cvs: fix CVE-2017-12836, patch from MirBSD.

2017-08-25 16:22:08 +02:00 · 2017-08-25 16:22:08 +02:00 · 656a706193
commit 656a706193
parent 4d30abbdf1
2 changed files with 24 additions and 1 deletions
--- a/srcpkgs/cvs/patches/ssh.patch
+++ b/srcpkgs/cvs/patches/ssh.patch
@ -0,0 +1,23 @@
+Fix for CVE-2017-12836, extracted from MirBSD repository.
+
+--- src/rsh-client.c	2017/03/26 15:54:10	1.6
+++ src/rsh-client.c	2017/08/11 20:41:40	1.7
+@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
+ 	rsh_argv[i++] = argvport;
+     }
+ 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     if (readonlyfs)
+@@ -190,6 +194,8 @@ start_rsh_server (cvsroot_t *root, struc
+ 		*p++ = "-p";
+ 		*p++ = argvport;
+ 	}
+
+	*p++ = "--";
+ 
+ 	*p++ = root->hostname;
+ 	*p++ = command;
--- a/srcpkgs/cvs/template
+++ b/srcpkgs/cvs/template
@ -1,7 +1,7 @@
 # Template file for 'cvs'
 pkgname=cvs
 version=1.12.13
-revision=4
+revision=5
 build_style=gnu-configure
 configure_args="--with-editor=/usr/bin/vi --with-external-zlib
 ac_cv_func_working_mktime=yes"  # broken test upstream