[Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Thorsten Glaser
tg at mirbsd.de
Fri Aug 11 21:22:44 UTC 2017
tags 871810 + patch pending
thanks
Salvatore Bonaccorso dixit:
>Severity: grave
Probably not as severe, the attack vector seems minimal.
>[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
>[1] http://www.openwall.com/lists/oss-security/2017/08/11/1
Thanks for the heads-up. I’ve got a working patch, but I’ll also
work some more on sanitising username (if possible) and port (not
really necessary but still) parsing and test the changes before
I’ll upload.
For {,{,old}old}stable-security, this should suffice:
Index: src/gnu/usr.bin/cvs/src/rsh-client.c
diff -up src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 src/gnu/usr.bin/cvs/src/rsh-client.c:1.7
--- src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 Sun Mar 26 15:54:10 2017
+++ src/gnu/usr.bin/cvs/src/rsh-client.c Fri Aug 11 20:41:40 2017
@@ -55,8 +55,9 @@ start_rsh_server (cvsroot_t *root, struc
char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
+ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+ "--", "host", "cvs", "-R", "server", and NULL.
+ We leave some room to grow. */
char *rsh_argv[16];
char argvport[16];
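Review bot: the bound on `rsh_argv` at `char *rsh_argv[16];` is documented only by the comment, and this change uses one more slot. By the updated comment the worst case is now 12 entries including the NULL terminator, so 16 still fits with 4 to spare. Nothing visible here enforces that as `i` is incremented, though. Consider an assertion or a check against the array's element count before each `rsh_argv[i++] = ...`, so that a future extra argument cannot silently overrun the array.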
@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
rsh_argv[i++] = argvport;
}
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
if (readonlyfs)
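Review bot: at `rsh_argv[i++] = root->hostname;` the hostname is still passed through unvalidated, so the fix depends entirely on the invoked remote-shell program treating `"--"` as the end of options. Consider also rejecting a `root->hostname` that begins with `-` before the argument vector is built, so the protection does not rest on the option parser of whatever program ends up being executed. The comment naming the CVE is helpful and worth keeping.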
@@ -191,6 +195,8 @@ start_rsh_server (cvsroot_t *root, struc
*p++ = argvport;
}
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
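Review bot: the added `*p++ = "--";` has no comment, unlike the same insertion in the previous hunk, which carries "Only non-option arguments from here. (CVE-2017-12836)". Repeating that comment here would make it clear that both code paths must stay in step. The array that `p` walks is not visible in this hunk, so please confirm that it has room for the additional element before `*p++ = NULL;`.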
Thanks,
//mirabilos