Module Name: src Committed By: snj Date: Mon Feb 12 00:20:01 UTC 2018
Modified Files: src/external/gpl2/xcvs/dist/src [netbsd-8]: rsh-client.c Log Message: Pull up following revision(s) (requested by christos in ticket #543): external/gpl2/xcvs/dist/src/rsh-client.c: 1.3 Fix for CVE-2017-12836; (cvs command injection) from MirBSD. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.8.1 src/external/gpl2/xcvs/dist/src/rsh-client.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/gpl2/xcvs/dist/src/rsh-client.c diff -u src/external/gpl2/xcvs/dist/src/rsh-client.c:1.2 src/external/gpl2/xcvs/dist/src/rsh-client.c:1.2.8.1 --- src/external/gpl2/xcvs/dist/src/rsh-client.c:1.2 Tue May 17 14:00:09 2016 +++ src/external/gpl2/xcvs/dist/src/rsh-client.c Mon Feb 12 00:20:01 2018 @@ -10,7 +10,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. */ #include <sys/cdefs.h> -__RCSID("$NetBSD: rsh-client.c,v 1.2 2016/05/17 14:00:09 christos Exp $"); +__RCSID("$NetBSD: rsh-client.c,v 1.2.8.1 2018/02/12 00:20:01 snj Exp $"); #include <config.h> @@ -55,11 +55,11 @@ start_rsh_server (cvsroot_t *root, struc char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER")); int i = 0; - /* This needs to fit "rsh", "-b", "-l", "USER", "host", + /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host", "cmd (w/ args)", and NULL. We leave some room to grow. */ - char *rsh_argv[10]; + char *rsh_argv[16]; - if (!cvs_rsh) + if (!cvs_rsh || !*cvs_rsh) /* People sometimes suggest or assume that this should default to "remsh" on systems like HPUX in which that is the system-supplied name for the rsh program. However, that @@ -99,6 +99,9 @@ start_rsh_server (cvsroot_t *root, struc rsh_argv[i++] = root->username; } + /* Only non-option arguments from here. (CVE-2017-12836) */ + rsh_argv[i++] = "--"; + rsh_argv[i++] = root->hostname; rsh_argv[i++] = cvs_server; rsh_argv[i++] = "server"; @@ -159,7 +162,7 @@ start_rsh_server (cvsroot_t *root, struc command = Xasprintf ("%s server", cvs_server); { - char *argv[10]; + char *argv[16]; char **p = argv; *p++ = cvs_rsh; @@ -173,6 +176,8 @@ start_rsh_server (cvsroot_t *root, struc *p++ = root->username; } + *p++ = "--"; + *p++ = root->hostname; *p++ = command; *p++ = NULL;