Fix CVE-2017-14176: https://bugs.launchpad.net/bzr/+bug/1710979 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176 Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1: https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204 Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs Bug: https://bugs.launchpad.net/brz/+bug/1710979 Bug-Debian: https://bugs.debian.org/874429 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176 Forwarded: no Author: Jelmer Vernooij Last-Update: 2017-11-26
=== modified file 'bzrlib/tests/test_ssh_transport.py'
--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000
+++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000
@@ -22,6 +22,7 @@
 SSHCorpSubprocessVendor,
 LSHSubprocessVendor,
 SSHVendorManager,
+ StrangeHostname,
 )
@@ -161,6 +162,19 @@ class SubprocessVendorsTests(TestCase):
+ def test_openssh_command_tricked(self):
+ vendor = OpenSSHSubprocessVendor()
+ self.assertEqual(
+ vendor._get_vendor_specific_argv(
+ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
+ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
+ "-oClearAllForwardings=yes",
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
+ "--",
+ "-oProxyCommand=blah", "bzr"])
+
 def test_openssh_command_arguments(self):
 vendor = OpenSSHSubprocessVendor()
 self.assertEqual(
@@ -171,6 +185,7 @@
 "-oNoHostAuthenticationForLocalhost=yes",
 "-p", "100",
 "-l", "user",
+ "--",
 "host", "bzr"]
 )
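Review bot: test_openssh_command_tricked in the @@ -161 hunk carries no docstring, so a reader sees only that "--" is expected before a hostname that looks like an option and has to reconstruct the reason from the commit description. A one-line docstring such as `"""A host that starts with '-' must follow '--' so ssh cannot read it as an option (lp:1710979)."""` would record the intent next to the assertion. The same applies to the assertRaises tests added for the SSHCorp, LSH and PLink vendors in the later hunks, where the expected StrangeHostname should be named as the reason for the rejection. The bzrlib/transport/ssh.py change these tests cover is cut off at the end of the visible diff, so the argv construction itself could not be reviewed here.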
@@ -184,9 +199,16 @@
 "-oNoHostAuthenticationForLocalhost=yes",
 "-p", "100",
 "-l", "user",
- "-s", "host", "sftp"]
+ "-s", "--", "host", "sftp"]
 )
+ def test_openssh_command_tricked(self):
+ vendor = SSHCorpSubprocessVendor()
+ self.assertRaises(
+ StrangeHostname,
+ vendor._get_vendor_specific_argv,
+ "user", "-oProxyCommand=host", 100, command=["bzr"])
+
 def test_sshcorp_command_arguments(self):
 vendor = SSHCorpSubprocessVendor()
 self.assertEqual(
@@ -209,6 +231,13 @@
 "-s", "sftp", "host"]
 )
+ def test_lsh_command_tricked(self):
+ vendor = LSHSubprocessVendor()
+ self.assertRaises(
+ StrangeHostname,
+ vendor._get_vendor_specific_argv,
+ "user", "-oProxyCommand=host", 100, command=["bzr"])
+
 def test_lsh_command_arguments(self):
 vendor = LSHSubprocessVendor()
 self.assertEqual(
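Review bot: The SSHCorp test added in the @@ -184 hunk reuses the method name test_openssh_command_tricked that the @@ -161 hunk already defines for the OpenSSH vendor; if both are methods of SubprocessVendorsTests, as the earlier hunk header suggests, the later definition rebinds the name and the OpenSSH "--" assertion is never run. Rename it to follow its sibling test_sshcorp_command_arguments: `def test_sshcorp_command_tricked(self):`. The LSH and PLink tests in the following hunks already use the vendor-named pattern, so only this one needs the change.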
@@ -231,6 +260,13 @@
 "--subsystem", "sftp", "host"]
 )
+ def test_plink_command_tricked(self):
+ vendor = PLinkSubprocessVendor()
+ self.assertRaises(
+ StrangeHostname,
+ vendor._get_vendor_specific_argv,
+ "user", "-oProxyCommand=host", 100, command=["bzr"])
+
 def test_plink_command_arguments(self):
 vendor = PLinkSubprocessVendor()
 self.assertEqual(
=== modified file 'bzrlib/transport/ssh.py'
--- ol2020-07-12gnu: Remove ".git" from "https://github/…/….git"....Until now, 'lookup-origin' and thus 'lookup-origin-revision' in (guix swh) would sometimes return #f for these because the ".git" URLs are redirects to the non-".git" URLs. Consequently, 'guix lint -c archival' would keep saying "scheduled Software Heritage archival"; likewise, the fallback download code would fail. * gnu/packages/ada.scm, gnu/packages/admin.scm, gnu/packages/aidc.scm, gnu/packages/algebra.scm, gnu/packages/android.scm, gnu/packages/animation.scm, gnu/packages/arcan.scm, gnu/packages/assembly.scm, gnu/packages/audio.scm, gnu/packages/authentication.scm, gnu/packages/avr.scm, gnu/packages/axoloti.scm, gnu/packages/backup.scm, gnu/packages/bash.scm, gnu/packages/benchmark.scm, gnu/packages/bioconductor.scm, gnu/packages/bioinformatics.scm, gnu/packages/bittorrent.scm, gnu/packages/boost.scm, gnu/packages/build-tools.scm, gnu/packages/c.scm, gnu/packages/calendar.scm, gnu/packages/cdrom.scm, gnu/packages/check.scm, gnu/packages/chemistry.scm, gnu/packages/chez.scm, gnu/packages/clojure.scm, gnu/packages/code.scm, gnu/packages/compression.scm, gnu/packages/compton.scm, gnu/packages/coq.scm, gnu/packages/cpp.scm, gnu/packages/cran.scm, gnu/packages/crypto.scm, gnu/packages/curl.scm, gnu/packages/databases.scm, gnu/packages/datastructures.scm, gnu/packages/debug.scm, gnu/packages/disk.scm, gnu/packages/distributed.scm, gnu/packages/django.scm, gnu/packages/dlang.scm, gnu/packages/dns.scm, gnu/packages/docker.scm, gnu/packages/education.scm, gnu/packages/efi.scm, gnu/packages/elixir.scm, 
gnu/packages/emacs-xyz.scm, gnu/packages/embedded.scm, gnu/packages/emulators.scm, gnu/packages/engineering.scm, gnu/packages/erlang.scm, gnu/packages/fabric-management.scm, gnu/packages/file-systems.scm, gnu/packages/finance.scm, gnu/packages/firmware.scm, gnu/packages/flashing-tools.scm, gnu/packages/fonts.scm, gnu/packages/fontutils.scm, gnu/pac