Fix CVE-2017-12836: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836 https://security-tracker.debian.org/tracker/CVE-2017-12836 Patch adpated from Debian (comments and changelog annotations removed): https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094 From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001 From: mirabilos Date: Sat, 12 Aug 2017 03:17:18 +0200 Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch --- debian/changelog | 6 ++++++ src/rsh-client.c | 10 ++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/rsh-client.c b/src/rsh-client.c index fe0cfc4..1fc860d 100644 --- a/src/rsh-client.c +++ b/src/rsh-client.c @@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, rsh_argv[i++] = argvport; } + /* Only non-option arguments from here. (CVE-2017-12836) */ + rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; if (readonlyfs) @@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, *p++ = argvport; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL; -- cgit v0.12 -maintenance.scm?id=339eef40f85a08609bb711557a67945173b490cb'>treecommitdiff
path: root/tests/gnu-maintenance.scm
AgeCommit message (Expand)Author
2016-04-03build: Add a Guile custom test driver using SRFI-64....Mathieu Lirzin
2015-12-07gnu-maintenance: Add tests for 'release-file?'....Ludovic Courtès