FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cvs -- Remote code execution via ssh command injection

Affected packages
cvs < 1.20120905_5


VuXML ID d9fe59ea-1940-11e8-9eb8-5404a68ad561
Discovery 2017-08-10
Entry 2018-02-24

Hank Leininger reports:

Bugs in Git, Subversion, and Mercurial were just announced and patched which allowed arbitrary local command execution if a malicious name was used for the remote server, such as starting with - to pass options to the ssh client: git clone ssh://-oProxyCommand=some-command... CVS has a similar problem with the -d option:

Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.
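The mechanism behind the report, as an added illustration (not code from the report above or from the CVS project): a ":ext:" CVSROOT is turned into an ssh command line of the shape "ssh [-l user] host cvs server", so a host field that begins with "-" is consumed by ssh's option parser before it ever looks for a hostname. The script below models that construction with a deliberately simplified CVSROOT parser (it handles only ":ext:[user@]host:/path"; real CVS also deals with ports and CVS_RSH) and an approximation of ssh's getopt loop that knows "-l", "-o" and "--". The hardened builder refuses a host that starts with "-" and ends option parsing with "--"; both are the general mitigations the sibling Git/Subversion/Mercurial fixes used, not necessarily what the CVS port patch does. The malicious CVSROOT value is constructed for the example.

```python
"""Model how a ':ext:' CVSROOT becomes an ssh argv, and why a host beginning
with '-' is an option-injection vector (the CVE-2017-12836 class of bug)."""

from typing import List, Tuple


def parse_ext_root(cvsroot: str) -> Tuple[str, str, str]:
    """Split ':ext:[user@]host:/path' into (user, host, path).

    Simplified parser (assumption): first ':' after the method ends the host
    part, last '@' in the host part separates the user name.
    """
    if not cvsroot.startswith(":ext:"):
        raise ValueError("not an :ext: root")
    rest = cvsroot[len(":ext:"):]
    hostpart, sep, path = rest.partition(":")
    if not sep:
        raise ValueError("missing ':' before repository path")
    user, at, host = hostpart.rpartition("@")
    if not at:
        user, host = "", hostpart
    return user, host, path


def vulnerable_ssh_argv(cvsroot: str, cvs_rsh: str = "ssh") -> List[str]:
    """Naive rsh-client behaviour: options, then the host, then the remote
    command. Nothing prevents the host from being parsed as an ssh option."""
    user, host, _path = parse_ext_root(cvsroot)
    argv = [cvs_rsh]
    if user:
        argv += ["-l", user]
    argv += [host, "cvs", "server"]
    return argv


def hardened_ssh_argv(cvsroot: str, cvs_rsh: str = "ssh") -> List[str]:
    """Same construction with two general mitigations: reject a host that would
    be parsed as an option, and terminate option parsing with '--'."""
    user, host, _path = parse_ext_root(cvsroot)
    if not host or host.startswith("-"):
        raise ValueError(f"refusing hostname that looks like an option: {host!r}")
    argv = [cvs_rsh]
    if user:
        argv += ["-l", user]
    argv += ["--", host, "cvs", "server"]
    return argv


def ssh_option_view(argv: List[str]) -> Tuple[List[str], str]:
    """Approximate ssh's getopt loop: return (options consumed, host it would
    connect to). Only '-l', '-o' (with or without a separate value) and '--'
    are modelled (assumption); anything else starting with '-' is a flag."""
    opts: List[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            i += 1
            break
        if not arg.startswith("-"):
            break
        if arg in ("-l", "-o"):          # option with its value in the next word
            opts.append(arg + " " + argv[i + 1])
            i += 2
        else:                            # '-oKEY=VAL' or a bare flag
            opts.append(arg)
            i += 1
    host = argv[i] if i < len(argv) else ""
    return opts, host


if __name__ == "__main__":
    # Constructed malicious root: the "host" is really an ssh ProxyCommand.
    bad = ":ext:-oProxyCommand=touch /tmp/pwned:/cvsroot"
    argv = vulnerable_ssh_argv(bad)
    opts, host = ssh_option_view(argv)
    print("argv:", argv)
    print("ssh would apply options", opts, "and treat", repr(host), "as the host;")
    print("the ProxyCommand runs before any connection to", repr(host), "is attempted")
    try:
        hardened_ssh_argv(bad)
    except ValueError as err:
        print("hardened builder:", err)
```

The vulnerable argv for the constructed root is ["ssh", "-oProxyCommand=touch /tmp/pwned", "cvs", "server"]: ssh accepts the first word as a -o option, takes "cvs" as the hostname and "server" as the remote command, and executes the ProxyCommand locally before it would ever fail to resolve "cvs". The "-l user" form from a user@host root does not change this, since the injected host still lands in option position. Note that the "--" alone is not sufficient if the client ever falls back to a CVS_RSH program that does not honour getopt's end-of-options marker, which is why the explicit leading-dash check is kept as well.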


CVE Name CVE-2017-12836
FreeBSD PR ports/226088