$NetBSD: patch-rsh-client.c,v 1.1 2017/08/21 22:57:45 tez Exp $
Fix for CVE-2017-12836 from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
--- src/rsh-client.c.orig 2017-08-21 22:38:03.283783300 +0000
+++ src/rsh-client.c
@@ -53,9 +53,9 @@ start_rsh_server (cvsroot_t *root, struc
char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
"cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
+ char *rsh_argv[16];
if (!cvs_rsh)
/* People sometimes suggest or assume that this should default
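Review bot: Growing `rsh_argv` to 16 entries does not change that every append in this function is an unchecked `rsh_argv[i++] = ...` store (the ones at +96..+104 and, presumably, the terminating NULL, which lies outside this hunk); the array size is a bare literal, so a future option added here would silently overrun the stack. Since the bound is known at compile time, one guard before the terminator such as `assert (i < (int) (sizeof rsh_argv / sizeof rsh_argv[0]));` (or the project's own equivalent if `<assert.h>` is not already used in this file) would turn that into a definite failure. The comment could also give the arithmetic it now relies on, e.g. `/* At most 8 entries are written below ("rsh", "-b", "-l", USER, "--", host, cmd, NULL); 16 leaves headroom. */`. start_rsh_server begins above and continues below this hunk.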
@@ -96,6 +96,9 @@ start_rsh_server (cvsroot_t *root, struc
rsh_argv[i++] = "-l";
rsh_argv[i++] = root->username;
}
+
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
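Review bot: The added comment at +99 says only "non-option arguments from here" and does not record what the `"--"` is protecting against or what it assumes, which is the part a later maintainer needs: `root->hostname` comes from the CVSROOT string and the separator exists so a hostname beginning with '-' is not parsed by the remote-shell program as one of its options. The mitigation is only as good as the program named by `cvs_rsh` (chosen from CVS_RSH above this hunk): it must honour `"--"` as end-of-options, otherwise `"--"` itself becomes the host argument and the call fails. Suggest widening the comment to `/* "--" ends option parsing so a hostname beginning with '-' (taken from CVSROOT) cannot be treated as an rsh/ssh option; this relies on $CVS_RSH accepting "--".  (CVE-2017-12836) */`, and the same wording at the second insertion (+177 in the next hunk). start_rsh_server starts and ends outside this hunk.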
@@ -171,6 +174,9 @@ start_rsh_server (cvsroot_t *root, struc
*p++ = root->username;
}
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
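Review bot: This second code path also gains one more argv entry via `*p++ = "--";`, but unlike the first path the patch does not enlarge whatever array `p` writes into, and that array's declaration is not in this hunk. If it was sized as tightly as the original `rsh_argv[10]` (or allocated from a literal count), the extra element pushes `*p++ = NULL;` one slot further than before and may now write past the end; please confirm its capacity, and if it is a literal, consider bumping it in this patch alongside the `rsh_argv[16]` change in the first hunk. start_rsh_server continues beyond this hunk.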