
CVS commit: pkgsrc/devel/bzr



Module Name:    pkgsrc
Committed By:   tez
Date:           Tue Jan  9 22:18:57 UTC 2018

Modified Files:
        pkgsrc/devel/bzr: Makefile distinfo
Added Files:
        pkgsrc/devel/bzr/patches: patch-CVE-2017-14176

Log Message:
Add patch for CVE-2017-14176


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.70 pkgsrc/devel/bzr/Makefile
cvs rdiff -u -r1.42 -r1.43 pkgsrc/devel/bzr/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/bzr/patches/patch-CVE-2017-14176

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/bzr/Makefile
diff -u pkgsrc/devel/bzr/Makefile:1.69 pkgsrc/devel/bzr/Makefile:1.70
--- pkgsrc/devel/bzr/Makefile:1.69      Sun Jan  1 14:43:29 2017
+++ pkgsrc/devel/bzr/Makefile   Tue Jan  9 22:18:57 2018
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.69 2017/01/01 14:43:29 wiz Exp $
+# $NetBSD: Makefile,v 1.70 2018/01/09 22:18:57 tez Exp $
 
 DISTNAME=      bzr-2.6.0
+PKGREVISION=   1
 CATEGORIES=    devel scm
 MASTER_SITES=  https://launchpad.net/bzr/${PKGVERSION_NOREV:R}/${PKGVERSION_NOREV}/+download/
 

Index: pkgsrc/devel/bzr/distinfo
diff -u pkgsrc/devel/bzr/distinfo:1.42 pkgsrc/devel/bzr/distinfo:1.43
--- pkgsrc/devel/bzr/distinfo:1.42      Tue Nov  3 03:27:17 2015
+++ pkgsrc/devel/bzr/distinfo   Tue Jan  9 22:18:57 2018
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.42 2015/11/03 03:27:17 agc Exp $
+$NetBSD: distinfo,v 1.43 2018/01/09 22:18:57 tez Exp $
 
 SHA1 (bzr-2.6.0.tar.gz) = 5eb4d0367c6d83396250165da5bb2c8a9f378293
 RMD160 (bzr-2.6.0.tar.gz) = 794dbc585fd1acc711b59016d0b2c3dfe97927d7
 SHA512 (bzr-2.6.0.tar.gz) = f40d4380a837321c2ed168d15b0b5d31e9de6df93c0f8f2fd9b16c9351524b0afac5b8744740f587e9704efeb4cc004cae7f35aed47f73b5c796cbe2526af980
 Size (bzr-2.6.0.tar.gz) = 11301124 bytes
+SHA1 (patch-CVE-2017-14176) = 65a38a9db017854cdc677d0c45dcb69d4214b549
 SHA1 (patch-ab) = eae7e2baa12239e9c05e2afe775f8334c734de75

Added files:

Index: pkgsrc/devel/bzr/patches/patch-CVE-2017-14176
diff -u /dev/null pkgsrc/devel/bzr/patches/patch-CVE-2017-14176:1.1
--- /dev/null   Tue Jan  9 22:18:57 2018
+++ pkgsrc/devel/bzr/patches/patch-CVE-2017-14176       Tue Jan  9 22:18:57 2018
@@ -0,0 +1,151 @@
+$NetBSD: patch-CVE-2017-14176,v 1.1 2018/01/09 22:18:57 tez Exp $
+
+Patch for CVE-2017-14176 from http://bazaar.launchpad.net/~brz/brz/trunk/revision/6754
+
+
+--- bzrlib/transport/ssh.py.orig       2013-07-27 11:50:53.000000000 +0000
++++ bzrlib/transport/ssh.py
+@@ -45,6 +45,10 @@ else:
+     from paramiko.sftp_client import SFTPClient
+ 
+ 
++class StrangeHostname(errors.BzrError):
++    _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+ SYSTEM_HOSTKEYS = {}
+ BZR_HOSTKEYS = {}
+ 
+@@ -359,6 +363,11 @@ class SubprocessVendor(SSHVendor):
+     # tests, but beware of using PIPE which may hang due to not being read.
+     _stderr_target = None
+ 
++    @staticmethod
++    def _check_hostname(arg):
++        if arg.startswith('-'):
++            raise StrangeHostname(hostname=arg)
++
+     def _connect(self, argv):
+         # Attempt to make a socketpair to use as stdin/stdout for the SSH
+         # subprocess.  We prefer sockets to pipes because they support
+@@ -423,9 +432,9 @@ class OpenSSHSubprocessVendor(Subprocess
+         if username is not None:
+             args.extend(['-l', username])
+         if subsystem is not None:
+-            args.extend(['-s', host, subsystem])
++            args.extend(['-s', '--', host, subsystem])
+         else:
+-            args.extend([host] + command)
++            args.extend(['--', host] + command)
+         return args
+ 
+ register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -438,6 +447,7 @@ class SSHCorpSubprocessVendor(Subprocess
+ 
+     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+                                   command=None):
++        self._check_hostname(host)
+         args = [self.executable_path, '-x']
+         if port is not None:
+             args.extend(['-p', str(port)])
+@@ -459,6 +469,7 @@ class LSHSubprocessVendor(SubprocessVend
+ 
+     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+                                   command=None):
++        self._check_hostname(host)
+         args = [self.executable_path]
+         if port is not None:
+             args.extend(['-p', str(port)])
+@@ -480,6 +491,7 @@ class PLinkSubprocessVendor(SubprocessVe
+ 
+     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+                                   command=None):
++        self._check_hostname(host)
+         args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+         if port is not None:
+             args.extend(['-P', str(port)])
+
+--- bzrlib/tests/test_ssh_transport.py.orig    2013-07-27 11:50:53.000000000 +0000
++++ bzrlib/tests/test_ssh_transport.py
+@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
+     SSHCorpSubprocessVendor,
+     LSHSubprocessVendor,
+     SSHVendorManager,
++    StrangeHostname,
+     )
+ 
+ 
+@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
+ 
+ class SubprocessVendorsTests(TestCase):
+ 
++    def test_openssh_command_tricked(self):
++        vendor = OpenSSHSubprocessVendor()
++        self.assertEqual(
++            vendor._get_vendor_specific_argv(
++                "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++            ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++                "-oClearAllForwardings=yes",
++                "-oNoHostAuthenticationForLocalhost=yes",
++                "-p", "100",
++                "-l", "user",
++                "--",
++                "-oProxyCommand=blah", "bzr"])
++
+     def test_openssh_command_arguments(self):
+         vendor = OpenSSHSubprocessVendor()
+         self.assertEqual(
+@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
+                 "-oNoHostAuthenticationForLocalhost=yes",
+                 "-p", "100",
+                 "-l", "user",
++                "--",
+                 "host", "bzr"]
+             )
+ 
+@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
+                 "-oNoHostAuthenticationForLocalhost=yes",
+                 "-p", "100",
+                 "-l", "user",
+-                "-s", "host", "sftp"]
++                "-s", "--", "host", "sftp"]
+             )
+ 
++    def test_openssh_command_tricked(self):
++        vendor = SSHCorpSubprocessVendor()
++        self.assertRaises(
++            StrangeHostname,
++            vendor._get_vendor_specific_argv,
++                "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+     def test_sshcorp_command_arguments(self):
+         vendor = SSHCorpSubprocessVendor()
+         self.assertEqual(
+@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
+                 "-s", "sftp", "host"]
+             )
+ 
++    def test_lsh_command_tricked(self):
++        vendor = LSHSubprocessVendor()
++        self.assertRaises(
++            StrangeHostname,
++            vendor._get_vendor_specific_argv,
++                "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+     def test_lsh_command_arguments(self):
+         vendor = LSHSubprocessVendor()
+         self.assertEqual(
+@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
+                 "--subsystem", "sftp", "host"]
+             )
+ 
++    def test_plink_command_tricked(self):
++        vendor = PLinkSubprocessVendor()
++        self.assertRaises(
++            StrangeHostname,
++            vendor._get_vendor_specific_argv,
++                "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+     def test_plink_command_arguments(self):
+         vendor = PLinkSubprocessVendor()
+         self.assertEqual(
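Review bot: The test that covers the OpenSSH `--` path never runs, because `test_openssh_command_tricked` is defined twice inside `SubprocessVendorsTests` in the test_ssh_transport.py part of the patch — once for `OpenSSHSubprocessVendor` (the `assertEqual` on the `"--", "-oProxyCommand=blah", "bzr"` argv) and again for `SSHCorpSubprocessVendor` (the `assertRaises(StrangeHostname, ...)` case) — and the second definition replaces the first in the class namespace. Rename the second one to `def test_sshcorp_command_tricked(self):`, which also matches the `test_lsh_command_tricked` / `test_plink_command_tricked` naming used for the other vendors. Note that `OpenSSHSubprocessVendor` is the only vendor that does not call `self._check_hostname(host)`; it relies entirely on the `--` separator, which does stop OpenSSH's option parsing, but it means a hostname such as `-oProxyCommand=...` is still handed to ssh as the host rather than being refused, so the shadowed test is the only thing pinning that behaviour. Since this is a pkgsrc-local copy of the upstream change, any edit to the patch needs the SHA1 in distinfo regenerated.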


