Fix CVE-2017-12836: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836 https://security-tracker.debian.org/tracker/CVE-2017-12836 Patch adpated from Debian (comments and changelog annotations removed): https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094 From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001 From: mirabilos Date: Sat, 12 Aug 2017 03:17:18 +0200 Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch --- debian/changelog | 6 ++++++ src/rsh-client.c | 10 ++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/rsh-client.c b/src/rsh-client.c index fe0cfc4..1fc860d 100644 --- a/src/rsh-client.c +++ b/src/rsh-client.c @@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, rsh_argv[i++] = argvport; } + /* Only non-option arguments from here. (CVE-2017-12836) */ + rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; if (readonlyfs) @@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, *p++ = argvport; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL; -- cgit v0.12 746be30e0436773d8dcab69d8e36'>treecommitdiff
path: root/gnu/tests/rsync.scm
AgeCommit message (Expand)Author
2018-10-18services: dhcp-client: Deprecate 'dhcp-client-service' procedure....Ludovic Courtès
2018-06-13tests: Honor the return value of 'start-service'....Clément Lassieur
2017-09-23gnu: Add rsync service....Oleg Pykhalov