diff options
author | Leo Famulari <leo@famulari.name> | 2017-08-14 12:27:01 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-08-14 15:55:31 -0400 |
commit | 15428168eaf06ce54aa3f8ed8eec819d6bbdefec (patch) | |
tree | d8b3b816ca72967aa1ce5acf33fde62bd0f9b484 /gnu/packages/patches/cvs-2017-12836.patch | |
parent | 36bfcf7e3a6d2a2dbaa05a4cfb4066adcf13da6d (diff) | |
download | guix-15428168eaf06ce54aa3f8ed8eec819d6bbdefec.tar guix-15428168eaf06ce54aa3f8ed8eec819d6bbdefec.tar.gz |
gnu: cvs: Fix CVE-2017-12836.
* gnu/packages/patches/cvs-2017-12836.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (cvs)[source]: Use it.
Diffstat (limited to 'gnu/packages/patches/cvs-2017-12836.patch')
-rw-r--r-- | gnu/packages/patches/cvs-2017-12836.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch new file mode 100644 index 0000000000..507ab0f7d0 --- /dev/null +++ b/gnu/packages/patches/cvs-2017-12836.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-12836: + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836 +https://security-tracker.debian.org/tracker/CVE-2017-12836 + +Patch adpated from Debian (comments and changelog annotations removed): + +https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094 + +From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001 +From: mirabilos <m@mirbsd.org> +Date: Sat, 12 Aug 2017 03:17:18 +0200 +Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch + +--- + debian/changelog | 6 ++++++ + src/rsh-client.c | 10 ++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/rsh-client.c b/src/rsh-client.c +index fe0cfc4..1fc860d 100644 +--- a/src/rsh-client.c ++++ b/src/rsh-client.c +@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + rsh_argv[i++] = argvport; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + if (readonlyfs) +@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + *p++ = argvport; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +cgit v0.12 + |