Bug 226088 - devel/cvs: Import inofficial patch to fix CVE-2017-12836
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Thomas Zander
Keywords: patch, patch-ready
Reported: 2018-02-21 09:55 UTC by Fabian Keil
Modified: 2018-02-24 09:19 UTC
riggs: merge-quarterly+


Attachments
devel/cvs: Import inofficial patch to fix CVE-2017-12836 (2.67 KB, patch)
2018-02-21 09:55 UTC, Fabian Keil

Description Fabian Keil 2018-02-21 09:55:29 UTC
Created attachment 190853
devel/cvs: Import inofficial patch to fix CVE-2017-12836

The attached patch adds an inofficial patch to fix CVE-2017-12836
based on a patch by Thorsten Glaser:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

The patched file had to be changed and in the first
chunk the size of rsh_argv has been extended to 16
to match Debian's upstream version.
Comment 1 commit-hook freebsd_committer 2018-02-24 08:55:57 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 24 08:54:57 UTC 2018
New revision: 462776
URL: https://svnweb.freebsd.org/changeset/ports/462776

Log:
  Fix ssh injection vulnerability from CVE-2017-12836

  Details:
  - Adopt patch from debian, documented in
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

  PR:		226088
  Submitted by:	fk@fabiankeil.de
  MFH:		2018Q1
  Security:	CVE-2017-12836

Changes:
  head/devel/cvs/Makefile
  head/devel/cvs/files/patch-src-client.c
Comment 2 commit-hook freebsd_committer 2018-02-24 08:58:01 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 24 08:57:21 UTC 2018
New revision: 462777
URL: https://svnweb.freebsd.org/changeset/ports/462777

Log:
  MFH: r462776

  Fix ssh injection vulnerability from CVE-2017-12836

  Details:
  - Adopt patch from debian, documented in
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10

  PR:		226088
  Submitted by:	fk@fabiankeil.de
  Security:	CVE-2017-12836

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/devel/cvs/Makefile
  branches/2018Q1/devel/cvs/files/patch-src-client.c
Comment 3 commit-hook freebsd_committer 2018-02-24 09:15:20 UTC
A commit references this bug:

Author: riggs
Date: Sat Feb 24 09:14:44 UTC 2018
New revision: 462782
URL: https://svnweb.freebsd.org/changeset/ports/462782

Log:
  Document ssh injection vulnerability in devel/cvs

  PR:		226088
  Reported by:	fk@fabiankeil.de
  Security:	CVE-2017-12836

Changes:
  head/security/vuxml/vuln.xml