Gentoo's Bugzilla – Attachment 489222 Details for Bug 627498: <dev-vcs/cvs-1.12.12-r12: vulnerable to SSH command injection with crafted repo path
[patch] cvs-1.12.12-CVE-2017-12836.patch (text/plain), 1.02 KB, created by Hank Leininger on 2017-08-15 19:57:24 UTC

Description: Patch to add -- to SSH arguments, preventing hostname of -oProxyCommand, etc.
Filename: cvs-1.12.12-CVE-2017-12836.patch
MIME Type: text/plain
Creator: Hank Leininger
Created: 2017-08-15 19:57:24 UTC
Size: 1.02 KB
Flags: patch, obsolete
>diff -urP cvs-1.12.12.orig/src/rsh-client.c cvs-1.12.12/src/rsh-client.c >--- cvs-1.12.12.orig/src/rsh-client.c 2005-03-15 10:45:10.000000000 -0700 >+++ cvs-1.12.12/src/rsh-client.c 2017-08-15 13:38:29.136095238 -0600 >@@ -54,8 +54,9 @@ > ? root->cvs_server : getenv ("CVS_SERVER")); > int i = 0; > /* This needs to fit "rsh", "-b", "-l", "USER", "host", >- "cmd (w/ args)", and NULL. We leave some room to grow. */ >- char *rsh_argv[10]; >+ "--", "host", "cvs", "-R", "server", and NULL. >+ We leave some room to grow. */ >+ char *rsh_argv[16]; > > if (!cvs_rsh) > /* People sometimes suggest or assume that this should default >@@ -97,6 +98,9 @@ > rsh_argv[i++] = root->username; > } > >+ /* Only non-option arguments from here. (CVE-2017-12836) */ >+ rsh_argv[i++] = "--"; >+ > rsh_argv[i++] = root->hostname; > rsh_argv[i++] = cvs_server; > rsh_argv[i++] = "server"; >@@ -171,6 +175,8 @@ > *p++ = root->username; > } > >+ *p++ = "--"; >+ > *p++ = root->hostname; > *p++ = command; > *p++ = NULL;
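Review bot: in the first hunk (`@@ -54,8 +54,9 @@`) the rewritten size comment now lists "host" twice: the unchanged line above still reads `"rsh", "-b", "-l", "USER", "host",` and the added line continues `"--", "host", "cvs", "-R", "server"`, so the element count the comment documents is off by one; drop the second "host" or restate the whole list on the new line. Growing `rsh_argv` from 10 to 16 covers the extra `--` with room to spare, but the array is still filled through a hand-maintained index `i`; an `assert (i < sizeof rsh_argv / sizeof rsh_argv[0])` before the stores would turn a future overrun into a visible failure rather than a silent stack write.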
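Review bot: in the second hunk (`@@ -97,6 +98,9 @@`) the `--` placed before `root->hostname` relies on the transport honouring the getopt convention of ending option parsing at `--`; `cvs_rsh` is user-selectable (the `if (!cvs_rsh)` default in the first hunk shows it is not fixed to ssh), so a wrapper script or a non-getopt rsh would instead see `--` as the hostname. The added comment should say so, and the change should be tested with the platform's default rsh as well as ssh. Since a hostname can never legitimately start with `-`, rejecting such a value where the CVSROOT is parsed would also give a clear error instead of a failed name lookup and protect transports that ignore `--`.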
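Review bot: in the third hunk (`@@ -171,6 +175,8 @@`) this second argv-building path also gains a `--` element, but unlike the first hunk it shows no matching capacity change for the array that `p` writes into; confirm that array has a spare slot for the extra pointer, or grow it as `rsh_argv` was, so the trailing `*p++ = NULL;` does not land past the bound. The added `*p++ = "--";` also lacks the `(CVE-2017-12836)` comment the first insertion carries; mirror it so both transports are visibly covered by the fix.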
Attachments on bug 627498: 489222 | 489224