Source-Changes-HG archive
[src/netbsd-8]: src/external/gpl2/xcvs/dist/src Pull up following revision(s)...
details: https://anonhg.NetBSD.org/src/rev/0c40f802f633
branches: netbsd-8
changeset: 434627:0c40f802f633
user: snj <snj%NetBSD.org@localhost>
date: Mon Feb 12 00:20:01 2018 +0000
description:
Pull up following revision(s) (requested by christos in ticket #543):
external/gpl2/xcvs/dist/src/rsh-client.c: 1.3
Fix for CVE-2017-12836; (cvs command injection) from MirBSD.
diffstat:
external/gpl2/xcvs/dist/src/rsh-client.c | 15 ++++++++++-----
1 files changed, 10 insertions(+), 5 deletions(-)
diffs (55 lines):
diff -r afb0a3977751 -r 0c40f802f633 external/gpl2/xcvs/dist/src/rsh-client.c
--- a/external/gpl2/xcvs/dist/src/rsh-client.c Sun Feb 11 21:56:20 2018 +0000
+++ b/external/gpl2/xcvs/dist/src/rsh-client.c Mon Feb 12 00:20:01 2018 +0000
@@ -10,7 +10,7 @@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. */
#include <sys/cdefs.h>
-__RCSID("$NetBSD: rsh-client.c,v 1.2 2016/05/17 14:00:09 christos Exp $");
+__RCSID("$NetBSD: rsh-client.c,v 1.2.8.1 2018/02/12 00:20:01 snj Exp $");
#include <config.h>
@@ -55,11 +55,11 @@
char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
"cmd (w/ args)", and NULL. We leave some room to grow. */
- char *rsh_argv[10];
+ char *rsh_argv[16];
- if (!cvs_rsh)
+ if (!cvs_rsh || !*cvs_rsh)
/* People sometimes suggest or assume that this should default
to "remsh" on systems like HPUX in which that is the
system-supplied name for the rsh program. However, that
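Review bot: `char *rsh_argv[16]` is still a hand-counted bound, and nothing in this hunk checks `i` against it. The updated comment lists eight slots, so 16 is enough today, but a check such as `assert (i < sizeof rsh_argv / sizeof rsh_argv[0])` before the terminating NULL is stored would keep the next added argument from overflowing silently. The new `!*cvs_rsh` test is reasonable; the comment that follows it could say that an empty CVS_RSH is now treated the same as an unset one.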
@@ -99,6 +99,9 @@
rsh_argv[i++] = root->username;
}
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
rsh_argv[i++] = "server";
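Review bot: the `"--"` inserted before `root->hostname` only helps if the program named by CVS_RSH treats `--` as the end of its options; with a replacement transport that does not, a hostname beginning with `-` would still be read as an option. Consider also rejecting a `root->hostname` whose first character is `-` before the vector is built, so the protection does not depend on the helper's option parser.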
@@ -159,7 +162,7 @@
command = Xasprintf ("%s server", cvs_server);
{
- char *argv[10];
+ char *argv[16];
char **p = argv;
*p++ = cvs_rsh;
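Review bot: `char *argv[16]` repeats the literal already used for `rsh_argv[16]` in the earlier hunk, so the two bounds can drift apart. A shared constant for both declarations would make it clear they describe the same argument vector and need to change together.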
@@ -173,6 +176,8 @@
*p++ = root->username;
}
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
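Review bot: the `*p++ = "--";` added here has no comment, while the matching insertion in the other function carries `/* Only non-option arguments from here. (CVE-2017-12836) */`. Repeating that comment at this site would stop a later cleanup from dropping the separator as redundant.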