summaryrefslogtreecommitdiff
path: root/system/cvs/CVE-2017-12836.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/cvs/CVE-2017-12836.patch')
-rw-r--r--system/cvs/CVE-2017-12836.patch61
1 files changed, 20 insertions, 41 deletions
diff --git a/system/cvs/CVE-2017-12836.patch b/system/cvs/CVE-2017-12836.patch
index 770115a5e..d6fc3b035 100644
--- a/system/cvs/CVE-2017-12836.patch
+++ b/system/cvs/CVE-2017-12836.patch
@@ -1,58 +1,37 @@
-From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Mon, 14 Aug 2017 10:32:25 +0200
Subject: [PATCH] Fix CVE-2017-12836
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
+From: Thorsten Glaser <tg@mirbsd.de>
-The hostname passed to RSH (ssh) client could be interpreted by
-OpenSSH client as an option and lead to local command execution.
-
-This fix adds no-more-options "--" separator before the hostname
-argument to the RSH client command.
-
-Original patch by Thorsten Glaser <tg@mirbsd.de> from
-<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
-1.11.23.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- src/client.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/client.c b/src/client.c
-index 2bef1a0..e87cda9 100644
---- a/src/client.c
-+++ b/src/client.c
-@@ -4839,7 +4839,7 @@ start_rsh_server (root, to_server, from_server)
- char *cvs_rsh;
- char *cvs_server = getenv ("CVS_SERVER");
+--- cvs-1.12.13+real/src/rsh-client.c
++++ cvs-1.12.13+real/src/rsh-client.c
+@@ -53,7 +53,8 @@
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
-+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
-
-@@ -4866,6 +4866,9 @@ start_rsh_server (root, to_server, from_server)
- rsh_argv[i++] = root->username;
+- "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++ "--", "host", "cvs", "-R", "server", and NULL.
++ We leave some room to grow. */
++ char *rsh_argv[16];
+
+@@ -105,6 +106,9 @@
+ rsh_argv[i++] = argvport;
}
-
+
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
- rsh_argv[i++] = "server";
-@@ -4944,6 +4947,8 @@ start_rsh_server (root, to_server, from_server)
- *p++ = root->username;
+ if (readonlyfs)
+@@ -189,6 +193,8 @@
+ *p++ = argvport;
}
-
+
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
---
-2.9.5