Fix for CVE-2017-12836

4 files changed, 45 insertions, 4 deletions

diff --git a/devel/scmcvs/Makefile b/devel/scmcvs/Makefile
index bda3cdff611..df9cffc4a5f 100644
--- a/devel/scmcvs/Makefile
+++ b/devel/scmcvs/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.17 2017/05/12 05:13:43 maya Exp $
+# $NetBSD: Makefile,v 1.18 2017/08/21 22:57:45 tez Exp $
 
 DISTNAME=	cvs-1.12.13
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	devel scm
 MASTER_SITES=	http://ftp.gnu.org/non-gnu/cvs/source/feature/${PKGVERSION_NOREV}/
 EXTRACT_SUFX=	.tar.bz2
diff --git a/devel/scmcvs/distinfo b/devel/scmcvs/distinfo
index 7df854eb84d..053ea20dcfb 100644
--- a/devel/scmcvs/distinfo
+++ b/devel/scmcvs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2017/08/18 21:41:19 adam Exp $
+$NetBSD: distinfo,v 1.19 2017/08/21 22:57:45 tez Exp $
 
 SHA1 (cvs-1.12.13.tar.bz2) = 93a8dacc6ff0e723a130835713235863f1f5ada9
 RMD160 (cvs-1.12.13.tar.bz2) = ba3048e3e2d99ae78f6a759889b615acf65dd487
@@ -29,6 +29,7 @@ SHA1 (patch-bb) = 09a607426b672f44c1882b82812e6ca81efdcf8e
 SHA1 (patch-lib_mktime.c) = 526a0e24c6399d527ae6a463ea91e993f9f7e920
 SHA1 (patch-lib_vasnprintf.c) = fbba4d923d3c61ebcf79e82779919dc1f8a570c0
 SHA1 (patch-m4_fpending.m4) = 6b7c96d8f092e179d2cfdf036bcbfd3855292e0f
+SHA1 (patch-rsh-client.c) = 448811f5df402501c7070677fc8c2d1873764306
 SHA1 (patch-src_error.c) = 60aba581be95aebbb6fb16c888fd384d855fe56e
 SHA1 (patch-src_ignore.c) = 90ac25311c83bb5713b83b9cfb6b2c03790ee787
 SHA1 (patch-src_zlib.c) = fee3becf1cc2e45d1241a302ed65c5f11b477a0a
diff --git a/devel/scmcvs/patches/patch-rsh-client.c b/devel/scmcvs/patches/patch-rsh-client.c
new file mode 100644
index 00000000000..131f65f2f16
--- /dev/null
+++ b/devel/scmcvs/patches/patch-rsh-client.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-rsh-client.c,v 1.1 2017/08/21 22:57:45 tez Exp $
+
+Fix for CVE-2017-12836 from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
+
+
+--- src/rsh-client.c.orig	2017-08-21 22:38:03.283783300 +0000
++++ src/rsh-client.c
+@@ -53,9 +53,9 @@ start_rsh_server (cvsroot_t *root, struc
+     char *cvs_server = (root->cvs_server != NULL
+ 			? root->cvs_server : getenv ("CVS_SERVER"));
+     int i = 0;
+-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
++    /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
+        "cmd (w/ args)", and NULL.  We leave some room to grow. */
+-    char *rsh_argv[10];
++    char *rsh_argv[16];
+ 
+     if (!cvs_rsh)
+ 	/* People sometimes suggest or assume that this should default
+@@ -96,6 +96,9 @@ start_rsh_server (cvsroot_t *root, struc
+ 	rsh_argv[i++] = "-l";
+ 	rsh_argv[i++] = root->username;
+     }
++    
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
+ 
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+@@ -171,6 +174,9 @@ start_rsh_server (cvsroot_t *root, struc
+ 	    *p++ = root->username;
+ 	}
+ 
++        /* Only non-option arguments from here. (CVE-2017-12836) */
++        *p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;
diff --git a/doc/CHANGES-2017 b/doc/CHANGES-2017
index 731934c1473..d2d54902740 100644
--- a/doc/CHANGES-2017
+++ b/doc/CHANGES-2017
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2017,v 1.3398 2017/08/21 22:21:11 tez Exp $
+$NetBSD: CHANGES-2017,v 1.3399 2017/08/21 22:59:02 tez Exp $
 
 Changes to the packages collection and infrastructure in 2017:
 
@@ -4732,3 +4732,4 @@ Changes to the packages collection and infrastructure in 2017:
 	Added databases/py-unicodecsv version 0.14.1 [adam 2017-08-21]
 	Added www/py-django-sql-explorer version 1.1.1 [adam 2017-08-21]
 	Updated security/mit-krb5 to 1.14.5nb1 [tez 2017-08-21]
+	Updated devel/scmcvs to 1.12.13nb6 [tez 2017-08-21]