From 15428168eaf06ce54aa3f8ed8eec819d6bbdefec Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Mon, 14 Aug 2017 12:27:01 -0400 Subject: [PATCH] gnu: cvs: Fix CVE-2017-12836. * gnu/packages/patches/cvs-2017-12836.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/version-control.scm (cvs)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/cvs-2017-12836.patch | 45 +++++++++++++++++++++++ gnu/packages/version-control.scm | 1 + 3 files changed, 47 insertions(+) create mode 100644 gnu/packages/patches/cvs-2017-12836.patch diff --git a/gnu/local.mk b/gnu/local.mk index ec37f81b0f..97e876a507 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -569,6 +569,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/curl-bounds-check.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ + %D%/packages/patches/cvs-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch \ %D%/packages/patches/dblatex-remove-multirow.patch \ %D%/packages/patches/dbus-helper-search-path.patch \ diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch new file mode 100644 index 0000000000..507ab0f7d0 --- /dev/null +++ b/gnu/packages/patches/cvs-2017-12836.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-12836: + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836 +https://security-tracker.debian.org/tracker/CVE-2017-12836 + +Patch adpated from Debian (comments and changelog annotations removed): + +https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094 + +From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001 +From: mirabilos +Date: Sat, 12 Aug 2017 03:17:18 +0200 +Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch + +--- + debian/changelog | 6 ++++++ + src/rsh-client.c | 10 ++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/rsh-client.c b/src/rsh-client.c +index fe0cfc4..1fc860d 100644 +--- a/src/rsh-client.c ++++ b/src/rsh-client.c +@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + rsh_argv[i++] = argvport; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + if (readonlyfs) +@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + *p++ = argvport; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +cgit v0.12 + diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 151cf0cf10..7c1f02d5ad 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -924,6 +924,7 @@ (define-public cvs (uri (string-append "https://ftp.gnu.org/non-gnu/cvs/source/feature/" version "/cvs-" version ".tar.bz2")) + (patches (search-patches "cvs-2017-12836.patch")) (sha256 (base32 "0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))