Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Thorsten Glaser
Sébastien Delafond dixit:

>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

OK, now that I’m waiting on the multi-hour testsuite results on sid.
(It’s mostly that, due to the extra checks, the testsuite needs changes,
not the code.)

I’m attaching one for stretch, and if it pleases you, I’ll do them in
the same vein for jessie and wheezy and upload them. (As I said, they
will all look identical, the code has not changed in quite a while…
the file in question did not change *at all*, and it’s not affected
by the other code changes since then.)

Since I do not upload to past releases often: do I just dput them,
or do I put them on a different upload server/queue?

Thanks,
//mirabilos
-- 
> find both emacs and vi disgusting (joe rules) and consider pine the only
> usable text-mode mail client (and I have tried them all). ;)
Hello, I'm Holger ("Hello Holger!"), and I'm also
... a pine user, and habitually so ("Oooohhh").  [from dasr]

diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,9 @@
+cvs (2:1.12.13+real-22+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2017-12836 (Closes: #871810)
+
+ -- Thorsten Glaser   Sat, 12 Aug 2017 03:15:49 +0200
+
 cvs (2:1.12.13+real-22) unstable; urgency=low
 
   * cvs init: Change default history logging configuration
diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c
--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,8 +53,9 @@
 char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
-/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-   "cmd (w/ args)", and NULL.  We leave some room to grow. */
+/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+   "--", "host", "cvs", "-R", "server", and NULL.
+   We leave some room to grow. */
 char *rsh_argv[16];
 char argvport[16];
 
@@ -105,6 +106,9 @@
rsh_argv[i++] = argvport;
 }
 
+/* Only non-option arguments from here. (CVE-2017-12836) */
+rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 if (readonlyfs)
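Review bot: the protection in this hunk relies on the program named by CVS_RSH honouring `--` as the end of its options; OpenSSH and the usual rsh implementations do, but CVS_RSH is user-selectable, and `cvs_server` arrives from `getenv ("CVS_SERVER")` just as unchecked. The follow-up message for sid mentions hostname checking; rejecting hostnames that begin with `-` when the cvsroot is parsed would make the fix independent of the remote shell program and is worth carrying along with this change.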
@@ -189,6 +193,8 @@
*p++ = argvport;
}
 
+   *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
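Review bot: the array that `p` writes into is declared outside this hunk, and unlike the `rsh_argv[16]` branch, whose sizing comment was updated in the first hunk, nothing here shows that the extra `"--"` slot was budgeted; please confirm the backing array has room for one more pointer plus the terminating NULL. It would also help to mirror the `(CVE-2017-12836)` comment from the earlier hunk so this branch explains itself.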
___
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team

Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Thorsten Glaser
Sébastien Delafond dixit:

>On Aug/11, Thorsten Glaser wrote:
>> For {,{,old}old}stable-security, this should suffice:
>> [...]
>
>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

Yes, although they’d look like the patch I showed plus changelog.

But let me take care of sid first please, I also implement hostname
checking to be on the safe side, since other VCSes do so, too.

bye,
//mirabilos
-- 
18:47⎜ well channels… you see, I see everything in the
same window anyway  18:48⎜ i know, you have some kind of
telnet with automatic pong 18:48⎜ haha, yes :D
18:49⎜ though that's more tinyirc – sirc is more comfy


Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Sébastien Delafond
On Aug/11, Thorsten Glaser wrote:
> For {,{,old}old}stable-security, this should suffice:
> [...]

Would you be able to produce debdiffs for jessie and stretch, so we can
review them and give you the go-ahead to upload to security-master ?

Cheers,

--Seb



Re: [Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

2017-08-11 Thread Thorsten Glaser
tags 871810 + patch pending
thanks

Salvatore Bonaccorso dixit:

>Severity: grave

Probably not as severe, the attack vector seems minimal.

>[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
>[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Thanks for the heads-up. I’ve got a working patch, but I’ll also
work some more on sanitising username (if possible) and port (not
really necessary but still) parsing and test the changes before
I’ll upload.

For {,{,old}old}stable-security, this should suffice:



Index: src/gnu/usr.bin/cvs/src/rsh-client.c
diff -up src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 
src/gnu/usr.bin/cvs/src/rsh-client.c:1.7
--- src/gnu/usr.bin/cvs/src/rsh-client.c:1.6Sun Mar 26 15:54:10 2017
+++ src/gnu/usr.bin/cvs/src/rsh-client.cFri Aug 11 20:41:40 2017
@@ -55,8 +55,9 @@ start_rsh_server (cvsroot_t *root, struc
 char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
-/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-   "cmd (w/ args)", and NULL.  We leave some room to grow. */
+/* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+   "--", "host", "cvs", "-R", "server", and NULL.
+   We leave some room to grow. */
 char *rsh_argv[16];
 char argvport[16];
 
@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
rsh_argv[i++] = argvport;
 }
 
+/* Only non-option arguments from here. (CVE-2017-12836) */
+rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 if (readonlyfs)
@@ -191,6 +195,8 @@ start_rsh_server (cvsroot_t *root, struc
*p++ = argvport;
}
 
+   *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;



Thanks,
//mirabilos
-- 
13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜ Thank god I found you =)   20:03│«bioe007:#cvs» mira2k: ty
17:14⎜ Thanks big help you are :-)mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW!  23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜ yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜ i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD. 18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh.  Okay.  Sorry for the dumb question.  Thank you
21:34⎜ mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated  «garrett__:#cvs» thanks for your time
23:39⎜ this worked, thank you very much 16:26⎜ ok
thx, i'll try that 20:00⎜«stableable:#cvs» Thank you.20:50⎜«s833:#cvs»
mirabilos: thanks a lot.19:34⎜ Thanks for confirming :)
20:08⎜ ...works like a charm.. thanks mirabilos

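As an added illustration of the argv construction the patch above changes (my own code, not CVS's rsh-client.c): it places `--` before the hostname so the host is always an operand, and adds the kind of hostname check the sid follow-up mentions. The helper names, the constructed sample root values and the omission of the `-b` handling are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* 1 if the hostname cannot be mistaken for an option by rsh/ssh
 * (non-empty, does not start with '-'), 0 otherwise. */
int hostname_is_safe(const char *host)
{
    return host != NULL && host[0] != '\0' && host[0] != '-';
}

/* Build the remote-shell argv as the patched rsh-client.c does: options first,
 * then "--", then operands only.  Returns the entry count (sans NULL) or -1. */
int build_rsh_argv(const char *cvs_rsh, const char *user, const char *port,
                   const char *host, const char *cvs_server, int readonlyfs,
                   const char **argv, int argv_len)
{
    int i = 0;
    if (argv_len < 11)   /* rsh -l user -p port -- host cvs -R server NULL */
        return -1;
    argv[i++] = cvs_rsh;
    if (user) { argv[i++] = "-l"; argv[i++] = user; }
    if (port) { argv[i++] = "-p"; argv[i++] = port; }
    argv[i++] = "--";    /* end of options (CVE-2017-12836) */
    argv[i++] = host;    /* option parsing has stopped: always an operand */
    argv[i++] = cvs_server;
    if (readonlyfs)
        argv[i++] = "-R";
    argv[i++] = "server";
    argv[i] = NULL;
    return i;
}

/* Constructed sample values (not from the bug report), filled by build_demo(). */
const char *demo_argv[16];
int build_demo(void)
{
    return build_rsh_argv("ssh", "alice", "2222", "cvs.example.invalid",
                          "cvs", 1, demo_argv, 16);
}

int main(void)
{
    int n = build_demo();
    for (int i = 0; i < n; i++)
        printf("argv[%d] = %s\n", i, demo_argv[i]);
    printf("leading '-' host %s\n",
           hostname_is_safe("-x.invalid") ? "accepted" : "rejected");
    return 0;
}
```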