diff -urP cvs-1.12.12.orig/src/rsh-client.c cvs-1.12.12/src/rsh-client.c
--- cvs-1.12.12.orig/src/rsh-client.c 2005-03-15 10:45:10.000000000 -0700
+++ cvs-1.12.12/src/rsh-client.c 2017-08-15 13:38:29.136095238 -0600
@@ -54,8 +54,9 @@
 ? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
 /* This needs to fit "rsh", "-b", "-l", "USER", "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
+ "--", "host", "cvs", "-R", "server", and NULL.
+ We leave some room to grow. */
+ char *rsh_argv[16];
 
 if (!cvs_rsh)
 /* People sometimes suggest or assume that this should default
@@ -97,6 +98,9 @@
 rsh_argv[i++] = root->username;
 }
 
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 rsh_argv[i++] = "server";
@@ -171,6 +175,8 @@
 *p++ = root->username;
 }
 
+ *p++ = "--";
+
 *p++ = root->hostname;
 *p++ = command;
 *p++ = NULL;
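Review bot: The rewritten size comment now lists "host" twice (once on the unchanged first comment line, once on the added continuation) and names "cvs" and "-R", which this hunk does not show being stored; the list should be checked against the stores that follow in the function, which starts outside the hunk. I would make the two comment lines read `/* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", "cvs", "-R", "server", and NULL.` / `We leave some room to grow. */`. Growing `rsh_argv` to 16 entries still relies on the caller counting correctly, since every store is an unchecked `rsh_argv[i++]`; a bound such as `assert (i < (int) (sizeof rsh_argv / sizeof rsh_argv[0]));` before the terminating NULL store would turn a future overrun into a fail-stop rather than a silent stack write.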
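Review bot: Inserting `"--"` before `root->hostname` relies on the rsh program honouring the end-of-options convention, but the program is user-configurable (the first hunk shows the analogous `cvs_server` value coming from `getenv`), so a wrapper that does not understand `--` will now receive it as the host argument, and a wrapper that does not honour it is still exposed to a hostname beginning with `-`. The comment should state that assumption so the next maintainer knows why the token is there, e.g. `/* "--" ends option parsing in the rsh program, so a hostname beginning with '-' cannot be taken as an option (CVE-2017-12836). Assumes CVS_RSH honours "--". */`. As defence in depth I would also reject a hostname whose first character is `-` at the point where the CVSROOT is parsed, which is outside this hunk; that covers rsh implementations that ignore `--` as well.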
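Review bot: The second argv-building path adds `*p++ = "--";` with no comment, unlike the first path, and it writes one more entry into an array whose declaration and size are not in this diff — the first hunk only enlarged `rsh_argv`, so the array `p` points into needs its capacity confirmed against the new entry count. I would carry over the same comment, `/* Only non-option arguments from here. (CVE-2017-12836) */`, and guard the terminating store with an assertion against that array's size so both paths stay in step. The enclosing function starts outside the hunk.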