authorTBK <tbk@jjtc.eu>2020-02-25 21:49:05 +0100
committerLeo <thinkabit.ukim@gmail.com>2020-02-25 20:16:04 -0300
commit8cdd93154aeb43702a196270e3818bf2466c3e0c (patch)
tree6ae5f29a342825d634afec4ecdb6d6de301e37a7 /main/cvs/cvs-1.12.12-openat.patch
parentbf0db593e8e6a00eadd5975a64209eb2e9ec5da6 (diff)
main/cvs: security upgrade to 1.12.12
Most distros use 1.12.13 (https://repology.org/project/cvs/versions), but according to Gentoo it is usable, so following Gentoo (https://bugs.gentoo.org/124733) 1.12.12 is the way forward. CVEs: * CVE-2010-3846 - https://bugzilla.redhat.com/show_bug.cgi?id=642146 * CVE-2012-0804 - https://security-tracker.debian.org/tracker/CVE-2012-0804 * CVE-2017-12836 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10
Diffstat (limited to 'main/cvs/cvs-1.12.12-openat.patch')
-rw-r--r--main/cvs/cvs-1.12.12-openat.patch21
1 files changed, 21 insertions, 0 deletions
diff --git a/main/cvs/cvs-1.12.12-openat.patch b/main/cvs/cvs-1.12.12-openat.patch
new file mode 100644
index 0000000000..fdb406a45e
--- /dev/null
+++ b/main/cvs/cvs-1.12.12-openat.patch
@@ -0,0 +1,21 @@
+Index: cvs-1.12.12/lib/openat.c
+===================================================================
+--- cvs-1.12.12.orig/lib/openat.c
++++ cvs-1.12.12/lib/openat.c
+@@ -55,9 +55,13 @@ rpl_openat (int fd, char const *filename
+ va_list arg;
+ va_start (arg, flags);
+
+- /* Assume that mode_t is passed compatibly with mode_t's type
+- after argument promotion. */
+- mode = va_arg (arg, mode_t);
++ /* If mode_t is narrower than int, use the promoted type (int),
++ not mode_t. Use sizeof to guess whether mode_t is nerrower;
++ we don't know of any practical counterexamples. */
++ if (sizeof (mode_t) < sizeof (int))
++ mode = va_arg (arg, int);
++ else
++ mode = va_arg (arg, mode_t);
+
+ va_end (arg);
+ }
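Review bot: The new patch file starts directly at `Index: cvs-1.12.12/lib/openat.c` with no header saying where it came from or why it is carried, which makes it hard to audit in a commit labelled a security upgrade. From the visible lines it looks like a correctness fix for reading the variadic `mode` argument of `rpl_openat` rather than a fix for any of the CVEs listed in the description, so a one-line header such as `Read the variadic mode as int when mode_t is narrower than int; va_arg with a non-promoted type is undefined behaviour.` plus an origin reference (`<upstream commit or URL>`) would record that. The added comment also misspells "narrower" as `nerrower`; if the patch is taken verbatim from upstream that can stay, but the header should then say so. The body of `rpl_openat` starts and ends outside the hunk, so whether `mode` is only read when a mode argument was actually passed cannot be checked from here.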