Mon Aug 21 22:57:45 2017 UTC ()
Fix for CVE-2017-12836


(tez)
diff -r1.17 -r1.18 pkgsrc/devel/scmcvs/Makefile
diff -r1.18 -r1.19 pkgsrc/devel/scmcvs/distinfo
diff -r0 -r1.1 pkgsrc/devel/scmcvs/patches/patch-rsh-client.c

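--- a/pkgsrc/devel/scmcvs/Makefile
+++ b/pkgsrc/devel/scmcvs/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.17 2017/05/12 05:13:43 maya Exp $
+# $NetBSD: Makefile,v 1.18 2017/08/21 22:57:45 tez Exp $
 
 DISTNAME= cvs-1.12.13
-PKGREVISION= 5
+PKGREVISION= 6
 CATEGORIES= devel scm
 MASTER_SITES= http://ftp.gnu.org/non-gnu/cvs/source/feature/${PKGVERSION_NOREV}/
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://cvs.nongnu.org/
 COMMENT= Concurrent Versions System
 LICENSE= gnu-gpl-v2
 
 USE_TOOLS+= makeinfo autoconf
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+= --with-external-zlib
 CONFIGURE_ARGS+= --with-rsh=ssh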

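--- a/pkgsrc/devel/scmcvs/distinfo
+++ b/pkgsrc/devel/scmcvs/distinfo
@@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.18 2017/08/18 21:41:19 adam Exp $
+$NetBSD: distinfo,v 1.19 2017/08/21 22:57:45 tez Exp $
 
 SHA1 (cvs-1.12.13.tar.bz2) = 93a8dacc6ff0e723a130835713235863f1f5ada9
 RMD160 (cvs-1.12.13.tar.bz2) = ba3048e3e2d99ae78f6a759889b615acf65dd487
 SHA512 (cvs-1.12.13.tar.bz2) = 7d10f808de62190b18d4f706d2d03ab218a508bfb52047ff3e830e293ec40c5e8bf6cc743ef72a5c24be5aa867c9e4892d7d475a026a98b296a3764b4bd0f4d8
 Size (cvs-1.12.13.tar.bz2) = 3911104 bytes
 SHA1 (patch-ab) = bc26fcb899d6316298c97779016aab4edb5cd124
 SHA1 (patch-ad) = 12847d39cece34b310e4bc88c47fa8769233dff5
 SHA1 (patch-ae) = be535ece7dc9b62c940f500e67c454bf1a86feed
 SHA1 (patch-af) = 4299a901206aef3accb428579deb8774411992c7
 SHA1 (patch-ag) = 53d072ba6bdbe0f988829616a232bb154cab2be3
 SHA1 (patch-ah) = b03e6675ab1f6f62fc885d990b5a6bf64c309e9f
 SHA1 (patch-ai) = d265a2967566cf2679ad6fff1dffd5c6d6cbd120
 SHA1 (patch-ak) = 3582de771a424cd7c906574bf4a76fc57f977e6b
@@ -19,16 +19,17 @@ SHA1 (patch-ao) = ccc7a159a6eb1ebc07c918
 SHA1 (patch-ap) = 8c8aafece339da841d3d3629449f1197339f3b22
 SHA1 (patch-aq) = b7cabaf9b713aac2a199a98a91432f1abf406c82
 SHA1 (patch-ar) = 3cb7fce566606a3757f51d5ca562a8117ebfec92
 SHA1 (patch-at) = 618673945aa10053f9fed5bee71b51605f39f4b4
 SHA1 (patch-au) = 2f906a2940c496c4ecfcbb6efaf79fe43726a12c
 SHA1 (patch-av) = 4bcfb17e86cd772dd9e182384f048c593462f5a8
 SHA1 (patch-ay) = 6ce1c3c21dbc478248068f8b8850c21b0cb48c42
 SHA1 (patch-az) = 9dfd460ae6617f1492e0e6861387ff80080a7d5d
 SHA1 (patch-ba) = 7153e12e5da86effd4285e147f9f534011982e07
 SHA1 (patch-bb) = 09a607426b672f44c1882b82812e6ca81efdcf8e
 SHA1 (patch-lib_mktime.c) = 526a0e24c6399d527ae6a463ea91e993f9f7e920
 SHA1 (patch-lib_vasnprintf.c) = fbba4d923d3c61ebcf79e82779919dc1f8a570c0
 SHA1 (patch-m4_fpending.m4) = 6b7c96d8f092e179d2cfdf036bcbfd3855292e0f
+SHA1 (patch-rsh-client.c) = 448811f5df402501c7070677fc8c2d1873764306
 SHA1 (patch-src_error.c) = 60aba581be95aebbb6fb16c888fd384d855fe56e
 SHA1 (patch-src_ignore.c) = 90ac25311c83bb5713b83b9cfb6b2c03790ee787
 SHA1 (patch-src_zlib.c) = fee3becf1cc2e45d1241a302ed65c5f11b477a0a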

File Added: pkgsrc/devel/scmcvs/patches/patch-rsh-client.c
$NetBSD: patch-rsh-client.c,v 1.1 2017/08/21 22:57:45 tez Exp $

Fix for CVE-2017-12836 from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810


--- src/rsh-client.c.orig	2017-08-21 22:38:03.283783300 +0000
+++ src/rsh-client.c
@@ -53,9 +53,9 @@ start_rsh_server (cvsroot_t *root, struc
     char *cvs_server = (root->cvs_server != NULL
 			? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+    /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
        "cmd (w/ args)", and NULL.  We leave some room to grow. */
-    char *rsh_argv[10];
+    char *rsh_argv[16];
 
     if (!cvs_rsh)
 	/* People sometimes suggest or assume that this should default
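Review bot: The new size in `char *rsh_argv[16];` is still a bare number that nothing ties to the stores made through `rsh_argv[i++]`, and none of the stores visible in this patch is bounds-checked. The updated comment lists eight slots, so 16 is ample today, but a later option added to the argument list could run past the stack array without any diagnostic. Consider `assert (i < (int) (sizeof rsh_argv / sizeof rsh_argv[0]));` immediately before the terminating NULL is stored. That store and the rest of start_rsh_server lie outside this hunk, so the exact placement needs checking against the full file.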
@@ -96,6 +96,9 @@ start_rsh_server (cvsroot_t *root, struc
 	rsh_argv[i++] = "-l";
 	rsh_argv[i++] = root->username;
     }
+    
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
 
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
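Review bot: The `"--"` stored before `root->hostname` protects only when the program named by `cvs_rsh` honours the end-of-options convention, and this patch does not constrain which program that is. The package is configured `--with-rsh=ssh`, but `cvs_rsh` is assigned above this hunk and may be overridden at run time, so a transport that does not parse `--` would either fail or still treat a hostname beginning with `-` as an option. A transport-independent guard is to refuse such a hostname before the argument vector is built, for example `if (root->hostname[0] == '-') error (1, 0, "invalid hostname: %s", root->hostname);`. The same point applies to the `*p++ = "--";` path in the third hunk; the function body continues outside both hunks.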
@@ -171,6 +174,9 @@ start_rsh_server (cvsroot_t *root, struc
 	    *p++ = root->username;
 	}
 
+        /* Only non-option arguments from here. (CVE-2017-12836) */
+        *p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
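Review bot: This path appends through `p` into an array declared outside the hunks shown, while the first hunk enlarges only `rsh_argv`. Please confirm that the array `p` walks has room for the extra `"--"` slot plus the terminating NULL, and update its sizing comment if it has one. The two added lines here are indented with spaces where the neighbouring lines use a tab, and the second hunk adds a line that holds only trailing whitespace; matching the file's tab indentation would keep the patch minimal.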