Diffstat (limited to 'main/cvs/CVE-2017-12836.patch')
-rw-r--r--main/cvs/CVE-2017-12836.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/main/cvs/CVE-2017-12836.patch b/main/cvs/CVE-2017-12836.patch
new file mode 100644
index 0000000000..b20a88b667
--- /dev/null
+++ b/main/cvs/CVE-2017-12836.patch
@@ -0,0 +1,38 @@
+Subject: [PATCH] Fix CVE-2017-12836
+From: Thorsten Glaser <tg@mirbsd.de>
+
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -53,9 +53,10 @@
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+- "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
++ "--", "host", "cvs", "-R", "server", and NULL.
++ We leave some room to grow. */
++ char *rsh_argv[16];
+
+ if (!cvs_rsh)
+ /* People sometimes suggest or assume that this should default
+@@ -97,6 +98,9 @@
+ rsh_argv[i++] = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ rsh_argv[i++] = "server";
+@@ -171,6 +175,8 @@
+ *p++ = root->username;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
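Review bot: The `--` placed before `root->hostname` in both argv builders only helps if the program held in `cvs_rsh` treats `--` as end-of-options, and that program appears to be configurable, so the fix depends on behaviour outside this code. As defence in depth, I would also reject a hostname with a leading dash before either argv is assembled, using `if (root->hostname[0] == '-')` followed by the file's usual fatal-error call. The first inner hunk grows `rsh_argv` to 16, but the second adds a slot through `*p++` with no matching size change visible; the backing array is declared outside the hunk, so its capacity should be confirmed. The second `--` also lacks the comment the first one carries, and `/* Only non-option arguments from here. (CVE-2017-12836) */` would fit there too. Both functions start and end outside the hunks shown.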