GNU bug report logs - #28086
[PATCH] gnu: cvs: Fix CVE-2017-12836.

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Mon, 14 Aug 2017 16:29:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28086 in the body.
You can then email your comments to 28086 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#28086; Package guix-patches. (Mon, 14 Aug 2017 16:29:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 14 Aug 2017 16:29:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: cvs: Fix CVE-2017-12836.
Date: Mon, 14 Aug 2017 12:27:45 -0400

* gnu/packages/patches/cvs-2017-12836.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (cvs)[source]: Use it.
---
 gnu/local.mk                              |  1 +
 gnu/packages/patches/cvs-2017-12836.patch | 45 +++++++++++++++++++++++++++++++
 gnu/packages/version-control.scm          |  1 +
 3 files changed, 47 insertions(+)
 create mode 100644 gnu/packages/patches/cvs-2017-12836.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ec37f81b0..97e876a50 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -569,6 +569,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/clucene-contribs-lib.patch               \
   %D%/packages/patches/curl-bounds-check.patch			\
   %D%/packages/patches/cursynth-wave-rand.patch			\
+  %D%/packages/patches/cvs-2017-12836.patch			\
   %D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch		\
   %D%/packages/patches/dblatex-remove-multirow.patch		\
   %D%/packages/patches/dbus-helper-search-path.patch		\
diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch
new file mode 100644
index 000000000..507ab0f7d
--- /dev/null
+++ b/gnu/packages/patches/cvs-2017-12836.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-12836:
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836
+https://security-tracker.debian.org/tracker/CVE-2017-12836
+
+Patch adpated from Debian (comments and changelog annotations removed):
+
+https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094
+
+From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001
+From: mirabilos <m <at> mirbsd.org>
+Date: Sat, 12 Aug 2017 03:17:18 +0200
+Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch
+
+---
+ debian/changelog |  6 ++++++
+ src/rsh-client.c | 10 ++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsh-client.c b/src/rsh-client.c
+index fe0cfc4..1fc860d 100644
+--- a/src/rsh-client.c
++++ b/src/rsh-client.c
+@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
+ 	rsh_argv[i++] = argvport;
+     }
+ 
++    /* Only non-option arguments from here. (CVE-2017-12836) */
++    rsh_argv[i++] = "--";
++
+     rsh_argv[i++] = root->hostname;
+     rsh_argv[i++] = cvs_server;
+     if (readonlyfs)
+@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
+ 		*p++ = argvport;
+ 	}
+ 
++	*p++ = "--";
++
+ 	*p++ = root->hostname;
+ 	*p++ = command;
+ 	*p++ = NULL;
+-- 
+cgit v0.12
+
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index bff647155..3689d0613 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -921,6 +921,7 @@ machine.")
              (uri (string-append
                    "https://ftp.gnu.org/non-gnu/cvs/source/feature/"
                    version "/cvs-" version ".tar.bz2"))
+             (patches (search-patches "cvs-2017-12836.patch"))
              (sha256
               (base32
                "0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq"))))
-- 
2.14.1
Information forwarded to guix-patches <at> gnu.org:
bug#28086; Package guix-patches. (Mon, 14 Aug 2017 19:47:01 GMT) Full text and rfc822 format available.

Message #8 received at 28086 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 28086 <at> debbugs.gnu.org
Subject: Re: [bug#28086] [PATCH] gnu: cvs: Fix CVE-2017-12836.
Date: Mon, 14 Aug 2017 21:45:55 +0200

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/cvs-2017-12836.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/version-control.scm (cvs)[source]: Use it.

LGTM, thanks!

[signature.asc (application/pgp-signature, inline)]
bug closed, send any further explanations to 28086 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 14 Aug 2017 19:57:01 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 12 Sep 2017 11:24:03 GMT) Full text and rfc822 format available.
This bug report was last modified 7 years and 276 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.