main/cvs: security upgrade to 1.12.12

Most distros uses 1.12.13 (https://repology.org/project/cvs/versions) but according to Gentoo it is usable, so following Gentoo (https://bugs.gentoo.org/124733) 1.12.12 is the way forward.

CVEs:
* CVE-2010-3846 - https://bugzilla.redhat.com/show_bug.cgi?id=642146
* CVE-2012-0804 - https://security-tracker.debian.org/tracker/CVE-2012-0804
* CVE-2017-12836 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

1 files changed, 38 insertions, 0 deletions

diff --git a/main/cvs/CVE-2017-12836.patch b/main/cvs/CVE-2017-12836.patch
new file mode 100644
index 0000000000..b20a88b667
--- /dev/null
+++ b/main/cvs/CVE-2017-12836.patch
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix CVE-2017-12836
+From: Thorsten Glaser <tg@mirbsd.de>
+
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -53,9 +53,10 @@
+     char *cvs_server = (root->cvs_server != NULL
+ 			? root->cvs_server : getenv ("CVS_SERVER"));
+     int i = 0;
+-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+-    char *rsh_argv[10];
++    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++       "--", "host", "cvs", "-R", "server", and NULL.
++       We leave some room to grow. */
++    char *rsh_argv[16];
+ 
+     if (!cvs_rsh)
+ 	/* People sometimes suggest or assume that this should default
+@@ -97,6 +98,9 @@
+ 	rsh_argv[i++] = root->username;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     rsh_argv[i++] = "server";
+@@ -171,6 +175,8 @@
+ 	    *p++ = root->username;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;