summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2018-01-03 14:15:20 -0500
committerLeo Famulari <leo@famulari.name>2018-01-03 14:16:29 -0500
commit0c84e8679c6d41e46416cfe97d63221a64beee55 (patch)
tree9ee57dc15d92b50cd093739dbba416a712e41427 /gnu/packages/patches
parent1ee750ba4c76d9eff248b0f0657e0d8f119607ff (diff)
downloadguix-0c84e8679c6d41e46416cfe97d63221a64beee55.tar.gz
gnu: fossil: Fix CVE-2017-17459.
* gnu/packages/patches/fossil-CVE-2017-17459.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (fossil)[source]: Use it.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/fossil-CVE-2017-17459.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/gnu/packages/patches/fossil-CVE-2017-17459.patch b/gnu/packages/patches/fossil-CVE-2017-17459.patch
new file mode 100644
index 0000000000..e566235b4e
--- /dev/null
+++ b/gnu/packages/patches/fossil-CVE-2017-17459.patch
@@ -0,0 +1,57 @@
+Fix CVE-2017-17459:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
+
+Patch copied from upstream source repository:
+
+https://www.fossil-scm.org/xfer/info/1f63db591c77108c
+
+Index: src/http_transport.c
+==================================================================
+--- src/http_transport.c
++++ src/http_transport.c
+@@ -73,10 +73,23 @@
+   if( resetFlag ){
+     transport.nSent = 0;
+     transport.nRcvd = 0;
+   }
+ }
++
++/*
++** Remove leading "-" characters from the input string.
++**
++** This prevents attacks that try to trick a victim into using
++** a ssh:// URI with a carefully crafted hostname of other
++** parameter that ends up being interpreted as a command-line
++** option by "ssh".
++*/
++static const char *stripLeadingMinus(const char *z){
++  while( z[0]=='-' ) z++;
++  return z;
++}
+ 
+ /*
+ ** Default SSH command
+ */
+ #ifdef _WIN32
+@@ -116,17 +129,17 @@
+   }else{
+     zHost = mprintf("%s", pUrlData->name);
+   }
+   n = blob_size(&zCmd);
+   blob_append(&zCmd, " ", 1);
+-  shell_escape(&zCmd, zHost);
++  shell_escape(&zCmd, stripLeadingMinus(zHost));
+   blob_append(&zCmd, " ", 1);
+   shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
+   blob_append(&zCmd, " test-http", 10);
+   if( pUrlData->path && pUrlData->path[0] ){
+     blob_append(&zCmd, " ", 1);
+-    shell_escape(&zCmd, mprintf("%s", pUrlData->path));
++    shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
+   }
+   if( g.fSshTrace ){
+     fossil_print("%s\n", blob_str(&zCmd)+n);  /* Show tail of SSH command */
+   }
+   free(zHost);
+