From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 14 Aug 2017 10:32:25 +0200
Subject: [PATCH] Fix CVE-2017-12836
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The hostname passed to RSH (ssh) client could be interpreted by
OpenSSH client as an option and lead to local command execution.
This fix adds no-more-options "--" separator before the hostname
argument to the RSH client command.
Original patch by Thorsten Glaser <tg@mirbsd.de> from
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to
1.11.23.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/client.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/rsh-client.c b/src/rsh-client.c
index 512bdad..940c4ce 100644
--- a/src/rsh-client.c
+++ b/src/rsh-client.c
@@ -53,7 +53,7 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
"cmd (w/ args)", and NULL. We leave some room to grow. */
char *rsh_argv[10];
@@ -96,6 +96,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
rsh_argv[i++] = "-l";
rsh_argv[i++] = root->username;
}
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
@@ -171,6 +173,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
*p++ = root->username;
}
+ *p++ = "--";
+
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;
distrib
>
Mageia
>
5
>
x86_64
>
media
>
core-updates-src
>
by-pkgid
>
95d9a21cc116b62a55ddddfbf9d9ee9d
>
files
>
4
