~ruther/guix-local

15428168eaf06ce54aa3f8ed8eec819d6bbdefec — Leo Famulari 8 years ago 36bfcf7 
gnu: cvs: Fix CVE-2017-12836.

* gnu/packages/patches/cvs-2017-12836.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (cvs)[source]: Use it.
patch browse .tar.gz 
3 files changed, 47 insertions(+), 0 deletions(-)

M gnu/local.mk
A gnu/packages/patches/cvs-2017-12836.patch
M gnu/packages/version-control.scm

M gnu/local.mk => gnu/local.mk +1 -0
@@ 569,6 569,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/clucene-contribs-lib.patch               \
  %D%/packages/patches/curl-bounds-check.patch			\
  %D%/packages/patches/cursynth-wave-rand.patch			\
  %D%/packages/patches/cvs-2017-12836.patch			\
  %D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch		\
  %D%/packages/patches/dblatex-remove-multirow.patch		\
  %D%/packages/patches/dbus-helper-search-path.patch		\


A gnu/packages/patches/cvs-2017-12836.patch => gnu/packages/patches/cvs-2017-12836.patch +45 -0
@@ 0,0 1,45 @@
Fix CVE-2017-12836:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
https://security-tracker.debian.org/tracker/CVE-2017-12836

Patch adpated from Debian (comments and changelog annotations removed):

https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094

From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
From: mirabilos <m@mirbsd.org>
Date: Sat, 12 Aug 2017 03:17:18 +0200
Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch

---
 debian/changelog |  6 ++++++
 src/rsh-client.c | 10 ++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/rsh-client.c b/src/rsh-client.c
index fe0cfc4..1fc860d 100644
--- a/src/rsh-client.c
+++ b/src/rsh-client.c
@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
 		*p++ = argvport;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
-- 
cgit v0.12



M gnu/packages/version-control.scm => gnu/packages/version-control.scm +1 -0
@@ 924,6 924,7 @@ machine.")
             (uri (string-append
                   "https://ftp.gnu.org/non-gnu/cvs/source/feature/"
                   version "/cvs-" version ".tar.bz2"))
             (patches (search-patches "cvs-2017-12836.patch"))
             (sha256
              (base32
               "0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))