From 0afbcf387fbfcc951caa5335e67b7b7eebffdaf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Mon, 14 Aug 2017 10:32:25 +0200 Subject: [PATCH] Fix CVE-2017-12836 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The hostname passed to RSH (ssh) client could be interpreted by OpenSSH client as an option and lead to local command execution. This fix adds no-more-options "--" separator before the hostname argument to the RSH client command. Original patch by Thorsten Glaser <tg@mirbsd.de> from <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810> ported to 1.11.23. Signed-off-by: Petr Písař <ppisar@redhat.com> --- src/client.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/rsh-client.c b/src/rsh-client.c index 512bdad..940c4ce 100644 --- a/src/rsh-client.c +++ b/src/rsh-client.c @@ -53,7 +53,7 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER")); int i = 0; - /* This needs to fit "rsh", "-b", "-l", "USER", "host", + /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", "cmd (w/ args)", and NULL. We leave some room to grow. */ char *rsh_argv[10]; @@ -96,6 +96,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, rsh_argv[i++] = "-l"; rsh_argv[i++] = root->username; } + /* Only non-option arguments from here. (CVE-2017-12836) */ + rsh_argv[i++] = "--"; rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; @@ -171,6 +173,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, *p++ = root->username; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL;