tags 871810 + patch pending
thanks

Salvatore Bonaccorso dixit:

>Severity: grave

Probably not as severe, the attack vector seems minimal.

>[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
>[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Thanks for the heads-up. I’ve got a working patch, but I’ll also
work some more on sanitising username (if possible) and port
(not really necessary but still) parsing and test the changes
before I’ll upload.

For {,{,old}old}stable-security, this should suffice:

Index: src/gnu/usr.bin/cvs/src/rsh-client.c diff -up src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 src/gnu/usr.bin/cvs/src/rsh-client.c:1.7 --- src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 Sun Mar 26 15:54:10 2017 +++ src/gnu/usr.bin/cvs/src/rsh-client.c Fri Aug 11 20:41:40 2017 @@ -55,8 +55,9 @@ start_rsh_server (cvsroot_t *root, struc char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER")); int i = 0; - /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host", - "cmd (w/ args)", and NULL. We leave some room to grow. */ + /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, + "--", "host", "cvs", "-R", "server", and NULL. + We leave some room to grow. */ char *rsh_argv[16]; char argvport[16]; @@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc rsh_argv[i++] = argvport; } + /* Only non-option arguments from here. (CVE-2017-12836) */ + rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; if (readonlyfs)
@@ -191,6 +195,8 @@ start_rsh_server (cvsroot_t *root, struc *p++ = argvport; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL;

Thanks,
//mirabilos
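
Review bot: in the @@ -107,6 +108,9 @@ hunk, the inserted "--" only covers what follows it, so root->hostname is protected but the "-l" USER and "-p" port arguments sit ahead of the separator and get nothing from it, and the fix as a whole depends on the program run as rsh treating "--" as end of options. Suggest also rejecting a root->hostname that begins with '-' before the argv is assembled, so the guard does not rest on the remote-shell program's option parser alone, and landing the username check mentioned in the message together with this change.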
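
Review bot: in the @@ -191,6 +195,8 @@ hunk, the second argv builder gains an extra element through `*p++ = "--";`, but the only sizing change visible in the patch is the comment on rsh_argv[16] in the first hunk. Please confirm that the array p walks has room for the additional entry plus the terminating NULL, and carry the same "Only non-option arguments from here. (CVE-2017-12836)" comment here so both code paths document why the separator is present.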