* [bug#28086] [PATCH] gnu: cvs: Fix CVE-2017-12836.
@ 2017-08-14 16:27 Leo Famulari
2017-08-14 19:45 ` Marius Bakke
0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2017-08-14 16:27 UTC (permalink / raw)
To: 28086
* gnu/packages/patches/cvs-2017-12836.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (cvs)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/cvs-2017-12836.patch | 45 +++++++++++++++++++++++++++++++
gnu/packages/version-control.scm | 1 +
3 files changed, 47 insertions(+)
create mode 100644 gnu/packages/patches/cvs-2017-12836.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index ec37f81b0..97e876a50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -569,6 +569,7 @@ dist_patch_DATA = \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/curl-bounds-check.patch \
%D%/packages/patches/cursynth-wave-rand.patch \
+ %D%/packages/patches/cvs-2017-12836.patch \
%D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch \
%D%/packages/patches/dblatex-remove-multirow.patch \
%D%/packages/patches/dbus-helper-search-path.patch \
diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch
new file mode 100644
index 000000000..507ab0f7d
--- /dev/null
+++ b/gnu/packages/patches/cvs-2017-12836.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-12836:
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
+https://security-tracker.debian.org/tracker/CVE-2017-12836
+
+Patch adpated from Debian (comments and changelog annotations removed):
+
+https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094
+
+From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
+From: mirabilos <m@mirbsd.org>
+Date: Sat, 12 Aug 2017 03:17:18 +0200
+Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch
+
+---
+ debian/changelog | 6 ++++++
+ src/rsh-client.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsh-client.c b/src/rsh-client.c
+index fe0cfc4..1fc860d 100644
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
+ rsh_argv[i++] = argvport;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+ if (readonlyfs)
+@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
+ *p++ = argvport;
+ }
+
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
+--
+cgit v0.12
+
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index bff647155..3689d0613 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -921,6 +921,7 @@ machine.")
(uri (string-append
"https://ftp.gnu.org/non-gnu/cvs/source/feature/"
version "/cvs-" version ".tar.bz2"))
+ (patches (search-patches "cvs-2017-12836.patch"))
(sha256
(base32
"0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))
--
2.14.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-08-14 19:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-14 16:27 [bug#28086] [PATCH] gnu: cvs: Fix CVE-2017-12836 Leo Famulari
2017-08-14 19:45 ` Marius Bakke
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.