pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc Fix for CVE-2017-12836
details: https://anonhg.NetBSD.org/pkgsrc/rev/a324a6110736
branches: trunk
changeset: 367014:a324a6110736
user: tez <tez%pkgsrc.org@localhost>
date: Mon Aug 21 22:57:45 2017 +0000
description:
Fix for CVE-2017-12836
diffstat:
devel/scmcvs/Makefile | 4 +-
devel/scmcvs/distinfo | 3 +-
devel/scmcvs/patches/patch-rsh-client.c | 39 +++++++++++++++++++++++++++++++++
doc/CHANGES-2017 | 3 +-
4 files changed, 45 insertions(+), 4 deletions(-)
diffs (87 lines):
diff -r 46ae4600c2ab -r a324a6110736 devel/scmcvs/Makefile
--- a/devel/scmcvs/Makefile Mon Aug 21 22:21:11 2017 +0000
+++ b/devel/scmcvs/Makefile Mon Aug 21 22:57:45 2017 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.17 2017/05/12 05:13:43 maya Exp $
+# $NetBSD: Makefile,v 1.18 2017/08/21 22:57:45 tez Exp $
DISTNAME= cvs-1.12.13
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= devel scm
MASTER_SITES= http://ftp.gnu.org/non-gnu/cvs/source/feature/${PKGVERSION_NOREV}/
EXTRACT_SUFX= .tar.bz2
diff -r 46ae4600c2ab -r a324a6110736 devel/scmcvs/distinfo
--- a/devel/scmcvs/distinfo Mon Aug 21 22:21:11 2017 +0000
+++ b/devel/scmcvs/distinfo Mon Aug 21 22:57:45 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2017/08/18 21:41:19 adam Exp $
+$NetBSD: distinfo,v 1.19 2017/08/21 22:57:45 tez Exp $
SHA1 (cvs-1.12.13.tar.bz2) = 93a8dacc6ff0e723a130835713235863f1f5ada9
RMD160 (cvs-1.12.13.tar.bz2) = ba3048e3e2d99ae78f6a759889b615acf65dd487
@@ -29,6 +29,7 @@
SHA1 (patch-lib_mktime.c) = 526a0e24c6399d527ae6a463ea91e993f9f7e920
SHA1 (patch-lib_vasnprintf.c) = fbba4d923d3c61ebcf79e82779919dc1f8a570c0
SHA1 (patch-m4_fpending.m4) = 6b7c96d8f092e179d2cfdf036bcbfd3855292e0f
+SHA1 (patch-rsh-client.c) = 448811f5df402501c7070677fc8c2d1873764306
SHA1 (patch-src_error.c) = 60aba581be95aebbb6fb16c888fd384d855fe56e
SHA1 (patch-src_ignore.c) = 90ac25311c83bb5713b83b9cfb6b2c03790ee787
SHA1 (patch-src_zlib.c) = fee3becf1cc2e45d1241a302ed65c5f11b477a0a
diff -r 46ae4600c2ab -r a324a6110736 devel/scmcvs/patches/patch-rsh-client.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/scmcvs/patches/patch-rsh-client.c Mon Aug 21 22:57:45 2017 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-rsh-client.c,v 1.1 2017/08/21 22:57:45 tez Exp $
+
+Fix for CVE-2017-12836 from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
+
+
+--- src/rsh-client.c.orig 2017-08-21 22:38:03.283783300 +0000
++++ src/rsh-client.c
+@@ -53,9 +53,9 @@ start_rsh_server (cvsroot_t *root, struc
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+ "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ char *rsh_argv[16];
+
+ if (!cvs_rsh)
+ /* People sometimes suggest or assume that this should default
+@@ -96,6 +96,9 @@ start_rsh_server (cvsroot_t *root, struc
+ rsh_argv[i++] = "-l";
+ rsh_argv[i++] = root->username;
+ }
++
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
+
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+@@ -171,6 +174,9 @@ start_rsh_server (cvsroot_t *root, struc
+ *p++ = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
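Review bot: the second inner hunk (around line 174) appends an extra element, `*p++ = "--";`, to the array written through `p`, but unlike the first hunk, which grows `rsh_argv[10]` to `rsh_argv[16]` to make room for the new marker, no enlargement of that array's allocation appears anywhere in the diff; please confirm the backing buffer has room for one more pointer before the terminating NULL, otherwise the fix trades an argument-handling issue for an out-of-bounds write. The `"--"` marker itself is the right mitigation: it ends option parsing so a hostname taken from CVSROOT that begins with `-` is passed to the rsh/ssh program as a positional argument rather than interpreted as an option. It does rely on the configured `cvs_rsh` program honouring `--` as an end-of-options marker (ssh does; rsh implementations vary), which is worth a sentence in the patch header above the hunks.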
diff -r 46ae4600c2ab -r a324a6110736 doc/CHANGES-2017
--- a/doc/CHANGES-2017 Mon Aug 21 22:21:11 2017 +0000
+++ b/doc/CHANGES-2017 Mon Aug 21 22:57:45 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2017,v 1.3398 2017/08/21 22:21:11 tez Exp $
+$NetBSD: CHANGES-2017,v 1.3399 2017/08/21 22:59:02 tez Exp $
Changes to the packages collection and infrastructure in 2017:
@@ -4732,3 +4732,4 @@
Added databases/py-unicodecsv version 0.14.1 [adam 2017-08-21]
Added www/py-django-sql-explorer version 1.1.1 [adam 2017-08-21]
Updated security/mit-krb5 to 1.14.5nb1 [tez 2017-08-21]
+ Updated devel/scmcvs to 1.12.13nb6 [tez 2017-08-21]