FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cvs -- Remote code execution via ssh command injection

Affected packages
cvs < 1.20120905_5

Details

VuXML ID d9fe59ea-1940-11e8-9eb8-5404a68ad561
Discovery 2017-08-10
Entry 2018-02-24

Hank Leininger reports:

Bugs in Git, Subversion, and Mercurial were just announced and patched which allowed arbitrary local command execution if a malicious name was used for the remote server, such as starting with - to pass options to the ssh client: git clone ssh://-oProxyCommand=some-command... CVS has a similar problem with the -d option:

Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11.
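The defect class described above is argument injection: the host component of a CVSROOT such as `:ext:host:/path` is passed to `ssh` as a positional destination, so a value beginning with `-` is parsed as an ssh option instead. The following Python is an added example, not code from the advisory or the CVS project; it assumes a simplified `:ext:[user@]host:/path` grammar and an ssh client that honours `--` as the end of options (OpenSSH does; other `CVS_RSH` programs may not).

```python
# Added example: defensive construction of the ssh argument vector that a
# CVS-style ":ext:" client spawns. Two independent mitigations are shown:
# (1) refuse user/host components that begin with "-" (the injection vector
#     on this page, e.g. -oProxyCommand=...), and
# (2) put "--" before the destination so ssh stops option parsing anyway.
import re

# Assumed, simplified CVSROOT grammar: :ext:[user@]host:/absolute/path
_EXT_ROOT = re.compile(
    r"^:ext:(?:(?P<user>[^@:/]+)@)?(?P<host>[^:/]+):(?P<path>/.*)$"
)


class UnsafeCvsRoot(ValueError):
    """Raised when a CVSROOT component could be consumed by ssh as an option."""


def _check_component(name: str, value: str) -> None:
    # A leading "-" is exactly what turns a hostname into an ssh option.
    if value.startswith("-"):
        raise UnsafeCvsRoot(f"{name} {value!r} begins with '-'; refusing")
    # Usernames and hostnames never legitimately contain whitespace or
    # shell metacharacters; reject them rather than trust the remote name.
    if re.search(r"[\s;|&$`]", value):
        raise UnsafeCvsRoot(f"{name} {value!r} contains unexpected characters")


def build_ssh_argv(cvsroot: str, remote_cmd: str = "cvs server") -> list:
    """Return an argv (no shell involved) for reaching the server behind an :ext: root."""
    m = _EXT_ROOT.match(cvsroot)
    if m is None:
        raise UnsafeCvsRoot(f"not an :ext: CVSROOT: {cvsroot!r}")
    user, host = m.group("user"), m.group("host")
    _check_component("host", host)
    if user is not None:
        _check_component("user", user)
    dest = f"{user}@{host}" if user else host
    # "--" ends ssh option processing: even a destination that somehow
    # slipped past the checks above cannot become -o, -F, -i, etc.
    return ["ssh", "--", dest, remote_cmd]


def is_safe_cvsroot(cvsroot: str) -> bool:
    """True if build_ssh_argv would accept the root, False if it would refuse it."""
    try:
        build_ssh_argv(cvsroot)
    except UnsafeCvsRoot:
        return False
    return True
```

Run the function over the -d values a client is about to use; the `-oProxyCommand=...` host from the report above is rejected before any process is spawned.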

References

CVE Name CVE-2017-12836
FreeBSD PR ports/226088
URL http://lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html
URL https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810#10