From unknown Sat Jun 14 03:56:37 2025
Subject: [bug#28086] [PATCH] gnu: cvs: Fix CVE-2017-12836.
Resent-From: Leo Famulari
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 14 Aug 2017 16:29:02 +0000
To: 28086@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
From: Leo Famulari
Date: Mon, 14 Aug 2017 12:27:45 -0400
Message-Id: <9a3ab28b726806b80a0e28ff4e0d6b2ac4636c85.1502728065.git.leo@famulari.name>
X-Mailer: git-send-email 2.14.1

* gnu/packages/patches/cvs-2017-12836.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (cvs)[source]: Use it.

--- gnu/local.mk | 1 + gnu/packages/patches/cvs-2017-12836.patch | 45 +++++++++++++++++++++++++++++++ gnu/packages/version-control.scm | 1 + 3 files changed, 47 insertions(+) create mode 100644 gnu/packages/patches/cvs-2017-12836.patch diff --git a/gnu/local.mk b/gnu/local.mk index ec37f81b0..97e876a50 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -569,6 +569,7 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/curl-bounds-check.patch \ %D%/packages/patches/cursynth-wave-rand.patch \ + %D%/packages/patches/cvs-2017-12836.patch \ %D%/packages/patches/cyrus-sasl-CVE-2013-4122.patch \ %D%/packages/patches/dblatex-remove-multirow.patch \ %D%/packages/patches/dbus-helper-search-path.patch \ diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch new file mode 100644 index 000000000..507ab0f7d --- /dev/null +++ b/gnu/packages/patches/cvs-2017-12836.patch
@@ -0,0 +1,45 @@ +Fix CVE-2017-12836: + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836 +https://security-tracker.debian.org/tracker/CVE-2017-12836 + +Patch adpated from Debian (comments and changelog annotations removed): + +https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094 + +From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001 +From: mirabilos +Date: Sat, 12 Aug 2017 03:17:18 +0200 +Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch + +--- + debian/changelog | 6 ++++++ + src/rsh-client.c | 10 ++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/rsh-client.c b/src/rsh-client.c +index fe0cfc4..1fc860d 100644 +--- a/src/rsh-client.c ++++ b/src/rsh-client.c +@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + rsh_argv[i++] = argvport; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + if (readonlyfs) +@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + *p++ = argvport; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +cgit v0.12 + diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index bff647155..3689d0613 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm 
@@ -921,6 +921,7 @@ machine.") (uri (string-append "https://ftp.gnu.org/non-gnu/cvs/source/feature/" version "/cvs-" version ".tar.bz2")) + (patches (search-patches "cvs-2017-12836.patch")) (sha256 (base32 "0pjir8cwn0087mxszzbsi1gyfc6373vif96cw4q3m1x6p49kd1bq")))) -- 2.14.1
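Review bot: in the gnu/local.mk hunk, the new entry `%D%/packages/patches/cvs-2017-12836.patch \` is sorted correctly between cursynth-wave-rand.patch and cyrus-sasl-CVE-2013-4122.patch, but its name drops the `CVE-` prefix that the neighbouring `cyrus-sasl-CVE-2013-4122.patch` uses; naming it `cvs-CVE-2017-12836.patch` (here, in the new file's path, and in the `search-patches` call in version-control.scm) would keep the security patches consistently findable by CVE id.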
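Review bot: the header of the new gnu/packages/patches/cvs-2017-12836.patch has a typo, `adpated` for `adapted`, and the diffstat it keeps from the Debian commit (`debian/changelog | 6 ++++++`, `src/rsh-client.c | 10 ++++++++--`, `14 insertions(+), 2 deletions(-)`) no longer matches the trimmed hunks below it, which touch only src/rsh-client.c and add five lines; since the changelog hunk was dropped, drop the diffstat too so a later reader does not go looking for the missing part. On the fix itself: both hunks insert `"--"` into the argument vector immediately before `root->hostname`, so a hostname value beginning with `-` is handed to the rsh/ssh program as an operand instead of being parsed as an option, which is what the first hunk's `(CVE-2017-12836)` comment refers to; this relies on whatever CVS_RSH names treating `--` as end-of-options (OpenSSH does), and that assumption deserves a sentence in the patch header. The second hunk (the `-189,6 +193,8` region) adds the bare `*p++ = "--";` without the explanatory comment the first hunk has; repeating the `(CVE-2017-12836)` comment there would make both call sites self-explaining.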
From: Marius Bakke
In-Reply-To: <9a3ab28b726806b80a0e28ff4e0d6b2ac4636c85.1502728065.git.leo@famulari.name>
References: <9a3ab28b726806b80a0e28ff4e0d6b2ac4636c85.1502728065.git.leo@famulari.name>
Date: Mon, 14 Aug 2017 21:45:55 +0200
Message-ID: <87lgmm0w7g.fsf@fastmail.com>

Leo Famulari writes:

> * gnu/packages/patches/cvs-2017-12836.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/version-control.scm (cvs)[source]: Use it.

LGTM, thanks!
From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 14 15:56:23 2017
Date: Mon, 14 Aug 2017 15:56:20 -0400
From: Leo Famulari
To: control@debbugs.gnu.org
Message-ID: <20170814195620.GA6300@jasmine.lan>
User-Agent: Mutt/1.8.3 (2017-05-23)

28086 close close 28086