Fix CVE-2017-12836:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
https://security-tracker.debian.org/tracker/CVE-2017-12836

Patch adpated from Debian (comments and changelog annotations removed):

https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094

From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
From: mirabilos <m@mirbsd.org>
Date: Sat, 12 Aug 2017 03:17:18 +0200
Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch

---
 debian/changelog |  6 ++++++
 src/rsh-client.c | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/rsh-client.c b/src/rsh-client.c
index fe0cfc4..1fc860d 100644
--- a/src/rsh-client.c
+++ b/src/rsh-client.c
@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
 		*p++ = argvport;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
-- 
cgit v0.12

ions.scm?id=b021a640d334d8300cd3b50b29f958ffec6004e4'>tree</a><a href='/guix/commit/tests/transformations.scm?id=b021a640d334d8300cd3b50b29f958ffec6004e4'>commit</a><a href='/guix/diff/tests/transformations.scm?id=b021a640d334d8300cd3b50b29f958ffec6004e4'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/tests/transformations.scm'>
<input type='hidden' name='id' value='b021a640d334d8300cd3b50b29f958ffec6004e4'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=b021a640d334d8300cd3b50b29f958ffec6004e4'>root</a>/<a href='/guix/log/tests?id=b021a640d334d8300cd3b50b29f958ffec6004e4'>tests</a>/<a href='/guix/log/tests/transformations.scm?id=b021a640d334d8300cd3b50b29f958ffec6004e4'>transformations.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/tests/transformations.scm?id=b021a640d334d8300cd3b50b29f958ffec6004e4&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2021-09-08 18:03:50 +0200'>2021-09-08</span></td><td><a href='/guix/commit/tests/transformations.scm?id=16ef7b4938b14e68f8ca7504c9614f84530572ed'>transformations: Git tags and 'git describe' style IDs are used as version.</a><span class='msg-avail'>...</span></td><td>Marius Bakke</td></tr>
<tr><td><span title='2021-08-11 16:35:28 +0200'>2021-08-11</span></td><td><a href='/guix/commit/tests/transformations.scm?id=373e7ac4f9d510d3a58fcdbe9ec2d67eb426336b'>transformations: 'with-patch' works on non-origin sources.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-03-05 12:49:27 +0100'>2021-03-05</span></td><td><a href='/guix/commit/tests/transformations.scm?id=90ea8b16eb519a88d8f739fea5a416c0b99de19f'>profiles: 'package-&gt;manifest-entry' preserves transformations by default.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-01-19 17:45:39 +0100'>2021-01-19</span></td><td><a href='/guix/commit/tests/transformations.scm?id=9ab817b2a4601b4a6755983590ed7d93ebdc8d09'>transformations: Add '--with-latest'.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2020-12-27 17:23:40 +0100'>2020-12-27</span></td><td><a href='/guix/commit/tests/transformations.scm?id=e38d90d497e19e00263fa28961c688a433154386'>transformations: Add '--with-patch'.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2020-12-21 17:47:35 +0100'>2020-12-21</span></td><td><a href='/guix/commit/tests/transformations.scm?id=527551287011888c2ba13fe92e636300ce625430'>tests: Check the effect of '--without-tests' on implicit inputs.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2020-10-31 23:16:43 +0100'>2020-10-31</span></td><td><a href='/guix/commit/tests/transformations.scm?id=f68b3ba12dc7532dddde7dc63afb81a8492c661e'>guix build: Move transformation options to (guix transformations).</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (Expand)	Author
2021-09-08	transformations: Git tags and 'git describe' style IDs are used as version....	Marius Bakke
2021-08-11	transformations: 'with-patch' works on non-origin sources....	Ludovic Courtès
2021-03-05	profiles: 'package->manifest-entry' preserves transformations by default....	Ludovic Courtès
2021-01-19	transformations: Add '--with-latest'....	Ludovic Courtès
2020-12-27	transformations: Add '--with-patch'....	Ludovic Courtès
2020-12-21	tests: Check the effect of '--without-tests' on implicit inputs....	Ludovic Courtès
2020-10-31	guix build: Move transformation options to (guix transformations)....	Ludovic Courtès