1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
Subject: [PATCH] Fix CVE-2017-12836
From: Thorsten Glaser <tg@mirbsd.de>
--- a/src/rsh-client.c
+++ b/src/rsh-client.c
@@ -53,9 +53,10 @@
char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
+ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+ "--", "host", "cvs", "-R", "server", and NULL.
+ We leave some room to grow. */
+ char *rsh_argv[16];
if (!cvs_rsh)
/* People sometimes suggest or assume that this should default
@@ -97,6 +98,9 @@
rsh_argv[i++] = root->username;
}
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
rsh_argv[i++] = "server";
@@ -171,6 +175,8 @@
*p++ = root->username;
}
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
|
