From 0c84e8679c6d41e46416cfe97d63221a64beee55 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 3 Jan 2018 14:15:20 -0500 Subject: gnu: fossil: Fix CVE-2017-17459. * gnu/packages/patches/fossil-CVE-2017-17459.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/version-control.scm (fossil)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/fossil-CVE-2017-17459.patch | 57 ++++++++++++++++++++++++ gnu/packages/version-control.scm | 2 + 3 files changed, 60 insertions(+) create mode 100644 gnu/packages/patches/fossil-CVE-2017-17459.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index afa25e8c06..6f540731e2 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -639,6 +639,7 @@ dist_patch_DATA = \ %D%/packages/patches/fltk-xfont-on-demand.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch \ + %D%/packages/patches/fossil-CVE-2017-17459.patch \ %D%/packages/patches/freeimage-CVE-2015-0852.patch \ %D%/packages/patches/freeimage-CVE-2016-5684.patch \ %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \ diff --git a/gnu/packages/patches/fossil-CVE-2017-17459.patch b/gnu/packages/patches/fossil-CVE-2017-17459.patch new file mode 100644 index 0000000000..e566235b4e --- /dev/null +++ b/gnu/packages/patches/fossil-CVE-2017-17459.patch @@ -0,0 +1,57 @@ +Fix CVE-2017-17459: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459 + +Patch copied from upstream source repository: + +https://www.fossil-scm.org/xfer/info/1f63db591c77108c + +Index: src/http_transport.c +================================================================== +--- src/http_transport.c ++++ src/http_transport.c +@@ -73,10 +73,23 @@ + if( resetFlag ){ + transport.nSent = 0; + transport.nRcvd = 0; + } + } ++ ++/* ++** Remove leading "-" characters from the input string. ++** ++** This prevents attacks that try to trick a victim into using ++** a ssh:// URI with a carefully crafted hostname of other ++** parameter that ends up being interpreted as a command-line ++** option by "ssh". ++*/ ++static const char *stripLeadingMinus(const char *z){ ++ while( z[0]=='-' ) z++; ++ return z; ++} + + /* + ** Default SSH command + */ + #ifdef _WIN32 +@@ -116,17 +129,17 @@ + }else{ + zHost = mprintf("%s", pUrlData->name); + } + n = blob_size(&zCmd); + blob_append(&zCmd, " ", 1); +- shell_escape(&zCmd, zHost); ++ shell_escape(&zCmd, stripLeadingMinus(zHost)); + blob_append(&zCmd, " ", 1); + shell_escape(&zCmd, mprintf("%s", pUrlData->fossil)); + blob_append(&zCmd, " test-http", 10); + if( pUrlData->path && pUrlData->path[0] ){ + blob_append(&zCmd, " ", 1); +- shell_escape(&zCmd, mprintf("%s", pUrlData->path)); ++ shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path))); + } + if( g.fSshTrace ){ + fossil_print("%s\n", blob_str(&zCmd)+n); /* Show tail of SSH command */ + } + free(zHost); + diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index cbf5ce7d87..d400afd6ef 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -1503,6 +1503,8 @@ repository\" with git-annex.") (string-append "https://www.fossil-scm.org/index.html/uv/" "fossil-src-" version ".tar.gz"))) + (patches (search-patches "fossil-CVE-2017-17459.patch")) + (patch-flags '("-p0")) (sha256 (base32 "0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv")))) -- cgit 1.4.1