pkgsrc-Changes archive
CVS commit: pkgsrc/devel/scmcvs
Module Name: pkgsrc
Committed By: tez
Date: Mon Aug 21 22:57:45 UTC 2017
Modified Files:
pkgsrc/devel/scmcvs: Makefile distinfo
Added Files:
pkgsrc/devel/scmcvs/patches: patch-rsh-client.c
Log Message:
Fix for CVE-2017-12836
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/devel/scmcvs/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/devel/scmcvs/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/scmcvs/patches/patch-rsh-client.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/devel/scmcvs/Makefile
diff -u pkgsrc/devel/scmcvs/Makefile:1.17 pkgsrc/devel/scmcvs/Makefile:1.18
--- pkgsrc/devel/scmcvs/Makefile:1.17 Fri May 12 05:13:43 2017
+++ pkgsrc/devel/scmcvs/Makefile Mon Aug 21 22:57:45 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.17 2017/05/12 05:13:43 maya Exp $
+# $NetBSD: Makefile,v 1.18 2017/08/21 22:57:45 tez Exp $
DISTNAME= cvs-1.12.13
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= devel scm
MASTER_SITES= http://ftp.gnu.org/non-gnu/cvs/source/feature/${PKGVERSION_NOREV}/
EXTRACT_SUFX= .tar.bz2
Index: pkgsrc/devel/scmcvs/distinfo
diff -u pkgsrc/devel/scmcvs/distinfo:1.18 pkgsrc/devel/scmcvs/distinfo:1.19
--- pkgsrc/devel/scmcvs/distinfo:1.18 Fri Aug 18 21:41:19 2017
+++ pkgsrc/devel/scmcvs/distinfo Mon Aug 21 22:57:45 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2017/08/18 21:41:19 adam Exp $
+$NetBSD: distinfo,v 1.19 2017/08/21 22:57:45 tez Exp $
SHA1 (cvs-1.12.13.tar.bz2) = 93a8dacc6ff0e723a130835713235863f1f5ada9
RMD160 (cvs-1.12.13.tar.bz2) = ba3048e3e2d99ae78f6a759889b615acf65dd487
@@ -29,6 +29,7 @@ SHA1 (patch-bb) = 09a607426b672f44c1882b
SHA1 (patch-lib_mktime.c) = 526a0e24c6399d527ae6a463ea91e993f9f7e920
SHA1 (patch-lib_vasnprintf.c) = fbba4d923d3c61ebcf79e82779919dc1f8a570c0
SHA1 (patch-m4_fpending.m4) = 6b7c96d8f092e179d2cfdf036bcbfd3855292e0f
+SHA1 (patch-rsh-client.c) = 448811f5df402501c7070677fc8c2d1873764306
SHA1 (patch-src_error.c) = 60aba581be95aebbb6fb16c888fd384d855fe56e
SHA1 (patch-src_ignore.c) = 90ac25311c83bb5713b83b9cfb6b2c03790ee787
SHA1 (patch-src_zlib.c) = fee3becf1cc2e45d1241a302ed65c5f11b477a0a
Added files:
Index: pkgsrc/devel/scmcvs/patches/patch-rsh-client.c
diff -u /dev/null pkgsrc/devel/scmcvs/patches/patch-rsh-client.c:1.1
--- /dev/null Mon Aug 21 22:57:45 2017
+++ pkgsrc/devel/scmcvs/patches/patch-rsh-client.c Mon Aug 21 22:57:45 2017
@@ -0,0 +1,39 @@
+$NetBSD: patch-rsh-client.c,v 1.1 2017/08/21 22:57:45 tez Exp $
+
+Fix for CVE-2017-12836 from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
+
+
+--- src/rsh-client.c.orig 2017-08-21 22:38:03.283783300 +0000
++++ src/rsh-client.c
+@@ -53,9 +53,9 @@ start_rsh_server (cvsroot_t *root, struc
+ char *cvs_server = (root->cvs_server != NULL
+ ? root->cvs_server : getenv ("CVS_SERVER"));
+ int i = 0;
+- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+ "cmd (w/ args)", and NULL. We leave some room to grow. */
+- char *rsh_argv[10];
++ char *rsh_argv[16];
+
+ if (!cvs_rsh)
+ /* People sometimes suggest or assume that this should default
+@@ -96,6 +96,9 @@ start_rsh_server (cvsroot_t *root, struc
+ rsh_argv[i++] = "-l";
+ rsh_argv[i++] = root->username;
+ }
++
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ rsh_argv[i++] = "--";
+
+ rsh_argv[i++] = root->hostname;
+ rsh_argv[i++] = cvs_server;
+@@ -171,6 +174,9 @@ start_rsh_server (cvsroot_t *root, struc
+ *p++ = root->username;
+ }
+
++ /* Only non-option arguments from here. (CVE-2017-12836) */
++ *p++ = "--";
++
+ *p++ = root->hostname;
+ *p++ = command;
+ *p++ = NULL;
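Review bot: Both added `"--"` entries (at the `rsh_argv[i++]` site and at the `*p++` site) keep `root->hostname` from being read as an option only if the program named by CVS_RSH treats `--` as an end-of-options marker, which this patch cannot guarantee for every rsh-compatible transport. A check that does not depend on the child program would reject such a value before the argument vector is built, for example `if (root->hostname[0] == '-') error (1, 0, "invalid hostname '%s'", root->hostname);` ahead of the first `rsh_argv[i++]` assignment. `root->username` still sits before the marker as the value of `-l`; it is presumably consumed as an option argument, but that is worth confirming where the CVSROOT is parsed. The declaration of the array behind `p` is outside the hunk, so confirm it has room for the extra slot, as `rsh_argv` was given by the bump to 16. The body of start_rsh_server starts and ends outside these hunks.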