cvs: fix CVE-2017-12836
This patch is based on the patch by Thorsten Glaser (MirBSD) [1]

[1] http://www.mirbsd.org/cvs.cgi/src/gnu/usr.bin/cvs/src/rsh-client.c.diff?r1=1.6;r2=1.7

(cherry picked from commit d0c8c66)
andir authored and NeQuissimus committed Nov 7, 2017
1 parent 02b67d9 commit edcc045
Showing 2 changed files with 30 additions and 0 deletions.
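--- a/pkgs/applications/version-management/cvs/CVE-2017-12836.patch
+++ b/pkgs/applications/version-management/cvs/CVE-2017-12836.patch
@@ -0,0 +1,29 @@
+--- a/src/rsh-client.c.orig 2005-10-02 17:17:21.000000000 +0200
++++ b/src/rsh-client.c 2017-11-07 16:56:06.957370469 +0100
+@@ -53,7 +53,7 @@
+char *cvs_server = (root->cvs_server != NULL
+? root->cvs_server : getenv ("CVS_SERVER"));
+int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+"cmd (w/ args)", and NULL. We leave some room to grow. */
+char *rsh_argv[10];
+
+@@ -97,6 +97,9 @@
+rsh_argv[i++] = root->username;
+}
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
++
+rsh_argv[i++] = root->hostname;
+rsh_argv[i++] = cvs_server;
+rsh_argv[i++] = "server";
+@@ -171,6 +174,7 @@
+*p++ = root->username;
+}
+
++ *p++ = "--";
+*p++ = root->hostname;
+*p++ = command;
+*p++ = NULL;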
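Review bot: The `--` inserted before `root->hostname` in both argv builders (the `rsh_argv` one and the `*p++` one) protects only when the program selected through CVS_RSH honours `--` as end-of-options, which nothing in the patch checks; a transport that does not may still parse a host name starting with `-` as an option, or take `--` itself as the host. Rejecting such a host name before argv is built would not depend on the transport, e.g. `if (root->hostname[0] == '-') error (1, 0, "invalid host name '%s'", root->hostname);` ahead of each `"--"` line, assuming CVS's usual `error ()` helper is in scope in this file. With the separate `cvs_server` and `"server"` entries visible in the second hunk, `rsh_argv[10]` appears to hold up to nine pointers now, so the "room to grow" its comment mentions is down to one slot. Both functions start and end outside the hunks, so the full argv construction is not visible here.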
1 change: 1 addition & 0 deletions pkgs/applications/version-management/cvs/default.nix
@@ -11,6 +11,7 @@ stdenv.mkDerivation {
patches = [
./getcwd-chroot.patch
./CVE-2012-0804.patch
./CVE-2017-12836.patch
];

hardeningDisable = [ "fortify" "format" ];