From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:32773)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dhIEk-0003WP-7f
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:29:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dhIEh-0006Sd-0K
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:29:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:55326)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1dhIEg-0006SZ-TN
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:29:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1dhIEg-000524-LA
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:29:02 -0400
Subject: [bug#28086] [PATCH] gnu: cvs: Fix CVE-2017-12836.
Resent-Message-ID: <handler.28086.B.150272809019336@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60445)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1dhIDZ-0002Z3-FN
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:27:54 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1dhIDW-0005wg-1W
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:27:53 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:39255)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1dhIDV-0005wS-P4
	for guix-patches@gnu.org; Mon, 14 Aug 2017 12:27:49 -0400
Received: from jasmine.lan (c-73-165-108-70.hsd1.pa.comcast.net
	[73.165.108.70])
	by mail.messagingengine.com (Postfix) with ESMTPA id 96B2A2471A
	for <guix-patches@gnu.org>; Mon, 14 Aug 2017 12:27:48 -0400 (EDT)
From: Leo Famulari <leo@famulari.name>
Date: Mon, 14 Aug 2017 12:27:45 -0400
Message-Id: <9a3ab28b726806b80a0e28ff4e0d6b2ac4636c85.1502728065.git.leo@famulari.name>
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 28086@debbugs.gnu.org

* gnu/packages/patches/cvs-2017-12836.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (cvs)[source]: Use it.
---
 gnu/local.mk                              |  1 +
 gnu/packages/patches/cvs-2017-12836.patch | 45 +++++++++++++++++++++++++++++++
 gnu/packages/version-control.scm          |  1 +
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/cvs-2017-12836.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ec37f81b0..97e876a50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -569,6 +569,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/curl-bounds-check.patch			\
   %D%/packages/patches/cursynth-wave-rand.patch			\
+  %D%/packages/patches/cvs-2017-12836.patch			\
   %D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch		\
   %D%/packages/patches/dblatex-remove-multirow.patch		\
   %D%/packages/patches/dbus-helper-search-path.patch		\
diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch
new file mode 100644
index 000000000..507ab0f7d
--- /dev/null
+++ b/gnu/packages/patches/cvs-2017-12836.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-12836:
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
+https://security-tracker.debian.org/tracker/CVE-2017-12836
+
+Patch adpated from Debian (comments and changelog annotations removed):
+
+https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094
+
+From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
+From: mirabilos <m@mirbsd.org>
+Date: Sat, 12 Aug 2017 03:17:18 +0200
+Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch
+
+---
+ debian/changelog |  6 ++++++
+ src/rsh-client.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsh-client.c b/src/rsh-client.c
+index fe0cfc4..1fc860d 100644
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
+ 	rsh_argv[i++] = argvport;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     if (readonlyfs)
+@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
+ 		*p++ = argvport;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;
+-- 
+cgit v0.12
+
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index bff647155..3689d0613 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -921,6 +921,7 @@ machine.")
              (uri (string-append
                    "https://ftp.gnu.org/non-gnu/cvs/source/feature/"
                    version "/cvs-" version ".tar.bz2"))
+             (patches (search-patches "cvs-2017-12836.patch"))
              (sha256
               (base32
                "0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))
-- 
2.14.1