Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Sébastien Delafond dixit:

>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

OK, now that I’m waiting on the multi-hour testsuite results on sid. (It’s mostly that, due to the extra checks, the testsuite needs changes, not the code.)

I’m attaching one for stretch, and if it pleases you, I’ll do them in the same vein for jessie and wheezy and upload them. (As I said, they will all look identical, the code has not changed in quite a while… the file in question did not change *at all*, and it’s not affected by the other code changes since then.)

Since I do not upload to past releases often: do I just dput them, or do I put them on a different upload server/queue?

Thanks,
//mirabilos

diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog --- cvs-1.12.13+real/debian/changelog +++ cvs-1.12.13+real/debian/changelog @@ -1,3 +1,9 @@ +cvs (2:1.12.13+real-22+deb9u1) stretch; urgency=high + + * Fix CVE-2017-12836 (Closes: #871810) + + -- Thorsten Glaser Sat, 12 Aug 2017 03:15:49 +0200 + cvs (2:1.12.13+real-22) unstable; urgency=low * cvs init: Change default history logging configuration diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c --- cvs-1.12.13+real/src/rsh-client.c +++ cvs-1.12.13+real/src/rsh-client.c 
@@ -53,8 +53,9 @@ char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER")); int i = 0; -/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host", - "cmd (w/ args)", and NULL. We leave some room to grow. */ +/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, + "--", "host", "cvs", "-R", "server", and NULL. + We leave some room to grow. */ char *rsh_argv[16]; char argvport[16]; @@ -105,6 +106,9 @@ rsh_argv[i++] = argvport; } +/* Only non-option arguments from here. (CVE-2017-12836) */ +rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; if (readonlyfs) @@ -189,6 +193,8 @@ *p++ = argvport; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL; ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
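Review bot: The debian/changelog entry added for 2:1.12.13+real-22+deb9u1 says only "Fix CVE-2017-12836" and does not say what was changed. Suggest naming the change in the bullet, for example that "--" is now passed before the hostname in src/rsh-client.c, so that someone reading the changelog of the security upload can tell the scope of the fix without opening the diff.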
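Review bot: In the @@ -105,6 +106,9 @@ hunk of src/rsh-client.c, the added "--" protects only if the program being started treats "--" as the end of its options, and nothing in the visible lines checks root->hostname itself before it goes into rsh_argv. Suggest also rejecting a hostname that begins with '-' before this point, so that the fix does not depend on the option parser of whichever remote-shell program is configured.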
Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Sébastien Delafond dixit:

>On Aug/11, Thorsten Glaser wrote:
>> For {,{,old}old}stable-security, this should suffice:
>> [...]
>
>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

Yes, although they’d look like the patch I showed plus changelog. But let me take care of sid first please, I also implement hostname checking to be on the safe side, since other VCSes do so, too.

bye,
//mirabilos
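The hostname checking mentioned in the message above, combined with the "--" separator from the patch, as an added example (it is not part of the thread and is neither the CVS code nor the author's patch). The function names hostname_is_safe and build_rsh_argv, the character policy and the sample values are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Policy assumed for this example: a hostname is non-empty, at most 255
   bytes, starts with a letter or digit, and contains only letters,
   digits, '.', '-', '_' and ':'.  A leading '-' is therefore rejected. */
int hostname_is_safe(const char *h)
{
    size_t k;
    if (h == NULL || !isalnum((unsigned char)h[0]) || strlen(h) > 255)
        return 0;
    for (k = 0; h[k] != '\0'; k++) {
        unsigned char c = (unsigned char)h[k];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != ':')
            return 0;
    }
    return 1;
}

/* Builds: prog [-l user] [-p port] -- host cmd NULL  (at most 9 slots).
   Returns the argument count without the NULL, or -1 if rejected. */
int build_rsh_argv(const char **argv, size_t cap, const char *prog,
                   const char *user, const char *port,
                   const char *host, const char *cmd)
{
    size_t i = 0;
    if (cap < 9 || !hostname_is_safe(host))
        return -1;
    if (user != NULL && user[0] == '-')   /* conservative, example policy */
        return -1;
    argv[i++] = prog;
    if (user != NULL) { argv[i++] = "-l"; argv[i++] = user; }
    if (port != NULL) { argv[i++] = "-p"; argv[i++] = port; }
    argv[i++] = "--";   /* end of options, as in the patch */
    argv[i++] = host;
    argv[i++] = cmd;
    argv[i] = NULL;
    return (int)i;
}

int main(void)
{
    const char *av[16];
    /* Constructed sample values; exit status 0 means the vector was built. */
    return build_rsh_argv(av, 16, "ssh", "anoncvs", NULL,
                          "cvs.example.org", "cvs") == 6 ? 0 : 1;
}
```

With both measures in place, a value that starts with '-' is refused before any process is started, and the separator remains as a second line of defence for programs that honour it.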
Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
On Aug/11, Thorsten Glaser wrote:
> For {,{,old}old}stable-security, this should suffice:
> [...]

Would you be able to produce debdiffs for jessie and stretch, so we can review them and give you the go-ahead to upload to security-master ?

Cheers,

--Seb
Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
tags 871810 + patch pending
thanks

Salvatore Bonaccorso dixit:

>Severity: grave

Probably not as severe, the attack vector seems minimal.

>[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
>[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Thanks for the heads-up. I’ve got a working patch, but I’ll also work some more on sanitising username (if possible) and port (not really necessary but still) parsing and test the changes before I’ll upload.

For {,{,old}old}stable-security, this should suffice:

Index: src/gnu/usr.bin/cvs/src/rsh-client.c diff -up src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 src/gnu/usr.bin/cvs/src/rsh-client.c:1.7 --- src/gnu/usr.bin/cvs/src/rsh-client.c:1.6Sun Mar 26 15:54:10 2017 +++ src/gnu/usr.bin/cvs/src/rsh-client.cFri Aug 11 20:41:40 2017 @@ -55,8 +55,9 @@ start_rsh_server (cvsroot_t *root, struc char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER")); int i = 0; -/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host", - "cmd (w/ args)", and NULL. We leave some room to grow. */ +/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, + "--", "host", "cvs", "-R", "server", and NULL. + We leave some room to grow. */ char *rsh_argv[16]; char argvport[16]; @@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc rsh_argv[i++] = argvport; } +/* Only non-option arguments from here. (CVE-2017-12836) */ +rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; if (readonlyfs) 
@@ -191,6 +195,8 @@ start_rsh_server (cvsroot_t *root, struc *p++ = argvport; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL;

Thanks,
//mirabilos
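Review bot: In the @@ -55,8 +55,9 @@ hunk, the only guard on rsh_argv[16] is still the comment: with "--" added the enumerated list comes to 12 entries including the NULL, and nothing visible checks i against the array size. Suggest a check of i against the number of elements of rsh_argv before the final NULL is stored, so that a later addition cannot overrun the array just because the comment was not updated.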
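Review bot: At the second call site, the @@ -191,6 +195,8 @@ hunk, the added *p++ = "--"; has no explanatory comment, unlike the rsh_argv site, and the size comment updated in the first hunk covers rsh_argv only. Suggest repeating the "Only non-option arguments from here. (CVE-2017-12836)" comment here and confirming that the array p points into has room for one more entry, since its declaration is not in the visible context.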