summaryrefslogblamecommitdiff
path: root/system/cvs/CVE-2017-12836.patch
blob: d6fc3b035a5b1abae24bda9e98242e978be95ffc (plain) (tree) 
1320a328e ^

ca8a163a1 ^

1320a328e ^

ca8a163a1 ^





1320a328e ^


ca8a163a1 ^









1320a328e ^

ca8a163a1 ^

1320a328e ^





ca8a163a1 ^



1320a328e ^

ca8a163a1 ^

1320a328e ^





1320a328e ^

1

2

3

4
5
6
7
8

9
10

11
12
13
14
15
16
17
18
19

20

21

22
23
24
25
26

27
28
29

30

31

32
33
34
35
36

37

                                   
                                    
 




                                                                    

                                                            








                                                                  
      
 




                                                                


                                
         
 




                              
 
Subject: [PATCH] Fix CVE-2017-12836
From: Thorsten Glaser <tg@mirbsd.de>

--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,7 +53,8 @@
     char *cvs_server = (root->cvs_server != NULL
 			? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
-    char *rsh_argv[10];
+    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+       "--", "host", "cvs", "-R", "server", and NULL.
+       We leave some room to grow. */
+    char *rsh_argv[16];

@@ -105,6 +106,9 @@
 	rsh_argv[i++] = argvport;
     }

+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
@@ -189,6 +193,8 @@
 		*p++ = argvport;
 	}

+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
generated by cgit v1.2.3-60-g2f50 (git 2.42.0) at 2024-06-29 14:10:42 +0000