Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-14 Thread Thorsten Glaser
Hi,

>As you have seen, Seb took the coordination for jessie- and
>stretch-security.

… and…

>Thanks for uploading. I'll send the DLA announcement out now…

Thanks for that. I spent yesterday mostly offline.

bye,
//mirabilos
-- 
 Beware of ritual lest you forget the meaning behind it.
 yeah but it means if you really care about something, don't
ritualise it, or you will lose it. don't fetishise it, don't
obsess. or you'll forget why you love it in the first place.



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-14 Thread Chris Lamb
Hi Thorsten,

> >Thanks for uploading. I'll send the DLA announcement out now…
> 
> Thanks for that. I spent yesterday mostly offline.

That's what Sundays are for. :)  For completeness, here was what was
sent:

  https://lists.debian.org/debian-lts-announce/2017/08/msg8.html

Thanks again :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-13 Thread Chris Lamb
Hi Thorsten,

> […]

Thanks for uploading. I'll send the DLA announcement out now…


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Roberto C . Sánchez
Hi Thorsten,

On Sat, Aug 12, 2017 at 05:26:22PM +, Thorsten Glaser wrote:
> Hi LTS team,
> 
> >>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
> 
> >>>For wheezy, you'll need to check directly with the Debian LTS team, that
> >>>can be reached via debian-...@lists.debian.org.
> 
> is the attached debdiff ok to upload? (Specifically, is the distribution
> in the changelog set correctly?) Obviously, I’ll build it in a wheezy
> cowbuilder first.

Yes, that looks correct.  You could also do a source-only upload
(assuming that you have otherwise built/tested in a wheezy environment).

> 
> How do I upload, i.e. to what queue do I dput, and do I use -sa?
> 
You can dput to security-master like a normal security update and -sa
would likely get the upload rejected as the .orig.tar.gz is already in
the archive.

Regards,

-Roberto

-- 
Roberto C. Sánchez




Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Chris Lamb
Hi Thorsten,

> is the distribution in the changelog set correctly

Yep.

> How do I upload, i.e. to what queue do I dput, and do I use -sa?

Can I link you to:

  https://wiki.debian.org/LTS/Development

If there is something missing there let us know and we'll add it; thus
saving the "next" person a question :)



Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Thorsten Glaser
Hi LTS team,

>>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:

>>>For wheezy, you'll need to check directly with the Debian LTS team, that
>>>can be reached via debian-...@lists.debian.org.

is the attached debdiff ok to upload? (Specifically, is the distribution
in the changelog set correctly?) Obviously, I’ll build it in a wheezy
cowbuilder first.

How do I upload, i.e. to what queue do I dput, and do I use -sa?

Thanks,
//mirabilos
-- 
11:56⎜«liwakura:#!/bin/mksh» also, i wanted to add mksh to my own distro │
i was disappointed that there is no makefile │ but somehow the Build.sh is
the least painful built system i've ever seen │ honours CC, {CPP,C,LD}FLAGS
properly │ looks clearly like done by someone who knows what they are doing
diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c
--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,8 +53,9 @@
 char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
-/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-   "cmd (w/ args)", and NULL.  We leave some room to grow. */
+/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+   "--", "host", "cvs", "-R", "server", and NULL.
+   We leave some room to grow. */
 char *rsh_argv[16];
 char argvport[16];
 
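Review bot: the updated comment in this hunk now lists 12 entries ("rsh", "-b", "-l", "USER", "-p", port, "--", "host", "cvs", "-R", "server", NULL) while `char *rsh_argv[16];` is left as it was, so the extra "--" still fits with four slots to spare; since that bound is only enforced by the comment, consider adding a check that `i` stays below 16 before the array is NULL-terminated, so that a later added argument cannot silently overrun it.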
@@ -105,6 +106,9 @@
rsh_argv[i++] = argvport;
 }
 
+/* Only non-option arguments from here. (CVE-2017-12836) */
+rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 if (readonlyfs)
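Review bot: the `rsh_argv[i++] = "--";` inserted before `root->hostname` only helps where the program named by CVS_RSH treats "--" as end-of-options, which ssh and rsh do but a wrapper script configured as CVS_RSH may not; this backport also does not carry the hostname checking Thorsten says he is adding for sid, so a host part that starts with "-" is still passed through, now as a positional argument rather than an option. Both points are worth a sentence in the changelog so wheezy users know that "--" is the whole of this fix.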
@@ -189,6 +193,8 @@
*p++ = argvport;
}
 
+   *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
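Review bot: the second argv-building path (the `*p++` block) gets its `*p++ = "--";` without the explanatory comment the first path has; mirror it here, e.g. `/* Only non-option arguments from here. (CVE-2017-12836) */`, so that whoever next edits this function knows the separator is deliberate in both places and does not drop one of them.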
diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,9 @@
+cvs (2:1.12.13+real-9+deb7u1) wheezy-security; urgency=high
+
+  * Fix CVE-2017-12836 (Closes: #871810)
+
+ -- Thorsten Glaser   Sat, 12 Aug 2017 19:23:10 +0200
+
 cvs (2:1.12.13+real-9) unstable; urgency=low
 
   * Fix watch file: mange Epoch away, too
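Review bot: the changelog line `* Fix CVE-2017-12836 (Closes: #871810)` does not say what changed; wording such as "Fix CVE-2017-12836: pass "--" to rsh/ssh before the hostname so it cannot be interpreted as an option" would let users of the wheezy package judge the update without reading the diff. The version 2:1.12.13+real-9+deb7u1 and the wheezy-security target look right for the LTS upload, as Roberto confirms above.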


Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Thorsten Glaser
Salvatore Bonaccorso dixit:

>For the security-upload s/stretch/stretch-security/ but that was
>already commented by Moritz :)

OK, will do.

>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
>>
>> > Since I do not upload to past releases often: do I just dput them,
>> > or do I put them on a different upload server/queue?
>>
>> Thank you, the stretch one looks alright. You can simply upload it to
>> security-master[0]. Don't forget to build with -sa as the package will
>> be new there.

That would be “dput security-master *.changes”, for future reference.

>Actually please do only the first one with -sa, then wait for the
>ACCEPTED mail into the embargoed queue, then the second one without
>-sa (preferably, otherwise this would cause potential issues when
>uploading the packages from security-master to ftp-master for the
>proposed-updates queues).

OK, I understand.

>> Please do the same for the jessie fix (targeting jessie-security of
>> course), including -sa.

>>For wheezy, you'll need to check directly with the Debian LTS team, that
>>can be reached via debian-...@lists.debian.org.

Will do.

>Thanks a lot for your work!

Thanks for guiding me through it, as well.

bye,
//mirabilos
-- 
As long as you don't use dirty tricks, and I mean *really* dirty
tricks, like XORing both pointers of a doubly linked list and storing
them in a single word, Boehm works perfectly.
   -- Andreas Bogk on boehm-gc in d.a.s.r



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Salvatore Bonaccorso
Hi

On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
> On Aug/12, Thorsten Glaser wrote:
> > I’m attaching one for stretch, and if it pleases you, I’ll do them in
> > the same vein for jessie and wheezy and upload them. (As I said, they
> > will all look identical, the code has not changed in quite a while…
> > the file in question did not change *at all*, and it’s not affected
> > by the other code changes since then.)
> > 
> > Since I do not upload to past releases often: do I just dput them,
> > or do I put them on a different upload server/queue?
> 
> Thank you, the stretch one looks alright. You can simply upload it to
> security-master[0]. Don't forget to build with -sa as the package will
> be new there.
> 
> Please do the same for the jessie fix (targeting jessie-security of
> course), including -sa.

Actually please do only the first one with -sa, then wait for the
ACCEPTED mail into the embargoed queue, then the second one without
-sa (preferably, otherwise this would cause potential issues when
uploading the packages from security-master to ftp-master for the
proposed-updates queues).

For the security-upload s/stretch/stretch-security/ but that was
already commented by Moritz :)

Thanks a lot for your work!

Regards,
Salvatore



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Moritz Mühlenhoff
On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
> On Aug/12, Thorsten Glaser wrote:
> > I’m attaching one for stretch, and if it pleases you, I’ll do them in
> > the same vein for jessie and wheezy and upload them. (As I said, they
> > will all look identical, the code has not changed in quite a while…
> > the file in question did not change *at all*, and it’s not affected
> > by the other code changes since then.)
> > 
> > Since I do not upload to past releases often: do I just dput them,
> > or do I put them on a different upload server/queue?
> 
> Thank you, the stretch one looks alright. You can simply upload it to
> security-master[0]. Don't forget to build with -sa as the package will
> be new there.

The attached debdiff targets "stretch", though. That needs to be
stretch-security.

Cheers,
Moritz



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-12 Thread Sébastien Delafond
On Aug/12, Thorsten Glaser wrote:
> I’m attaching one for stretch, and if it pleases you, I’ll do them in
> the same vein for jessie and wheezy and upload them. (As I said, they
> will all look identical, the code has not changed in quite a while…
> the file in question did not change *at all*, and it’s not affected
> by the other code changes since then.)
> 
> Since I do not upload to past releases often: do I just dput them,
> or do I put them on a different upload server/queue?

Thank you, the stretch one looks alright. You can simply upload it to
security-master[0]. Don't forget to build with -sa as the package will
be new there.

Please do the same for the jessie fix (targeting jessie-security of
course), including -sa.

For wheezy, you'll need to check directly with the Debian LTS team, that
can be reached via debian-...@lists.debian.org.

Cheers,

--Seb

[0] https://www.debian.org/security/faq.html#SecurityUploadQueue



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Thorsten Glaser
Sébastien Delafond dixit:

>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

OK, now that I’m waiting on the multi-hour testsuite results on sid.
(It’s mostly that, due to the extra checks, the testsuite needs changes,
not the code.)

I’m attaching one for stretch, and if it pleases you, I’ll do them in
the same vein for jessie and wheezy and upload them. (As I said, they
will all look identical, the code has not changed in quite a while…
the file in question did not change *at all*, and it’s not affected
by the other code changes since then.)

Since I do not upload to past releases often: do I just dput them,
or do I put them on a different upload server/queue?

Thanks,
//mirabilos
-- 
> find both emacs and vi sickening (joe rules) and consider pine the only
> usable textmode mail client (and I've tried them all). ;)
Hello, I'm Holger ("Hello Holger!"), and I too am a
... pine user, and habitually at that ("Oooohhh").  [from dasr]
diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,9 @@
+cvs (2:1.12.13+real-22+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2017-12836 (Closes: #871810)
+
+ -- Thorsten Glaser   Sat, 12 Aug 2017 03:15:49 +0200
+
 cvs (2:1.12.13+real-22) unstable; urgency=low
 
   * cvs init: Change default history logging configuration
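Review bot: the distribution field in `cvs (2:1.12.13+real-22+deb9u1) stretch; urgency=high` is "stretch", but a security upload has to target "stretch-security", as Moritz and Salvatore both point out in their replies (shown above on this page); change it before uploading. As with the other debdiffs, the changelog line would also benefit from saying what the fix does (passing "--" to rsh/ssh before the hostname).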
diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c
--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,8 +53,9 @@
 char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
-/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-   "cmd (w/ args)", and NULL.  We leave some room to grow. */
+/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+   "--", "host", "cvs", "-R", "server", and NULL.
+   We leave some room to grow. */
 char *rsh_argv[16];
 char argvport[16];
 
@@ -105,6 +106,9 @@
rsh_argv[i++] = argvport;
 }
 
+/* Only non-option arguments from here. (CVE-2017-12836) */
+rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 if (readonlyfs)
@@ -189,6 +193,8 @@
*p++ = argvport;
}
 
+   *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;


Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Thorsten Glaser
Sébastien Delafond dixit:

>On Aug/11, Thorsten Glaser wrote:
>> For {,{,old}old}stable-security, this should suffice:
>> [...]
>
>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

Yes, although they’d look like the patch I showed plus changelog.

But let me take care of sid first please, I also implement hostname
checking to be on the safe side, since other VCSes do so, too.

bye,
//mirabilos
-- 
18:47⎜ well channels… you see, I see everything in the
same window anyway  18:48⎜ i know, you have some kind of
telnet with automatic pong 18:48⎜ haha, yes :D
18:49⎜ though that's more tinyirc – sirc is more comfy
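As an added example (not code from the cvs patch, the Debian package or Thorsten's sid work), here is the kind of hostname check he mentions adding, combined with the "--" separator the patch introduces; the function names, the label rules and the argv layout are this example's own assumptions:

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Defence-in-depth check for the host part of a CVSROOT before it goes to
 * rsh/ssh.  The "--" from the patch stops the host being parsed as an
 * option; this additionally refuses anything that does not look like a
 * hostname or IPv4 literal.  Assumed rules: 1-253 chars, labels of 1-63
 * letters/digits/'-' that neither start nor end with '-', one trailing dot
 * allowed.  Bracketed IPv6 literals are out of scope here. */
bool cvs_host_is_safe(const char *host)
{
    size_t len;
    const char *label;

    if (host == NULL || (len = strlen(host)) == 0 || len > 253)
        return false;
    if (host[0] == '-')                 /* would look like an option */
        return false;
    for (label = host; *label != '\0'; label++) {
        const char *end = label;
        while (*end != '\0' && *end != '.') {
            if (!isalnum((unsigned char)*end) && *end != '-')
                return false;
            end++;
        }
        if (end == label || end - label > 63 || *label == '-' || end[-1] == '-')
            return false;               /* empty label ("a..b") or bad edge */
        if (*end == '\0')
            break;
        label = end;                    /* label++ then skips the '.' */
    }
    return true;
}

/* Assemble the argument vector the patched cvs hands to rsh/ssh, gated by
 * the host check.  Returns the entry count before the terminating NULL,
 * or -1 if the host is refused or argv has fewer than 9 slots. */
int build_rsh_argv(const char *argv[], size_t cap, const char *rsh,
                   const char *user, const char *port, const char *host,
                   const char *server_cmd)
{
    size_t i = 0;

    if (cap < 9 || !cvs_host_is_safe(host))
        return -1;
    argv[i++] = rsh;
    if (user != NULL) { argv[i++] = "-l"; argv[i++] = user; }
    if (port != NULL) { argv[i++] = "-p"; argv[i++] = port; }
    argv[i++] = "--";           /* only non-option arguments from here */
    argv[i++] = host;           /* can no longer be taken as an option */
    argv[i++] = server_cmd;     /* e.g. "cvs server", run by the remote shell */
    argv[i] = NULL;
    return (int)i;
}
```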



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Sébastien Delafond
On Aug/11, Thorsten Glaser wrote:
> For {,{,old}old}stable-security, this should suffice:
> [...]

Would you be able to produce debdiffs for jessie and stretch, so we can
review them and give you the go-ahead to upload to security-master ?

Cheers,

--Seb



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Thorsten Glaser
tags 871810 + patch pending
thanks

Salvatore Bonaccorso dixit:

>Severity: grave

Probably not as severe, the attack vector seems minimal.

>[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
>[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Thanks for the heads-up. I’ve got a working patch, but I’ll also
work some more on sanitising username (if possible) and port (not
really necessary but still) parsing and test the changes before
I’ll upload.

For {,{,old}old}stable-security, this should suffice:



Index: src/gnu/usr.bin/cvs/src/rsh-client.c
diff -up src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 
src/gnu/usr.bin/cvs/src/rsh-client.c:1.7
--- src/gnu/usr.bin/cvs/src/rsh-client.c:1.6Sun Mar 26 15:54:10 2017
+++ src/gnu/usr.bin/cvs/src/rsh-client.cFri Aug 11 20:41:40 2017
@@ -55,8 +55,9 @@ start_rsh_server (cvsroot_t *root, struc
 char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
-/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-   "cmd (w/ args)", and NULL.  We leave some room to grow. */
+/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+   "--", "host", "cvs", "-R", "server", and NULL.
+   We leave some room to grow. */
 char *rsh_argv[16];
 char argvport[16];
 
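Review bot: this is the MirBSD-tree patch (Index: src/gnu/usr.bin/cvs/src/rsh-client.c, revision 1.6 to 1.7) with hunk offsets `@@ -55,8` and `@@ -107,6`, whereas the Debian source has the file at src/rsh-client.c with offsets `@@ -53,8` and `@@ -105,6` (see the debdiffs elsewhere in this thread), so the hunks apply with a two-line offset. Fine for a hand-applied backport; the debdiffs are the versions to review for the actual uploads.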
@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
rsh_argv[i++] = argvport;
 }
 
+/* Only non-option arguments from here. (CVE-2017-12836) */
+rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 if (readonlyfs)
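Review bot: the comment `/* Only non-option arguments from here. (CVE-2017-12836) */` is slightly misleading, because the lines right after it append "-R" when readonlyfs is set; that "-R" is an argument to the remote cvs, not to rsh, and belongs after "--" deliberately. Reword to something like "Only non-option arguments to rsh from here; everything after this is for the remote command" so nobody later "fixes" it by moving "-R" in front of the separator.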
@@ -191,6 +195,8 @@ start_rsh_server (cvsroot_t *root, struc
*p++ = argvport;
}
 
+   *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
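Review bot: `*p++ = "--";` in this hunk writes one more element than before, but the array that `p` points into is not in the diff (only `rsh_argv[16]` in the first path is visible and got its comment updated), so confirm that its allocation has the same room to grow, or enlarge it in the same change; otherwise the extra entry plus the final NULL can overrun it.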



Thanks,
//mirabilos
-- 
13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜ Thank god I found you =)   20:03│«bioe007:#cvs» mira2k: ty
17:14⎜ Thanks big help you are :-)mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW!  23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜ yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜ i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD. 18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh.  Okay.  Sorry for the dumb question.  Thank you
21:34⎜ mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated  «garrett__:#cvs» thanks for your time
23:39⎜ this worked, thank you very much 16:26⎜ ok
thx, i'll try that 20:00⎜«stableable:#cvs» Thank you.20:50⎜«s833:#cvs»
mirabilos: thanks a lot.19:34⎜ Thanks for confirming :)
20:08⎜ ...works like a charm.. thanks mirabilos



Processed: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 871810 + patch pending
Bug #871810 [src:cvs] cvs: CVE-2017-12836: CVS and ssh command injection
Added tag(s) pending and patch.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
871810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Salvatore Bonaccorso
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore