[Secure-testing-team] Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection

Thorsten Glaser tg at mirbsd.de
Sat Aug 12 01:32:48 UTC 2017


Sébastien Delafond dixit:

>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

OK, now that I’m waiting on the multi-hour testsuite results on sid.
(It’s mostly that, due to the extra checks, the testsuite needs changes,
not the code.)

I’m attaching one for stretch, and if it pleases you, I’ll do them in
the same vein for jessie and wheezy and upload them. (As I said, they
will all look identical, the code has not changed in quite a while…
the file in question did not change *at all*, and it’s not affected
by the other code changes since then.)

Since I do not upload to past releases often: do I just dput them,
or do I put them on a different upload server/queue?

Thanks,
//mirabilos
-- 
> find both emacs and vi nauseating (joe rules) and consider pine the only
> usable text-mode mail client (and I have tried them all). ;)
Hellooooo, I'm Holger ("Hello Holger!"), and I am also
... a pine user, and habitually at that ("Oooooooohhh").  [from dasr]
-------------- next part --------------
diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,9 @@
+cvs (2:1.12.13+real-22+deb9u1) stretch; urgency=high
+
+  * Fix CVE-2017-12836 (Closes: #871810)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Sat, 12 Aug 2017 03:15:49 +0200
+
 cvs (2:1.12.13+real-22) unstable; urgency=low
 
   * cvs init: Change default history logging configuration
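Review bot: the changelog entry names the CVE and the bug but not what the fix does; one clause such as "pass "--" to the rsh/ssh client before the remote hostname" would let a reader of the changelog see the change without opening the diff. Version, distribution and urgency=high are consistent with a stretch security update.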
diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c
--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,8 +53,9 @@
     char *cvs_server = (root->cvs_server != NULL
 			? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+       "--", "host", "cvs", "-R", "server", and NULL.
+       We leave some room to grow. */
     char *rsh_argv[16];
     char argvport[16];
 
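Review bot: the updated comment now enumerates twelve entries ("rsh", "-b", "-l", "USER", "-p", port, "--", "host", "cvs", "-R", "server", NULL), so rsh_argv[16] still has four spare slots after the added "--" and the comment agrees with the array size. Stating that count explicitly in the comment (e.g. "12 of 16 used") would make the next addition harder to get wrong.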
@@ -105,6 +106,9 @@
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
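Review bot: the "--" inserted before root->hostname is the actual fix for CVE-2017-12836: it ends option parsing in the rsh/ssh client, so a hostname that begins with "-" is handed over as a positional argument instead of being interpreted as an option. This relies on every program that can be configured as CVS_RSH honouring "--"; OpenSSH and getopt-based rsh implementations do, but a wrapper script that does not would still be exposed, so that assumption deserves a sentence in the comment or in the documentation.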
@@ -189,6 +193,8 @@
 		*p++ = argvport;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
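Review bot: this second argv-building path receives the same "--" but neither the CVE reference comment used in the first hunk nor a visible check that the array p writes into has room for one more element; mirror the comment ("Only non-option arguments from here. (CVE-2017-12836)") and confirm that the array's declared size, which is outside this hunk, accounts for the extra entry.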

