Bug 226088

Summary: devel/cvs: Import inofficial patch to fix CVE-2017-12836
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Fabian Keil <fk>
Assignee: Thomas Zander <riggs>
Status: Closed FIXED
Severity: Affects Some People
CC: riggs
Priority: ---
Keywords: patch, patch-ready
Version: Latest
Flags: riggs: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
  devel/cvs: Import inofficial patch to fix CVE-2017-12836 (flags: none)

Description Fabian Keil 2018-02-21 09:55:29 UTC
Created attachment 190853
devel/cvs: Import inofficial patch to fix CVE-2017-12836

The attached patch adds an inofficial patch to fix CVE-2017-12836
based on a patch by Thorsten Glaser:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

The patched file had to be changed and in the first
chunk the size of rsh_argv has been extended to 16
to match Debian's upstream version.

Comment 1 commit-hook freebsd_committer 2018-02-24 08:55:57 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 24 08:54:57 UTC 2018
New revision: 462776
URL: https://svnweb.freebsd.org/changeset/ports/462776

Log:
  Fix ssh injection vulnerability from CVE-2017-12836

  Details:
  - Adopt patch from debian, documented in
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

  PR:		226088
  Submitted by:	fk@fabiankeil.de
  MFH:		2018Q1
  Security:	CVE-2017-12836

Changes:
  head/devel/cvs/Makefile
  head/devel/cvs/files/patch-src-client.c

Comment 2 commit-hook freebsd_committer 2018-02-24 08:58:01 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 24 08:57:21 UTC 2018
New revision: 462777
URL: https://svnweb.freebsd.org/changeset/ports/462777

Log:
  MFH: r462776

  Fix ssh injection vulnerability from CVE-2017-12836

  Details:
  - Adopt patch from debian, documented in
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

  PR:		226088
  Submitted by:	fk@fabiankeil.de
  Security:	CVE-2017-12836

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/devel/cvs/Makefile
  branches/2018Q1/devel/cvs/files/patch-src-client.c

Comment 3 commit-hook freebsd_committer 2018-02-24 09:15:20 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 24 09:14:44 UTC 2018
New revision: 462782
URL: https://svnweb.freebsd.org/changeset/ports/462782

Log:
  Document ssh injection vulnerability in devel/cvs

  PR:		226088
  Reported by:	fk@fabiankeil.de
  Security:	CVE-2017-12836

Changes:
  head/security/vuxml/vuln.xml