summaryrefslogblamecommitdiff
path: root/system/cvs/CVE-2017-12836.patch
blob: 770115a5e1139c91a9fd25aca8eb5d36fe25422c (plain) (tree)

























































                                                                      
From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 14 Aug 2017 10:32:25 +0200
Subject: [PATCH] Fix CVE-2017-12836
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The hostname passed to RSH (ssh) client could be interpreted by
OpenSSH client as an option and lead to local command execution.

This fix adds no-more-options "--" separator before the hostname
argument to the RSH client command.

Original patch by Thorsten Glaser <tg@mirbsd.de> from
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
1.11.23.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 src/client.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/client.c b/src/client.c
index 2bef1a0..e87cda9 100644
--- a/src/client.c
+++ b/src/client.c
@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
     char *cvs_rsh;
     char *cvs_server = getenv ("CVS_SERVER");
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+    /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
        "cmd (w/ args)", and NULL.  We leave some room to grow. */
     char *rsh_argv[10];
 
@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
 	rsh_argv[i++] = root->username;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     rsh_argv[i++] = "server";
@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
 	    *p++ = root->username;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
-- 
2.9.5