From 9c448da8bb5f592ddcd2d980d01d81305f920f78 Mon Sep 17 00:00:00 2001 |
|
|
From: Fabian Keil <fk@fabiankeil.de> |
Date: Mon, 21 Aug 2017 10:49:05 +0200 |
Subject: [PATCH] Add fix for CVE-2017-12836 |
|
Based on a patch by Thorsten Glaser: |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10 |
|
The patched file had to be changed and in the first |
chunk the size of rsh_argv has been extended to 16 |
to match Debian's upstream version. |
--- |
cvs/src/client.c | 12 +++++++++--- |
1 file changed, 9 insertions(+), 3 deletions(-) |
|
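--- a/src/client.c
+++ b/src/client.c
@@ -4736,9 +4736,10 @@ start_rsh_server (root, to_server, from_server)
 char *cvs_rsh;
 char *cvs_server = getenv ("CVS_SERVER");
 int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
+ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+ "--", "host", "cvs", "-R", "server", and NULL.
+ We leave some room to grow. */
+ char *rsh_argv[16];
 
 if (root->method == extssh_method)
 cvs_rsh = env_cvs_ssh ? env_cvs_ssh : SSH_DFLT;
@@ -4763,6 +4764,9 @@ start_rsh_server (root, to_server, from_server)
 rsh_argv[i++] = root->username;
 }
 
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 rsh_argv[i++] = "server";
@@ -4841,6 +4845,8 @@ start_rsh_server (root, to_server, from_server)
 *p++ = root->username;
 }
 
+ *p++ = "--";
+
 *p++ = root->hostname;
 *p++ = command;
 *p++ = NULL;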
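Review bot: The `"--"` pushed before `root->hostname` in the second and third hunks only protects the call when the program selected into `cvs_rsh` honours `--` as end-of-options, and that program is user-configurable, so a transport that ignores or rejects `--` would still see a hostname starting with `-` as an option. As defence in depth I would also reject such a hostname before the argument vector is built, for example `if (root->hostname[0] == '-') error (1, 0, "invalid hostname: %s", root->hostname);`. The third hunk stores one more element through `p`, but the array behind `p` is declared outside the hunk, so its capacity should be confirmed in the same way `rsh_argv` was enlarged in the first hunk. The rewritten comment in the first hunk lists `"-p", port` and `"-R"`, which none of the visible lines push; if this tree never adds them, the comment should name only the elements actually stored. Both variants of start_rsh_server continue outside the hunks shown.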
-- |
2.14.1 |
|