Created attachment 190853
devel/cvs: Import unofficial patch to fix CVE-2017-12836
The attached patch adds an unofficial patch to fix CVE-2017-12836 based on a patch by Thorsten Glaser:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10
The patched file had to be changed, and in the first chunk the size of rsh_argv has been extended to 16 to match Debian's upstream version.
A commit references this bug:
Author: riggs
Date: Sat Feb 24 08:54:57 UTC 2018
New revision: 462776
URL: https://svnweb.freebsd.org/changeset/ports/462776
Log:
  Fix ssh injection vulnerability from CVE-2017-12836
  Details:
  - Adopt patch from debian, documented in
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10
  PR: 226088
  Submitted by: fk@fabiankeil.de
  MFH: 2018Q1
  Security: CVE-2017-12836
Changes:
  head/devel/cvs/Makefile
  head/devel/cvs/files/patch-src-client.c
A commit references this bug:
Author: riggs
Date: Sat Feb 24 08:57:21 UTC 2018
New revision: 462777
URL: https://svnweb.freebsd.org/changeset/ports/462777
Log:
  MFH: r462776
  Fix ssh injection vulnerability from CVE-2017-12836
  Details:
  - Adopt patch from debian, documented in
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10
  PR: 226088
  Submitted by: fk@fabiankeil.de
  Security: CVE-2017-12836
  Approved by: ports-secteam (riggs)
Changes:
  _U branches/2018Q1/
  branches/2018Q1/devel/cvs/Makefile
  branches/2018Q1/devel/cvs/files/patch-src-client.c
A commit references this bug:
Author: riggs
Date: Sat Feb 24 09:14:44 UTC 2018
New revision: 462782
URL: https://svnweb.freebsd.org/changeset/ports/462782
Log:
  Document ssh injection vulnerability in devel/cvs
  PR: 226088
  Reported by: fk@fabiankeil.de
  Security: CVE-2017-12836
Changes:
  head/security/vuxml/vuln.xml