Pull up following revision(s) (requested by christos in ticket #543):

external/gpl2/xcvs/dist/src/rsh-client.c: 1.3
Fix for CVE-2017-12836; (cvs command injection) from MirBSD.
This commit is contained in:
snj 2018-02-12 00:20:01 +00:00
parent c4616d3a1b
commit b74bc0c9a0
1 changed files with 10 additions and 5 deletions

View File

@ -10,7 +10,7 @@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. */
#include <sys/cdefs.h>
__RCSID("$NetBSD: rsh-client.c,v 1.2 2016/05/17 14:00:09 christos Exp $");
__RCSID("$NetBSD: rsh-client.c,v 1.2.8.1 2018/02/12 00:20:01 snj Exp $");
#include <config.h>
@ -55,11 +55,11 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
char *cvs_server = (root->cvs_server != NULL
? root->cvs_server : getenv ("CVS_SERVER"));
int i = 0;
/* This needs to fit "rsh", "-b", "-l", "USER", "host",
/* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
"cmd (w/ args)", and NULL. We leave some room to grow. */
char *rsh_argv[10];
char *rsh_argv[16];
if (!cvs_rsh)
if (!cvs_rsh || !*cvs_rsh)
/* People sometimes suggest or assume that this should default
to "remsh" on systems like HPUX in which that is the
system-supplied name for the rsh program. However, that
@ -99,6 +99,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
rsh_argv[i++] = root->username;
}
/* Only non-option arguments from here. (CVE-2017-12836) */
rsh_argv[i++] = "--";
rsh_argv[i++] = root->hostname;
rsh_argv[i++] = cvs_server;
rsh_argv[i++] = "server";
@ -159,7 +162,7 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
command = Xasprintf ("%s server", cvs_server);
{
char *argv[10];
char *argv[16];
char **p = argv;
*p++ = cvs_rsh;
@ -173,6 +176,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p,
*p++ = root->username;
}
*p++ = "--";
*p++ = root->hostname;
*p++ = command;
*p++ = NULL;