Fix CVE-2017-12836:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
https://security-tracker.debian.org/tracker/CVE-2017-12836

Patch adpated from Debian (comments and changelog annotations removed):

https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094

From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
From: mirabilos <m@mirbsd.org>
Date: Sat, 12 Aug 2017 03:17:18 +0200
Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch

---
 debian/changelog |  6 ++++++
 src/rsh-client.c | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/rsh-client.c b/src/rsh-client.c
index fe0cfc4..1fc860d 100644
--- a/src/rsh-client.c
+++ b/src/rsh-client.c
@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
 		*p++ = argvport;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
-- 
cgit v0.12

b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>tree</a><a href='/guix/commit/gnu/packages/gdb.scm?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>commit</a><a href='/guix/diff/gnu/packages/gdb.scm?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/packages/gdb.scm'>
<input type='hidden' name='id' value='b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>root</a>/<a href='/guix/log/gnu?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>gnu</a>/<a href='/guix/log/gnu/packages?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>packages</a>/<a href='/guix/log/gnu/packages/gdb.scm?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5'>gdb.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/gdb.scm?id=b764dbc3195c843ae9f7bebb94dcaa9b1bdd43e5&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-11-15 11:43:54 +0100'>2024-11-15</span></td><td><a href='/guix/commit/gnu/packages/gdb.scm?id=773aa7a60b73d51869900ab23f86259965c21a28'>gnu: gdb: Use G-expressions.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gdb.scm (gdb/pinned): Use G-expressions.
(gdb-minimal gdb-multiarch, avr-gdb): ): Update acordingly.

Change-Id: Ifcdc6a337ec9c4d5c4303082d207b657cbc34765
</span></span></td><td>Janneke Nieuwenhuizen</td></tr>
<tr><td><span title='2024-08-31 10:42:19 +0200'>2024-08-31</span></td><td><a href='/guix/commit/gnu/packages/gdb.scm?id=bcc7655998332281c00bd1b579078c139850a1c6'>gnu: gdb: Import the correct set of modules.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gdb.scm (gdb) [arguments]
&lt;modules&gt;: Replace %default-gnu-imported-modules with %default-gnu-modules.

Change-Id: I0bf897af81c09ab7d00c1d06fb527633ed4c9bd8
</span></span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2024-08-31 10:42:16 +0200'>2024-08-31</span></td><td><a href='/guix/commit/gnu/packages/gdb.scm?id=f59df1aa3c104aabff3291f6b8b155fb01aebc06'>build-systems: gnu: Export %default-gnu-imported-modules and %default-gnu-mod...</a><span class='msg-avail'>...<span class='msg-tooltip'>Until now users would have to cargo cult or inspect the private
%default-modules variable of (guix build-systems gnu) to discover which
modules to include when extending the used modules via the #:modules argument.

The renaming was automated via the command:

  $ git grep -l %gnu-build-system-modules
    | xargs sed 's/%gnu-build-system-modules/%default-gnu-imported-modules/' -i

* guix/build-system/gnu.scm (%gnu-build-system-modules): Rename to...
(%default-gnu-imported-modules): ... this.
(%default-modules): Rename to...
(%default-gnu-modules): ... this.  Export.
(dist-package, gnu-build, gnu-cross-build): Adjust accordingly.

Change-Id: Idef307fff13cb76f3182d782b26e1cd3a5c757ee
</span></span></td><td>Maxim Cournoyer</td></tr>

Age	Commit message (Expand)	Author
2024-11-15	gnu: gdb: Use G-expressions....* gnu/packages/gdb.scm (gdb/pinned): Use G-expressions. (gdb-minimal gdb-multiarch, avr-gdb): ): Update acordingly. Change-Id: Ifcdc6a337ec9c4d5c4303082d207b657cbc34765	Janneke Nieuwenhuizen
2024-08-31	gnu: gdb: Import the correct set of modules....* gnu/packages/gdb.scm (gdb) [arguments] <modules>: Replace %default-gnu-imported-modules with %default-gnu-modules. Change-Id: I0bf897af81c09ab7d00c1d06fb527633ed4c9bd8	Maxim Cournoyer
2024-08-31	build-systems: gnu: Export %default-gnu-imported-modules and %default-gnu-mod......Until now users would have to cargo cult or inspect the private %default-modules variable of (guix build-systems gnu) to discover which modules to include when extending the used modules via the #:modules argument. The renaming was automated via the command: $ git grep -l %gnu-build-system-modules \| xargs sed 's/%gnu-build-system-modules/%default-gnu-imported-modules/' -i * guix/build-system/gnu.scm (%gnu-build-system-modules): Rename to... (%default-gnu-imported-modules): ... this. (%default-modules): Rename to... (%default-gnu-modules): ... this. Export. (dist-package, gnu-build, gnu-cross-build): Adjust accordingly. Change-Id: Idef307fff13cb76f3182d782b26e1cd3a5c757ee	Maxim Cournoyer