrkarnd
dotest multiroot4-7 "${testcvs} -d ${CVSROOT2} -q co -l ." ""
mkdir dircom
dotest multiroot4-8 "${testcvs} add dircom" \
@@ -32014,6 +32103,10 @@
ALL (cat >/dev/null; echo %R) >$TESTDIR/referrer
ALL $RSYNC -gopr --delete $PRIMARY_CVSROOT_DIRNAME/ $SECONDARY_CVSROOT_DIRNAME
EOF
+ # remove automatically-created LogHistory to work around the fact
+ # that we see both writeproxy and primary config here
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
cat >>config <<EOF
PrimaryServer=$PRIMARY_CVSROOT
EOF
@@ -32224,6 +32317,10 @@
cat >>loginfo <<EOF
ALL $RSYNC -gopr --delete $PRIMARY_CVSROOT_DIRNAME/ $SECONDARY_CVSROOT_DIRNAME
EOF
+ # remove automatically-created LogHistory to work around the fact
+ # that we see both writeproxy and primary config here
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
cat >>config <<EOF
PrimaryServer=$PRIMARY_CVSROOT
EOF
@@ -32501,6 +32598,10 @@
cat >>loginfo <<EOF
ALL echo Referrer=%R; cat >/dev/null
EOF
+ # remove automatically-created LogHistory to work around the fact
+ # that we see both writeproxy and primary config here
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
cat >>config <<EOF
PrimaryServer=$PRIMARY_CVSROOT
EOF
@@ -32602,6 +32703,10 @@
cat >>loginfo <<EOF
ALL echo Referrer=%R; cat >/dev/null
EOF
+ # remove automatically-created LogHistory to work around the fact
+ # that we see both writeproxy and primary config here
+ sed -e '/^LogHistory/d' <config >tmpconfig
+ mv tmpconfig config
cat >>config <<EOF
PrimaryServer=$PRIMARY_CVSROOT
EOF
unblock cvs/2:1.12.13+real-22
-- System Information:
Debian Release: 9.0
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Reply to: