diff options
Diffstat (limited to 'gnu/packages/patches/fossil-CVE-2017-17459.patch')
-rw-r--r-- | gnu/packages/patches/fossil-CVE-2017-17459.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/gnu/packages/patches/fossil-CVE-2017-17459.patch b/gnu/packages/patches/fossil-CVE-2017-17459.patch new file mode 100644 index 0000000000..e566235b4e --- /dev/null +++ b/gnu/packages/patches/fossil-CVE-2017-17459.patch @@ -0,0 +1,57 @@ +Fix CVE-2017-17459: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459 + +Patch copied from upstream source repository: + +https://www.fossil-scm.org/xfer/info/1f63db591c77108c + +Index: src/http_transport.c +================================================================== +--- src/http_transport.c ++++ src/http_transport.c +@@ -73,10 +73,23 @@ + if( resetFlag ){ + transport.nSent = 0; + transport.nRcvd = 0; + } + } ++ ++/* ++** Remove leading "-" characters from the input string. ++** ++** This prevents attacks that try to trick a victim into using ++** a ssh:// URI with a carefully crafted hostname of other ++** parameter that ends up being interpreted as a command-line ++** option by "ssh". ++*/ ++static const char *stripLeadingMinus(const char *z){ ++ while( z[0]=='-' ) z++; ++ return z; ++} + + /* + ** Default SSH command + */ + #ifdef _WIN32 +@@ -116,17 +129,17 @@ + }else{ + zHost = mprintf("%s", pUrlData->name); + } + n = blob_size(&zCmd); + blob_append(&zCmd, " ", 1); +- shell_escape(&zCmd, zHost); ++ shell_escape(&zCmd, stripLeadingMinus(zHost)); + blob_append(&zCmd, " ", 1); + shell_escape(&zCmd, mprintf("%s", pUrlData->fossil)); + blob_append(&zCmd, " test-http", 10); + if( pUrlData->path && pUrlData->path[0] ){ + blob_append(&zCmd, " ", 1); +- shell_escape(&zCmd, mprintf("%s", pUrlData->path)); ++ shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path))); + } + if( g.fSshTrace ){ + fossil_print("%s\n", blob_str(&zCmd)+n); /* Show tail of SSH command */ + } + free(zHost); + |