summaryrefslogtreecommitdiff
path: root/system/cvs/CVE-2017-12836.patch
diff options
context:
space:
mode:
authorA. Wilcox <awilcox@wilcox-tech.com>2019-06-21 23:38:53 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2019-06-21 23:38:53 +0000
commitfd45ed897742614bd2867cb46578557beb820026 (patch)
tree8eaa82bc50ad1a89272b146743ec1544163d48f3 /system/cvs/CVE-2017-12836.patch
parent86d0de126ffdebdb8cee9581ce51c16a6f20b58b (diff)
parent332e0a40fabc1c4047a631273e5d5df46cbf4bb2 (diff)
downloadpackages-fd45ed897742614bd2867cb46578557beb820026.tar.gz
packages-fd45ed897742614bd2867cb46578557beb820026.tar.bz2
packages-fd45ed897742614bd2867cb46578557beb820026.tar.xz
packages-fd45ed897742614bd2867cb46578557beb820026.zip
Merge branch 'cve' into 'master'
CVE bumps: part one See merge request !249
Diffstat (limited to 'system/cvs/CVE-2017-12836.patch')
-rw-r--r--system/cvs/CVE-2017-12836.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch
new file mode 100644
index 000000000..770115a5e
--- /dev/null
+++ b/system/cvs/CVE-2017-12836.patch
@@ -0,0 +1,58 @@
+From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 14 Aug 2017 10:32:25 +0200
+Subject: [PATCH] Fix CVE-2017-12836
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The hostname passed to RSH (ssh) client could be interpreted by
+OpenSSH client as an option and lead to local command execution.
+
+This fix adds no-more-options "--" separator before the hostname
+argument to the RSH client command.
+
+Original patch by Thorsten Glaser <tg@mirbsd.de> from
+<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
+1.11.23.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/client.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/client.c b/src/client.c
+index 2bef1a0..e87cda9 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
+ char *cvs_rsh;
+ char *cvs_server = getenv ("CVS_SERVER");
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+ "cmd (w/ args)", and NULL. We leave some room to grow. */
+ char *rsh_argv[10];
+
+@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
+ rsh_argv[i++] = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ rsh_argv[i++] = "server";
+@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
+ *p++ = root->username;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
+--
+2.9.5
+