pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/devel/bzr Add patch for CVE-2017-14176
details: https://anonhg.NetBSD.org/pkgsrc/rev/9c4f0f0328a0
branches: trunk
changeset: 373732:9c4f0f0328a0
user: tez <tez%pkgsrc.org@localhost>
date: Tue Jan 09 22:18:57 2018 +0000
description:
Add patch for CVE-2017-14176
diffstat:
devel/bzr/Makefile | 3 +-
devel/bzr/distinfo | 3 +-
devel/bzr/patches/patch-CVE-2017-14176 | 151 +++++++++++++++++++++++++++++++++
3 files changed, 155 insertions(+), 2 deletions(-)
diffs (180 lines):
diff -r c7ff4019965a -r 9c4f0f0328a0 devel/bzr/Makefile
--- a/devel/bzr/Makefile Tue Jan 09 20:56:04 2018 +0000
+++ b/devel/bzr/Makefile Tue Jan 09 22:18:57 2018 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.69 2017/01/01 14:43:29 wiz Exp $
+# $NetBSD: Makefile,v 1.70 2018/01/09 22:18:57 tez Exp $
DISTNAME= bzr-2.6.0
+PKGREVISION= 1
CATEGORIES= devel scm
MASTER_SITES= https://launchpad.net/bzr/${PKGVERSION_NOREV:R}/${PKGVERSION_NOREV}/+download/
diff -r c7ff4019965a -r 9c4f0f0328a0 devel/bzr/distinfo
--- a/devel/bzr/distinfo Tue Jan 09 20:56:04 2018 +0000
+++ b/devel/bzr/distinfo Tue Jan 09 22:18:57 2018 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.42 2015/11/03 03:27:17 agc Exp $
+$NetBSD: distinfo,v 1.43 2018/01/09 22:18:57 tez Exp $
SHA1 (bzr-2.6.0.tar.gz) = 5eb4d0367c6d83396250165da5bb2c8a9f378293
RMD160 (bzr-2.6.0.tar.gz) = 794dbc585fd1acc711b59016d0b2c3dfe97927d7
SHA512 (bzr-2.6.0.tar.gz) = f40d4380a837321c2ed168d15b0b5d31e9de6df93c0f8f2fd9b16c9351524b0afac5b8744740f587e9704efeb4cc004cae7f35aed47f73b5c796cbe2526af980
Size (bzr-2.6.0.tar.gz) = 11301124 bytes
+SHA1 (patch-CVE-2017-14176) = 65a38a9db017854cdc677d0c45dcb69d4214b549
SHA1 (patch-ab) = eae7e2baa12239e9c05e2afe775f8334c734de75
diff -r c7ff4019965a -r 9c4f0f0328a0 devel/bzr/patches/patch-CVE-2017-14176
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/bzr/patches/patch-CVE-2017-14176 Tue Jan 09 22:18:57 2018 +0000
@@ -0,0 +1,151 @@
+$NetBSD: patch-CVE-2017-14176,v 1.1 2018/01/09 22:18:57 tez Exp $
+
+Patch for CVE-2017-14176 from http://bazaar.launchpad.net/~brz/brz/trunk/revision/6754
+
+
+--- bzrlib/transport/ssh.py.orig 2013-07-27 11:50:53.000000000 +0000
++++ bzrlib/transport/ssh.py
+@@ -45,6 +45,10 @@ else:
+ from paramiko.sftp_client import SFTPClient
+
+
++class StrangeHostname(errors.BzrError):
++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+ SYSTEM_HOSTKEYS = {}
+ BZR_HOSTKEYS = {}
+
+@@ -359,6 +363,11 @@ class SubprocessVendor(SSHVendor):
+ # tests, but beware of using PIPE which may hang due to not being read.
+ _stderr_target = None
+
++ @staticmethod
++ def _check_hostname(arg):
++ if arg.startswith('-'):
++ raise StrangeHostname(hostname=arg)
++
+ def _connect(self, argv):
+ # Attempt to make a socketpair to use as stdin/stdout for the SSH
+ # subprocess. We prefer sockets to pipes because they support
+@@ -423,9 +432,9 @@ class OpenSSHSubprocessVendor(Subprocess
+ if username is not None:
+ args.extend(['-l', username])
+ if subsystem is not None:
+- args.extend(['-s', host, subsystem])
++ args.extend(['-s', '--', host, subsystem])
+ else:
+- args.extend([host] + command)
++ args.extend(['--', host] + command)
+ return args
+
+ register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -438,6 +447,7 @@ class SSHCorpSubprocessVendor(Subprocess
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x']
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -459,6 +469,7 @@ class LSHSubprocessVendor(SubprocessVend
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path]
+ if port is not None:
+ args.extend(['-p', str(port)])
+@@ -480,6 +491,7 @@ class PLinkSubprocessVendor(SubprocessVe
+
+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+ command=None):
++ self._check_hostname(host)
+ args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+ if port is not None:
+ args.extend(['-P', str(port)])
+
+--- bzrlib/tests/test_ssh_transport.py.orig 2013-07-27 11:50:53.000000000 +0000
++++ bzrlib/tests/test_ssh_transport.py
+@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
+ SSHCorpSubprocessVendor,
+ LSHSubprocessVendor,
+ SSHVendorManager,
++ StrangeHostname,
+ )
+
+
+@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
+
+ class SubprocessVendorsTests(TestCase):
+
++ def test_openssh_command_tricked(self):
++ vendor = OpenSSHSubprocessVendor()
++ self.assertEqual(
++ vendor._get_vendor_specific_argv(
++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++ "-oClearAllForwardings=yes",
++ "-oNoHostAuthenticationForLocalhost=yes",
++ "-p", "100",
++ "-l", "user",
++ "--",
++ "-oProxyCommand=blah", "bzr"])
++
+ def test_openssh_command_arguments(self):
+ vendor = OpenSSHSubprocessVendor()
+ self.assertEqual(
+@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
++ "--",
+ "host", "bzr"]
+ )
+
+@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
+ "-oNoHostAuthenticationForLocalhost=yes",
+ "-p", "100",
+ "-l", "user",
+- "-s", "host", "sftp"]
++ "-s", "--", "host", "sftp"]
+ )
+
++ def test_openssh_command_tricked(self):
++ vendor = SSHCorpSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_sshcorp_command_arguments(self):
+ vendor = SSHCorpSubprocessVendor()
+ self.assertEqual(
+@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
+ "-s", "sftp", "host"]
+ )
+
++ def test_lsh_command_tricked(self):
++ vendor = LSHSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_lsh_command_arguments(self):
+ vendor = LSHSubprocessVendor()
+ self.assertEqual(
+@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
+ "--subsystem", "sftp", "host"]
+ )
+
++ def test_plink_command_tricked(self):
++ vendor = PLinkSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+ def test_plink_command_arguments(self):
+ vendor = PLinkSubprocessVendor()
+ self.assertEqual(
Home |
Main Index |
Thread Index |
Old Index