From 3399020b04cac8adee10274856839f22a092d9e3 Mon Sep 17 00:00:00 2001
From: christos
Date: Wed, 26 Jul 2006 14:16:55 +0000
Subject: [PATCH] Apply the sanctioned fix for the cvs password problem from Mark D. Baushke.
---
 gnu/dist/xcvs/src/client.c | 5 ++---
 gnu/dist/xcvs/src/cvs.h | 1 +
 gnu/dist/xcvs/src/login.c | 28 +++++++++++++++++++++++-----
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/gnu/dist/xcvs/src/client.c b/gnu/dist/xcvs/src/client.c
index 7f0168b84335..aeb8fa1b5182 100644
--- a/gnu/dist/xcvs/src/client.c
+++ b/gnu/dist/xcvs/src/client.c
@@ -3935,9 +3935,8 @@ auth_server (root, lto_server, lfrom_server, verify_only, do_gssapi)
 send_to_server(end, 0);
 send_to_server("\012", 1);
- /* Paranoia. */
- memset (password, 0, strlen (password));
- free (password);
+ free_cvs_password (password);
+ password = NULL;
 # else /* ! AUTH_CLIENT_SUPPORT */
 error (1, 0, "INTERNAL ERROR: This client does not support pserver authentication");
 # endif /* AUTH_CLIENT_SUPPORT */
diff --git a/gnu/dist/xcvs/src/cvs.h b/gnu/dist/xcvs/src/cvs.h
index 27006b46659f..9f885849b583 100644
--- a/gnu/dist/xcvs/src/cvs.h
+++ b/gnu/dist/xcvs/src/cvs.h
@@ -927,6 +927,7 @@ char *descramble PROTO ((char *str));
 #ifdef AUTH_CLIENT_SUPPORT
 char *get_cvs_password PROTO((void));
+void free_cvs_password PROTO((char *str));
 int get_cvs_port_number PROTO((const cvsroot_t *root));
 char *normalize_cvsroot PROTO((const cvsroot_t *root));
 #endif /* AUTH_CLIENT_SUPPORT */
diff --git a/gnu/dist/xcvs/src/login.c b/gnu/dist/xcvs/src/login.c
index ac485c437ccf..8bf8c03cd784 100644
--- a/gnu/dist/xcvs/src/login.c
+++ b/gnu/dist/xcvs/src/login.c
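Review bot: The call `free_cvs_password (password);` in client.c's auth_server has a side effect that is invisible at the call site: per the definition added in login.c, it also scrubs, frees and NULLs the global `cvs_password`, even when `password` is a different pointer. The removed `/* Paranoia. */` comment was the only hint that secret material is being wiped here, so a replacement such as `/* Scrub and free this copy and the cached cvs_password. */` would keep that visible. auth_server's body starts and ends outside the hunk, so whether later code in it still relies on `cvs_password` cannot be confirmed from here.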
@@ -566,18 +566,36 @@ login (argc, argv)
 password_entry_operation (password_entry_add, current_parsed_root, typed_password);
- memset (typed_password, 0, strlen (typed_password));
- free (typed_password);
-
- free (cvs_password);
+ free_cvs_password (typed_password);
 free (cvsroot_canonical);
- cvs_password = NULL;
 return 0;
 }
+/* Free the password returned by get_cvs_password() and also free the
+ * saved cvs_password if they are different pointers. Be paranoid
+ * about the in-memory copy of the password and overwrite it with zero
+ * bytes before doing the free().
+ */
+void
+free_cvs_password (char *password)
+{
+ if (password && password != cvs_password)
+ {
+ memset (password, 0, strlen (password));
+ free (password);
+ }
+
+ if (cvs_password)
+ {
+ memset (cvs_password, 0, strlen (cvs_password));
+ free (cvs_password);
+ cvs_password = NULL;
+ }
+}
+
 /* Returns the _scrambled_ password. The server must descramble before hashing and comparing. If password file not found, or password not found in the file, just return NULL. */
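Review bot: Both `memset (..., 0, strlen (...))` calls in free_cvs_password are immediately followed by `free()` of the same buffer, so an optimizing compiler may treat them as dead stores and drop them, leaving the password bytes in freed heap memory. The wipe should go through something the compiler cannot elide, for example a volatile pointer, `volatile char *p = password; while (*p) *p++ = 0;`, or a platform primitive such as `explicit_bzero` or `memset_s` where one is available. Separately, the header comment says the argument is the value returned by get_cvs_password(), but login() passes `typed_password`. The comment should instead state that any heap copy of the password is accepted and that the cached `cvs_password` is always scrubbed and released as well.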