mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: cvs: Fix CVE-2017-12836.
* gnu/packages/patches/cvs-2017-12836.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/version-control.scm (cvs)[source]: Use it.
This commit is contained in:
parent
36bfcf7e3a
commit
15428168ea
3 changed files with 47 additions and 0 deletions
|
@ -569,6 +569,7 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/clucene-contribs-lib.patch \
|
%D%/packages/patches/clucene-contribs-lib.patch \
|
||||||
%D%/packages/patches/curl-bounds-check.patch \
|
%D%/packages/patches/curl-bounds-check.patch \
|
||||||
%D%/packages/patches/cursynth-wave-rand.patch \
|
%D%/packages/patches/cursynth-wave-rand.patch \
|
||||||
|
%D%/packages/patches/cvs-2017-12836.patch \
|
||||||
%D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch \
|
%D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch \
|
||||||
%D%/packages/patches/dblatex-remove-multirow.patch \
|
%D%/packages/patches/dblatex-remove-multirow.patch \
|
||||||
%D%/packages/patches/dbus-helper-search-path.patch \
|
%D%/packages/patches/dbus-helper-search-path.patch \
|
||||||
|
|
45
gnu/packages/patches/cvs-2017-12836.patch
Normal file
45
gnu/packages/patches/cvs-2017-12836.patch
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
Fix CVE-2017-12836:
|
||||||
|
|
||||||
|
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
|
||||||
|
https://security-tracker.debian.org/tracker/CVE-2017-12836
|
||||||
|
|
||||||
|
Patch adpated from Debian (comments and changelog annotations removed):
|
||||||
|
|
||||||
|
https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094
|
||||||
|
|
||||||
|
From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
|
||||||
|
From: mirabilos <m@mirbsd.org>
|
||||||
|
Date: Sat, 12 Aug 2017 03:17:18 +0200
|
||||||
|
Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch
|
||||||
|
|
||||||
|
---
|
||||||
|
debian/changelog | 6 ++++++
|
||||||
|
src/rsh-client.c | 10 ++++++++--
|
||||||
|
2 files changed, 14 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/rsh-client.c b/src/rsh-client.c
|
||||||
|
index fe0cfc4..1fc860d 100644
|
||||||
|
--- a/src/rsh-client.c
|
||||||
|
+++ b/src/rsh-client.c
|
||||||
|
@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
|
||||||
|
rsh_argv[i++] = argvport;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Only non-option arguments from here. (CVE-2017-12836) */
|
||||||
|
+ rsh_argv[i++] = "--";
|
||||||
|
+
|
||||||
|
rsh_argv[i++] = root->hostname;
|
||||||
|
rsh_argv[i++] = cvs_server;
|
||||||
|
if (readonlyfs)
|
||||||
|
@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
|
||||||
|
*p++ = argvport;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ *p++ = "--";
|
||||||
|
+
|
||||||
|
*p++ = root->hostname;
|
||||||
|
*p++ = command;
|
||||||
|
*p++ = NULL;
|
||||||
|
--
|
||||||
|
cgit v0.12
|
||||||
|
|
|
@ -924,6 +924,7 @@ (define-public cvs
|
||||||
(uri (string-append
|
(uri (string-append
|
||||||
"https://ftp.gnu.org/non-gnu/cvs/source/feature/"
|
"https://ftp.gnu.org/non-gnu/cvs/source/feature/"
|
||||||
version "/cvs-" version ".tar.bz2"))
|
version "/cvs-" version ".tar.bz2"))
|
||||||
|
(patches (search-patches "cvs-2017-12836.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))
|
"0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))
|
||||||
|
|
Loading…
Reference in a new issue