cvs: CVE-2017-12836: CVS and ssh command injection

Related Vulnerabilities: CVE-2017-12836  

Debian Bug report logs - #871810
cvs: CVE-2017-12836: CVS and ssh command injection


Package: src:cvs; Maintainer for src:cvs is Thorsten Glaser <tg@mirbsd.de>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 11 Aug 2017 19:42:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version cvs/2:1.12.13+real-9

Fixed in versions cvs/2:1.12.13+real-24, cvs/2:1.12.13+real-22+deb9u1, cvs/2:1.12.13+real-15+deb8u1

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Fri, 11 Aug 2017 19:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thorsten Glaser <tg@mirbsd.de>. (Fri, 11 Aug 2017 19:42:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Fri, 11 Aug 2017 21:39:16 +0200
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#871810; Package src:cvs. (Fri, 11 Aug 2017 21:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. (Fri, 11 Aug 2017 21:51:03 GMT) (full text, mbox, link).


Message #10 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 871810@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Fri, 11 Aug 2017 21:22:44 +0000 (UTC)
tags 871810 + patch pending
thanks

Salvatore Bonaccorso dixit:

>Severity: grave

Probably not as severe, the attack vector seems minimal.

>[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
>[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Thanks for the heads-up. I’ve got a working patch, but I’ll also
work some more on sanitising username (if possible) and port (not
really necessary but still) parsing and test the changes before
I’ll upload.

For {,{,old}old}stable-security, this should suffice:



Index: src/gnu/usr.bin/cvs/src/rsh-client.c
diff -up src/gnu/usr.bin/cvs/src/rsh-client.c:1.6 src/gnu/usr.bin/cvs/src/rsh-client.c:1.7
--- src/gnu/usr.bin/cvs/src/rsh-client.c:1.6	Sun Mar 26 15:54:10 2017
+++ src/gnu/usr.bin/cvs/src/rsh-client.c	Fri Aug 11 20:41:40 2017
@@ -55,8 +55,9 @@ start_rsh_server (cvsroot_t *root, struc
     char *cvs_server = (root->cvs_server != NULL
 			? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+    /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+       "--", "host", "cvs", "-R", "server", and NULL.
+       We leave some room to grow. */
     char *rsh_argv[16];
     char argvport[16];
 
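Review bot: the capacity of `rsh_argv` is still documented only by the prose comment; with "--" added the fullest listed vector is 12 entries ("rsh", "-b", "-l", USER, "-p", port, "--", host, "cvs", "-R", "server", NULL) against `char *rsh_argv[16]`, so it fits, but a guard such as `assert (i < sizeof rsh_argv / sizeof rsh_argv[0]);` before the terminating NULL would make that invariant checkable rather than something the next person has to recount by hand.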
@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
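Review bot: the separator is inserted immediately before `root->hostname`, which is the right place, but the fix depends on whatever program `$CVS_RSH` names treating "--" as end-of-options; ssh and getopt-based rsh implementations do, while a site wrapper script or an rsh that does not would still hand a hostname beginning with "-" to option parsing, so rejecting such hostnames when `$CVSROOT` is parsed (as the follow-up message proposes) is worth keeping as a second layer rather than treating this hunk as complete on its own.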
@@ -191,6 +195,8 @@ start_rsh_server (cvsroot_t *root, struc
 		*p++ = argvport;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;
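Review bot: this second vector (the `*p++` path) gains the separator without the "(CVE-2017-12836)" comment the first hunk carries; mirror the comment so both copies are found by anyone searching for the CVE, and consider factoring the shared tail (separator, hostname, command, NULL) into one helper so the two code paths cannot drift apart again. Unlike the first hunk, no capacity comment was touched here; if `p` points into a fixed-size array, confirm the extra entry still fits.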



Thanks,
//mirabilos
-- 
13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜<Draget:#cvs> Thank god I found you =)   20:03│«bioe007:#cvs» mira2k: ty
17:14⎜<ldiain:#cvs> Thanks big help you are :-)   <bioe007> mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW!  23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜<bhuey:#cvs> yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou            18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜<paolo:#cvs> i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD.     18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh.  Okay.  Sorry for the dumb question.  Thank you
21:34⎜<centosian:#cvs> mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated  «garrett__:#cvs» thanks for your time
23:39⎜<symons:#cvs> this worked, thank you very much 16:26⎜<schweizer:#cvs> ok
thx, i'll try that     20:00⎜«stableable:#cvs» Thank you.    20:50⎜«s833:#cvs»
mirabilos: thanks a lot.        19:34⎜<bobbytek:#cvs> Thanks for confirming :)
20:08⎜<tsolox:#cvs> ...works like a charm.. thanks mirabilos



Added tag(s) pending and patch. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Fri, 11 Aug 2017 21:51:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Fri, 11 Aug 2017 22:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Fri, 11 Aug 2017 22:03:03 GMT) (full text, mbox, link).


Message #17 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 871810@bugs.debian.org, control@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 00:02:07 +0200
On Aug/11, Thorsten Glaser wrote:
> For {,{,old}old}stable-security, this should suffice:
> [...]

Would you be able to produce debdiffs for jessie and stretch, so we can
review them and give you the go-ahead to upload to security-master ?

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#871810; Package src:cvs. (Fri, 11 Aug 2017 22:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. (Fri, 11 Aug 2017 22:27:04 GMT) (full text, mbox, link).


Message #22 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: Sébastien Delafond <seb@debian.org>, 871810@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Fri, 11 Aug 2017 22:12:52 +0000 (UTC)
Sébastien Delafond dixit:

>On Aug/11, Thorsten Glaser wrote:
>> For {,{,old}old}stable-security, this should suffice:
>> [...]
>
>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

Yes, although they’d look like the patch I showed plus changelog.

But let me take care of sid first please, I also implement hostname
checking to be on the safe side, since other VCSes do so, too.

bye,
//mirabilos
-- 
18:47⎜<mirabilos:#!/bin/mksh> well channels… you see, I see everything in the
same window anyway      18:48⎜<xpt:#!/bin/mksh> i know, you have some kind of
telnet with automatic pong         18:48⎜<mirabilos:#!/bin/mksh> haha, yes :D
18:49⎜<mirabilos:#!/bin/mksh> though that's more tinyirc – sirc is more comfy
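The argv construction changed by the patch in the earlier message, together with the hostname, username and port checks described above as being added for sid, as an added example that is not code from the cvs package or from anyone in this thread. `struct rsh_root`, `build_rsh_argv`, `build_for`, `rsh_hostname_ok`, `rsh_username_ok`, `parse_port` and the program name "ssh" are hypothetical stand-ins for the real `cvsroot_t` and `start_rsh_server`; the `-b` argument of the original vector is omitted because the thread does not say what it does, and the field rules (no leading `-`, a restricted character set) are an assumption that may be stricter than what CVS accepts.

```c
/* Added example, not cvs project code: every name below is a hypothetical
 * stand-in for the real cvsroot_t / start_rsh_server. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RSH_ARGV_MAX 16            /* same room as rsh_argv[16] in the patch */

struct rsh_root {                  /* constructed stand-in for cvsroot_t */
    const char *hostname;
    const char *username;          /* NULL when $CVSROOT names no user */
    int port;                      /* 0 = default port */
    const char *cvs_server;        /* NULL = "cvs" */
};

/* A $CVSROOT field may reach rsh/ssh only if it is non-empty, does not start
 * with '-' (so it can never be read as an option) and contains nothing but
 * alphanumerics and the characters listed in `extra` (assumed rule). */
static int rsh_field_ok(const char *s, const char *extra)
{
    size_t i;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;
    for (i = 0; s[i] != '\0'; i++)
        if (!isalnum((unsigned char)s[i]) && strchr(extra, s[i]) == NULL)
            return 0;
    return 1;
}
int rsh_hostname_ok(const char *host) { return rsh_field_ok(host, ".-:"); }
int rsh_username_ok(const char *user) { return rsh_field_ok(user, "._-"); }

/* Strict decimal port: digits only, no trailing junk, 1..65535. */
int parse_port(const char *s, int *port)
{
    char *end;
    long v;
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return 0;
    *port = (int)v;
    return 1;
}

/* Fill a NULL-terminated argv and return argc, or -1 if a field fails
 * validation or the vector would not fit. */
int build_rsh_argv(const struct rsh_root *root, const char *rsh, int readonlyfs,
                   char argvport[16], const char *argv[RSH_ARGV_MAX])
{
    int i = 0;
    const char *cvs_server = root->cvs_server ? root->cvs_server : "cvs";
#define PUSH(s) do { if (i >= RSH_ARGV_MAX - 1) return -1; argv[i++] = (s); } while (0)
    if (!rsh_hostname_ok(root->hostname) ||
        (root->username != NULL && !rsh_username_ok(root->username)) ||
        root->port < 0 || root->port > 65535)
        return -1;
    PUSH(rsh);
    if (root->username != NULL) { PUSH("-l"); PUSH(root->username); }
    if (root->port != 0) {
        snprintf(argvport, 16, "%d", root->port);
        PUSH("-p"); PUSH(argvport);
    }
    PUSH("--");                    /* only non-option arguments from here on */
    PUSH(root->hostname);
    PUSH(cvs_server);
    if (readonlyfs) PUSH("-R");    /* argument to the remote cvs, not to ssh */
    PUSH("server");
    argv[i] = NULL;                /* PUSH always leaves this slot free */
    return i;
#undef PUSH
}

/* Wrapper for main() and the checks: argc or -1; *sep_index receives the
 * position of "--" when the vector was built. */
int build_for(const char *host, const char *user, const char *port_str,
              int readonlyfs, int *sep_index)
{
    struct rsh_root root = { host, user, 0, NULL };
    char argvport[16];
    const char *argv[RSH_ARGV_MAX];
    int argc, k;
    if (port_str != NULL && !parse_port(port_str, &root.port))
        return -1;
    argc = build_rsh_argv(&root, "ssh", readonlyfs, argvport, argv);
    for (k = 0; sep_index != NULL && k < argc; k++)
        if (strcmp(argv[k], "--") == 0)
            *sep_index = k;
    return argc;
}

int main(void)
{   /* constructed inputs: a normal host and one that would parse as an option */
    const char *hosts[] = { "cvs.example.org", "-not-a-host" };
    int h, sep, argc;
    for (h = 0; h < 2; h++) {
        sep = -1;
        argc = build_for(hosts[h], "alice", "2401", 1, &sep);
        printf("%-16s %s (argc=%d, \"--\" at %d)\n", hosts[h],
               argc < 0 ? "rejected" : "accepted", argc, sep);
    }
    return 0;
}
```

The validation complements the `--` separator rather than replacing it: the separator covers whatever the remote-shell program would otherwise do with an option-looking host, while the field checks cover a `$CVS_RSH` wrapper that does not honour `--`, and rejecting the value before any process is spawned is the cheaper failure.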



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 01:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. (Sat, 12 Aug 2017 01:36:03 GMT) (full text, mbox, link).


Message #27 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: Sébastien Delafond <seb@debian.org>, 871810@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 01:32:48 +0000 (UTC)
Sébastien Delafond dixit:

>Would you be able to produce debdiffs for jessie and stretch, so we can
>review them and give you the go-ahead to upload to security-master ?

OK, now that I’m waiting on the multi-hour testsuite results on sid.
(It’s mostly that, due to the extra checks, the testsuite needs changes,
not the code.)

I’m attaching one for stretch, and if it pleases you, I’ll do them in
the same vein for jessie and wheezy and upload them. (As I said, they
will all look identical, the code has not changed in quite a while…
the file in question did not change *at all*, and it’s not affected
by the other code changes since then.)

Since I do not upload to past releases often: do I just dput them,
or do I put them on a different upload server/queue?

Thanks,
//mirabilos
-- 
> find both emacs and vi nauseating (joe rules) and consider pine the only
> usable text-mode mail client (and I have tried them all). ;)
Helloooooo, I'm Holger ("Hello Holger!"), and I am likewise
... a pine user, and a habitual one at that ("Oooooooohhh").  [from dasr]
[cvs_1.12.13+real-22+deb9u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 10:39:13 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sat, 12 Aug 2017 10:39:13 GMT) (full text, mbox, link).


Message #32 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>
Cc: 871810@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 12:36:57 +0200
On Aug/12, Thorsten Glaser wrote:
> I’m attaching one for stretch, and if it pleases you, I’ll do them in
> the same vein for jessie and wheezy and upload them. (As I said, they
> will all look identical, the code has not changed in quite a while…
> the file in question did not change *at all*, and it’s not affected
> by the other code changes since then.)
> 
> Since I do not upload to past releases often: do I just dput them,
> or do I put them on a different upload server/queue?

Thank you, the stretch one looks alright. You can simply upload it to
security-master[0]. Don't forget to build with -sa as the package will
be new there.

Please do the same for the jessie fix (targeting jessie-security of
course), including -sa.

For wheezy, you'll need to check directly with the Debian LTS team, that
can be reached via debian-lts@lists.debian.org.

Cheers,

--Seb

[0] https://www.debian.org/security/faq.html#SecurityUploadQueue



Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 14:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sat, 12 Aug 2017 14:12:03 GMT) (full text, mbox, link).


Message #37 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Sébastien Delafond <seb@debian.org>
Cc: Thorsten Glaser <tg@mirbsd.de>, 871810@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 15:34:41 +0200
On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
> On Aug/12, Thorsten Glaser wrote:
> > I’m attaching one for stretch, and if it pleases you, I’ll do them in
> > the same vein for jessie and wheezy and upload them. (As I said, they
> > will all look identical, the code has not changed in quite a while…
> > the file in question did not change *at all*, and it’s not affected
> > by the other code changes since then.)
> > 
> > Since I do not upload to past releases often: do I just dput them,
> > or do I put them on a different upload server/queue?
> 
> Thank you, the stretch one looks alright. You can simply upload it to
> security-master[0]. Don't forget to build with -sa as the package will
> be new there.

The attached debdiff targets "stretch", though. That needs to be
stretch-security.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 14:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sat, 12 Aug 2017 14:21:06 GMT) (full text, mbox, link).


Message #42 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>
Cc: Sébastien Delafond <seb@debian.org>, 871810@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 16:16:35 +0200
Hi

On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
> On Aug/12, Thorsten Glaser wrote:
> > I’m attaching one for stretch, and if it pleases you, I’ll do them in
> > the same vein for jessie and wheezy and upload them. (As I said, they
> > will all look identical, the code has not changed in quite a while…
> > the file in question did not change *at all*, and it’s not affected
> > by the other code changes since then.)
> > 
> > Since I do not upload to past releases often: do I just dput them,
> > or do I put them on a different upload server/queue?
> 
> Thank you, the stretch one looks alright. You can simply upload it to
> security-master[0]. Don't forget to build with -sa as the package will
> be new there.
> 
> Please do the same for the jessie fix (targeting jessie-security of
> course), including -sa.

Actually please do only the first one with -sa, then wait for the
ACCEPTED mail into the embargoed queue, then the second one without
-sa (preferably, otherwise this would cause potential issues when
uploading the packages from security-master to ftp-master for the
proposed-updates queues).

For the security-upload s/stretch/stretch-security/ but that was
already commented by Moritz :)

Thanks a lot for your work!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 16:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. (Sat, 12 Aug 2017 16:39:03 GMT) (full text, mbox, link).


Message #47 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Sébastien Delafond <seb@debian.org>, 871810@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 16:25:24 +0000 (UTC)
Salvatore Bonaccorso dixit:

>For the security-upload s/stretch/stretch-security/ but that was
>already commented by Moritz :)

OK, will do.

>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
>>
>> > Since I do not upload to past releases often: do I just dput them,
>> > or do I put them on a different upload server/queue?
>>
>> Thank you, the stretch one looks alright. You can simply upload it to
>> security-master[0]. Don't forget to build with -sa as the package will
>> be new there.

That would be “dput security-master *.changes”, for future reference.

>Actually please do only the first one with -sa, then wait for the
>ACCEPTED mail into the embargoed queue, then the second one without
>-sa (preferably, otherwise this would cause potential issues when
>uploading the packages from security-master to ftp-master for the
>proposed-updates queues).

OK, I understand.

>> Please do the same for the jessie fix (targeting jessie-security of
>> course), including -sa.

>>For wheezy, you'll need to check directly with the Debian LTS team, that
>>can be reached via debian-lts@lists.debian.org.

Will do.

>Thanks a lot for your work!

Thanks for guiding me through it, as well.

bye,
//mirabilos
-- 
As long as you don't do dirty tricks, and I mean *really*
dirty tricks, like XORing both pointers of a doubly linked
list and storing them in a single word, Boehm works quite
excellently.		-- Andreas Bogk on boehm-gc in d.a.s.r



Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 17:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sat, 12 Aug 2017 17:36:06 GMT) (full text, mbox, link).


Message #52 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@debian.org>
To: debian-lts@lists.debian.org
Cc: 871810@bugs.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 17:26:22 +0000 (UTC)
Hi LTS team,

>>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:

>>>For wheezy, you'll need to check directly with the Debian LTS team, that
>>>can be reached via debian-lts@lists.debian.org.

is the attached debdiff ok to upload? (Specifically, is the distribution
in the changelog set correctly?) Obviously, I’ll build it in a wheezy
cowbuilder first.

How do I upload, i.e. to what queue do I dput, and do I use -sa?

Thanks,
//mirabilos
-- 
11:56⎜«liwakura:#!/bin/mksh» also, i wanted to add mksh to my own distro │
i was disappointed that there is no makefile │ but somehow the Build.sh is
the least painful built system i've ever seen │ honours CC, {CPP,C,LD}FLAGS
properly │ looks cleary like done by someone who knows what they are doing
[cvs_1.12.13+real-9+deb7u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 17:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sat, 12 Aug 2017 17:54:03 GMT) (full text, mbox, link).


Message #57 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Thorsten Glaser <tg@debian.org>, debian-lts@lists.debian.org
Cc: 871810@bugs.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 13:44:31 -0400
Hi Thorsten,

> is the distribution in the changelog set correctly

Yep.

> How do I upload, i.e. to what queue do I dput, and do I use -sa?

Can I link you to:

  https://wiki.debian.org/LTS/Development

If there is something missing there let us know and we'll add it; thus
saving the "next" person a question :)



Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sat, 12 Aug 2017 17:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Roberto C. Sánchez <roberto@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sat, 12 Aug 2017 17:54:05 GMT) (full text, mbox, link).


Message #62 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Roberto C. Sánchez <roberto@debian.org>
To: Thorsten Glaser <tg@debian.org>
Cc: debian-lts@lists.debian.org, 871810@bugs.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sat, 12 Aug 2017 13:43:35 -0400
Hi Thorsten,

On Sat, Aug 12, 2017 at 05:26:22PM +0000, Thorsten Glaser wrote:
> Hi LTS team,
> 
> >>On Sat, Aug 12, 2017 at 12:36:57PM +0200, Sébastien Delafond wrote:
> 
> >>>For wheezy, you'll need to check directly with the Debian LTS team, that
> >>>can be reached via debian-lts@lists.debian.org.
> 
> is the attached debdiff ok to upload? (Specifically, is the distribution
> in the changelog set correctly?) Obviously, I’ll build it in a wheezy
> cowbuilder first.

Yes, that looks correct.  You could also do a source-only upload
(assuming that you have otherwise built/tested in a wheezy environment).

> 
> How do I upload, i.e. to what queue do I dput, and do I use -sa?
> 
You can dput to security-master like a normal security update and -sa
would likely get the upload rejected as the .orig.tar.gz is already in
the archive.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Sat, 12 Aug 2017 21:21:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 12 Aug 2017 21:21:03 GMT) (full text, mbox, link).


Message #67 received at 871810-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: 871810-close@bugs.debian.org
Subject: Bug#871810: fixed in cvs 2:1.12.13+real-24
Date: Sat, 12 Aug 2017 21:19:02 +0000
Source: cvs
Source-Version: 2:1.12.13+real-24

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871810@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sat, 12 Aug 2017 22:18:41 +0200
Source: cvs
Binary: cvs
Architecture: source
Version: 2:1.12.13+real-24
Distribution: unstable
Urgency: high
Maintainer: Thorsten Glaser <tg@mirbsd.de>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description:
 cvs        - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-24) unstable; urgency=high
 .
   * Update from MirBSD
     - fix for CVE-2017-12836 (Closes: #871810)
     - more robust $CVSROOT parsing
   * Policy 4.0.1
     - add nodoc build option
       ‣ I’m unclear on how this mixes with build profiles and/or
         Build-Depends exclusion; should I exclude ghostscript,
         groff, texinfo, texlive-* with <!nodocs> now, or are
         DEB_BUILD_OPTIONS=nodoc and the profile independent of
         each other? Info and patches welcome.
   * Drop explicit (thus redundant) autotools-dev B-D (lintian)
   * Update lintian overrides
Checksums-Sha1:
 85f024f04c53d4290658ff1a4e6baab8b1e512f2 2011 cvs_1.12.13+real-24.dsc
 d8c087ff4d0b61056d58719d37bad9cdc3a265cb 138310 cvs_1.12.13+real-24.diff.gz
Checksums-Sha256:
 cad964354a526ec9b5da0d1711def6f6ca54ab640fee0599b8410312f6ab9ec8 2011 cvs_1.12.13+real-24.dsc
 77f9e0c2921b180829cce3bfd15a709ab59efdf4c4fa619510c3a12700df3c25 138310 cvs_1.12.13+real-24.diff.gz
Files:
 1e8dc16f9c7aa0f81666537d630a92c8 2011 vcs optional cvs_1.12.13+real-24.dsc
 e4c6162b1d97edc7a0b806ea1f4da9e6 138310 vcs optional cvs_1.12.13+real-24.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)
Comment: ☃ ЦΤℱ—8 ☕☂☄

iQIcBAEBCQAGBQJZj2b0AAoJEHa1NLLpkAfgJssP/jd1qbNAGcF60MiUXqLA7nXo
uz2lmRfesxWynpaqWpt5HdLN3wmGTx8U94wOFdvGubkbPJ1YPqSmgfRqIODKQc+Y
eYWRCnnZexTKRtoyuClVgAj3PJyWGsGdw0aFXBYBjFpvpn6BS/6ziX8Kn9oiu1/f
NHrQEWutfute7Vp7b9nhmulg//0dhOkjH21o1t0PaJRIwesEU1JnxeyiAEvM63IZ
IQ1pfcU+r9nWt+xN/n13Itsbx3zUcZEs50mg2OJ4ubx87I9XEJaBAMGNbPG/q5mQ
fHuG/3D1FroGZRVMLfDZA7PEI4tT2YfpxstfSemlLJUFdloU8TDcqZCzdj+c1rwB
TB+2Qrqid7v3AOeUsWtmRANPULPr0PWbUmayaQaM6Ub8a5kulxuUAh5S7xsFL65Z
iNng+q8GqHTgZyXryJHiUMELCR+7tVIOMlx2kI9l0JnKSHRul4sXhy7ahQSBF20h
sGeL2e64gUd/sGTKosDQoqyRp8uGaUQ1k3VpqPZp9BJ08RSfDK26FaQpz+XdAE0C
SEray97gc77NLikJZIogyeFfC7PRw0dTy5Hi39GaM3R/63+YXQ069rniHm6e9WQl
MLLSduIZagJq2KgGclTkDAM/4hayCjX6Yjpyy2uCwd5kpduccBrWKHhvKkxFsYxg
gg/vy6DsopATR4/nXOIE
=Pj7h
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Thorsten Glaser <tg@mirbsd.de>:
Bug#871810; Package src:cvs. (Sun, 13 Aug 2017 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Thorsten Glaser <tg@mirbsd.de>. (Sun, 13 Aug 2017 18:27:03 GMT) (full text, mbox, link).


Message #72 received at 871810@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Thorsten Glaser <tg@debian.org>, debian-lts@lists.debian.org
Cc: 871810@bugs.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Sun, 13 Aug 2017 14:23:21 -0400
Hi Thorsten,

> […]

Thanks for uploading. I'll send the DLA announcement out now…


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information stored :
Bug#871810; Package src:cvs. (Mon, 14 Aug 2017 14:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and filed, but not forwarded. (Mon, 14 Aug 2017 14:27:06 GMT) (full text, mbox, link).


Message #77 received at 871810-quiet@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>, Sébastien Delafond <seb@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 871810-quiet@bugs.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Mon, 14 Aug 2017 10:24:49 -0400
Hi Thorsten,

> >Thanks for uploading. I'll send the DLA announcement out now…
> 
> Thanks for that. I spent yesterday mostly offline.

That's what Sundays are for. :)  For completeness, here was what was
sent:

  https://lists.debian.org/debian-lts-announce/2017/08/msg00008.html

Thanks again :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information stored :
Bug#871810; Package src:cvs. (Mon, 14 Aug 2017 14:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and filed, but not forwarded. (Mon, 14 Aug 2017 14:39:03 GMT) (full text, mbox, link).


Message #82 received at 871810-quiet@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: Sébastien Delafond <seb@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>, 871810-quiet@bugs.debian.org
Subject: Re: Bug#871810: cvs: CVE-2017-12836: CVS and ssh command injection
Date: Mon, 14 Aug 2017 14:11:56 +0000 (UTC)
Hi,

>As you have seen, Seb took the coordination for jessie- and
>stretch-security.

… and…

>Thanks for uploading. I'll send the DLA announcement out now…

Thanks for that. I spent yesterday mostly offline.

bye,
//mirabilos
-- 
<diogenese> Beware of ritual lest you forget the meaning behind it.
<igli> yeah but it means if you really care about something, don't
    ritualise it, or you will lose it. don't fetishise it, don't
    obsess. or you'll forget why you love it in the first place.



Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Tue, 22 Aug 2017 21:36:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 21:36:06 GMT) (full text, mbox, link).


Message #87 received at 871810-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: 871810-close@bugs.debian.org
Subject: Bug#871810: fixed in cvs 2:1.12.13+real-22+deb9u1
Date: Tue, 22 Aug 2017 21:32:15 +0000
Source: cvs
Source-Version: 2:1.12.13+real-22+deb9u1

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871810@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sat, 12 Aug 2017 19:19:53 +0200
Source: cvs
Binary: cvs
Architecture: source i386
Version: 2:1.12.13+real-22+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Thorsten Glaser <tg@mirbsd.de>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description:
 cvs        - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-22+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-12836 (Closes: #871810)




Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Tue, 22 Aug 2017 21:51:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 21:51:19 GMT)


Message #92 received at 871810-close@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 871810-close@bugs.debian.org
Subject: Bug#871810: fixed in cvs 2:1.12.13+real-15+deb8u1
Date: Tue, 22 Aug 2017 21:48:25 +0000
Source: cvs
Source-Version: 2:1.12.13+real-15+deb8u1

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871810@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 12 Aug 2017 19:22:05 +0200
Source: cvs
Binary: cvs
Architecture: source i386
Version: 2:1.12.13+real-15+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description:
 cvs        - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-15+deb8u1) jessie-security; urgency=high
 .
   * Fix CVE-2017-12836 (Closes: #871810)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:25:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:43:45 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.