
Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection



Hi LTS team,

>>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:

>>>For wheezy, you'll need to check directly with the Debian LTS team, that
>>>can be reached via debian-lts@lists.debian.org.

is the attached debdiff ok to upload? (Specifically, is the distribution
in the changelog set correctly?) Obviously, I’ll build it in a wheezy
cowbuilder first.

How do I upload, i.e. to what queue do I dput, and do I use -sa?

Thanks,
//mirabilos
-- 
11:56⎜«liwakura:#!/bin/mksh» also, i wanted to add mksh to my own distro │
i was disappointed that there is no makefile │ but somehow the Build.sh is
the least painful built system i've ever seen │ honours CC, {CPP,C,LD}FLAGS
properly │ looks clearly like done by someone who knows what they are doing
diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c
--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,8 +53,9 @@
     char *cvs_server = (root->cvs_server != NULL
 			? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+       "--", "host", "cvs", "-R", "server", and NULL.
+       We leave some room to grow. */
     char *rsh_argv[16];
     char argvport[16];
 
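Review bot: the updated comment now enumerates twelve fixed entries ("rsh", "-b", "-l", "USER", "-p", port, "--", "host", "cvs", "-R", "server", NULL) against `char *rsh_argv[16];`, but nothing checks that `i` stays below 16 as the extra `--` slot is consumed; an assertion against `sizeof rsh_argv / sizeof *rsh_argv` before the writes would turn the comment's arithmetic into something the compiler or a test enforces rather than a number a future addition can silently exceed. The comment itself does match the argv layout the later hunk builds.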
@@ -105,6 +106,9 @@
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
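Review bot: inserting `--` ahead of `root->hostname` closes the injection only when the program named by `cvs_server`'s transport (CVS_RSH, i.e. rsh or ssh) treats `--` as end-of-options; if a site points CVS_RSH at a wrapper that does not, a hostname beginning with `-` still reaches it as an option, so state that assumption in the comment or changelog. The placement is right: it follows the `-l USER` and `-p argvport` option pairs and precedes the hostname and the `cvs -R server` command words, which are the only positional arguments.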
@@ -189,6 +193,8 @@
 		*p++ = argvport;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
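Review bot: this second call site adds `*p++ = "--";` with no comment, unlike the first hunk's `/* Only non-option arguments from here. (CVE-2017-12836) */`; mirror that comment here so a later cleanup does not drop the line as a stray argument. The array `p` writes into is outside the hunk, so also confirm it has room for the extra entry the way the first hunk's size comment was updated to account for.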
diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,9 @@
+cvs (2:1.12.13+real-9+deb7u1) wheezy-security; urgency=high
+
+  * Fix CVE-2017-12836 (Closes: #871810)
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Sat, 12 Aug 2017 19:23:10 +0200
+
 cvs (2:1.12.13+real-9) unstable; urgency=low
 
   * Fix watch file: mange Epoch away, too
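Review bot: the entry says only `Fix CVE-2017-12836 (Closes: #871810)`; add a one-line description of the change (pass `--` to rsh/ssh before the hostname so a repository hostname starting with `-` cannot be parsed as an option) so the changelog is useful without looking the CVE up. The `+deb7u1` version suffix and `wheezy-security` distribution are the form wheezy LTS security uploads use, which answers the question asked in the mail body.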
