nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

gnu: fossil: Fix CVE-2017-17459. 

* gnu/packages/patches/fossil-CVE-2017-17459.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/version-control.scm (fossil)[source]: Use it.
This commit is contained in:
Leo Famulari 2018-01-03 14:15:20 -05:00
parent 1ee750ba4c
commit 0c84e8679c
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
3 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
gnu/local.mk
View File

@ -639,6 +639,7 @@ dist_patch_DATA = \
%D%/packages/patches/fltk-xfont-on-demand.patch \ %D%/packages/patches/fltk-xfont-on-demand.patch \
%D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch \
%D%/packages/patches/foomatic-filters-CVE-2015-8560.patch \ %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch \
%D%/packages/patches/fossil-CVE-2017-17459.patch \
%D%/packages/patches/freeimage-CVE-2015-0852.patch \ %D%/packages/patches/freeimage-CVE-2015-0852.patch \
%D%/packages/patches/freeimage-CVE-2016-5684.patch \ %D%/packages/patches/freeimage-CVE-2016-5684.patch \
%D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \ %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch \

57
gnu/packages/patches/fossil-CVE-2017-17459.patch Normal file
View File

@ -0,0 +1,57 @@
Fix CVE-2017-17459:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
Patch copied from upstream source repository:
https://www.fossil-scm.org/xfer/info/1f63db591c77108c
Index: src/http_transport.c
==================================================================
--- src/http_transport.c
+++ src/http_transport.c
@@ -73,10 +73,23 @@
if( resetFlag ){
transport.nSent = 0;
transport.nRcvd = 0;
}
}
+
+/*
+** Remove leading "-" characters from the input string.
+**
+** This prevents attacks that try to trick a victim into using
+** a ssh:// URI with a carefully crafted hostname of other
+** parameter that ends up being interpreted as a command-line
+** option by "ssh".
+*/
+static const char *stripLeadingMinus(const char *z){
+ while( z[0]=='-' ) z++;
+ return z;
+}
/*
** Default SSH command
*/
#ifdef _WIN32
@@ -116,17 +129,17 @@
}else{
zHost = mprintf("%s", pUrlData->name);
}
n = blob_size(&zCmd);
blob_append(&zCmd, " ", 1);
- shell_escape(&zCmd, zHost);
+ shell_escape(&zCmd, stripLeadingMinus(zHost));
blob_append(&zCmd, " ", 1);
shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
blob_append(&zCmd, " test-http", 10);
if( pUrlData->path && pUrlData->path[0] ){
blob_append(&zCmd, " ", 1);
- shell_escape(&zCmd, mprintf("%s", pUrlData->path));
+ shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
}
if( g.fSshTrace ){
fossil_print("%s\n", blob_str(&zCmd)+n); /* Show tail of SSH command */
}
free(zHost);

2
gnu/packages/version-control.scm
View File

@ -1503,6 +1503,8 @@ repository\" with git-annex.")
(string-append (string-append
"https://www.fossil-scm.org/index.html/uv/" "https://www.fossil-scm.org/index.html/uv/"
"fossil-src-" version ".tar.gz"))) "fossil-src-" version ".tar.gz")))
(patches (search-patches "fossil-CVE-2017-17459.patch"))
(patch-flags '("-p0"))
(sha256 (sha256
(base32 (base32
"0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv")))) "0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv"))))