diff options
| author | A. Wilcox <awilcox@wilcox-tech.com> | 2019-06-21 23:38:53 +0000 |
|---|---|---|
| committer | A. Wilcox <awilcox@wilcox-tech.com> | 2019-06-21 23:38:53 +0000 |
| commit | fd45ed897742614bd2867cb46578557beb820026 (patch) | |
| tree | 8eaa82bc50ad1a89272b146743ec1544163d48f3 /system/cvs/CVE-2017-12836.patch | |
| parent | 86d0de126ffdebdb8cee9581ce51c16a6f20b58b (diff) | |
| parent | 332e0a40fabc1c4047a631273e5d5df46cbf4bb2 (diff) | |
| download | packages-fd45ed897742614bd2867cb46578557beb820026.tar.gz packages-fd45ed897742614bd2867cb46578557beb820026.tar.bz2 packages-fd45ed897742614bd2867cb46578557beb820026.tar.xz packages-fd45ed897742614bd2867cb46578557beb820026.zip | |
Merge branch 'cve' into 'master'
CVE bumps: part one
See merge request !249
Diffstat (limited to 'system/cvs/CVE-2017-12836.patch')
| -rw-r--r-- | system/cvs/CVE-2017-12836.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch new file mode 100644 index 000000000..770115a5e --- /dev/null +++ b/system/cvs/CVE-2017-12836.patch @@ -0,0 +1,58 @@ +From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Mon, 14 Aug 2017 10:32:25 +0200 +Subject: [PATCH] Fix CVE-2017-12836 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The hostname passed to RSH (ssh) client could be interpreted by +OpenSSH client as an option and lead to local command execution. + +This fix adds no-more-options "--" separator before the hostname +argument to the RSH client command. + +Original patch by Thorsten Glaser <tg@mirbsd.de> from +<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to +1.11.23. + +Signed-off-by: Petr Písař <ppisar@redhat.com> +--- + src/client.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/client.c b/src/client.c +index 2bef1a0..e87cda9 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server) + char *cvs_rsh; + char *cvs_server = getenv ("CVS_SERVER"); + int i = 0; +- /* This needs to fit "rsh", "-b", "-l", "USER", "host", ++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", + "cmd (w/ args)", and NULL. We leave some room to grow. */ + char *rsh_argv[10]; + +@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server) + rsh_argv[i++] = root->username; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + rsh_argv[i++] = "server"; +@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server) + *p++ = root->username; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +2.9.5 + |