PR/34030: Takehiko NOZAKI: Allways allocate the cvs password returned

in the get_cvs_password() function to simplify the code and avoid leaks.

gnu/dist/xcvs/src/client.c

@@ -3936,11 +3936,8 @@ auth_server (root, lto_server, lfrom_server, verify_only, do_gssapi)
 	send_to_server("\012", 1);
 
         /* Paranoia. */
-	if (no_passwd)
-	{
-	    memset (password, 0, strlen (password));
-	    free (password);
-	}
+	memset (password, 0, strlen (password));
+	free (password);
 # else /* ! AUTH_CLIENT_SUPPORT */
 	error (1, 0, "INTERNAL ERROR: This client does not support pserver authentication");
 # endif /* AUTH_CLIENT_SUPPORT */

gnu/dist/xcvs/src/login.c

@@ -569,7 +569,6 @@ login (argc, argv)
     memset (typed_password, 0, strlen (typed_password));
     free (typed_password);
 
-    memset (cvs_password, 0, strlen (cvs_password));
     free (cvs_password);
     free (cvsroot_canonical);
     cvs_password = NULL;
@@ -592,7 +591,7 @@ get_cvs_password ()
        context, then assume they have supplied the correct, scrambled
        password. */
     if (cvs_password)
-	return cvs_password;
+	return xstrdup (cvs_password);
 
     if (getenv ("CVS_PASSWORD") != NULL)
     {