Attachment 489222 Details for Bug 627498 – Patch to add -- to SSH arguments, preventing hostname of -oProxyCommand, etc.

[patch] Patch to add -- to SSH arguments, preventing hostname of -oProxyCommand, etc.

cvs-1.12.12-CVE-2017-12836.patch (text/plain), 1.02 KB, created by Hank Leininger on 2017-08-15 19:57:24 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Hank Leininger

Created: 2017-08-15 19:57:24 UTC

Size: 1.02 KB

patch

obsolete

>diff -urP cvs-1.12.12.orig/src/rsh-client.c cvs-1.12.12/src/rsh-client.c
>--- cvs-1.12.12.orig/src/rsh-client.c	2005-03-15 10:45:10.000000000 -0700
>+++ cvs-1.12.12/src/rsh-client.c	2017-08-15 13:38:29.136095238 -0600
>@@ -54,8 +54,9 @@
> 			? root->cvs_server : getenv ("CVS_SERVER"));
>     int i = 0;
>     /* This needs to fit "rsh", "-b", "-l", "USER", "host",
>-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
>-    char *rsh_argv[10];
>+       "--", "host", "cvs", "-R", "server", and NULL.
>+       We leave some room to grow. */
>+    char *rsh_argv[16];
> 
>     if (!cvs_rsh)
> 	/* People sometimes suggest or assume that this should default
>@@ -97,6 +98,9 @@
> 	rsh_argv[i++] = root->username;
>     }
> 
>+    /* Only non-option arguments from here. (CVE-2017-12836) */
>+    rsh_argv[i++] = "--";
>+
>     rsh_argv[i++] = root->hostname;
>     rsh_argv[i++] = cvs_server;
>     rsh_argv[i++] = "server";
>@@ -171,6 +175,8 @@
> 	    *p++ = root->username;
> 	}
> 
>+	*p++ = "--";
>+
> 	*p++ = root->hostname;
> 	*p++ = command;
> 	*p++ = NULL;

Actions: View | Diff

Attachments on bug 627498: 489222 | 489224