gnu: fossil: Fix CVE-2017-17459.

* gnu/packages/patches/fossil-CVE-2017-17459.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/version-control.scm (fossil)[source]: Use it.
2018-01-03 14:15:20 -05:00 · 2018-01-03 14:15:20 -05:00 · 0c84e8679c
parent 1ee750ba4c
commit 0c84e8679c
3 changed files with 60 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -639,6 +639,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/fltk-xfont-on-demand.patch		\
  %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch	\
  %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch	\
+  %D%/packages/patches/fossil-CVE-2017-17459.patch		\
  %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
  %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
  %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch	\
--- a/gnu/packages/patches/fossil-CVE-2017-17459.patch
+++ b/gnu/packages/patches/fossil-CVE-2017-17459.patch
@ -0,0 +1,57 @@
+Fix CVE-2017-17459:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
+
+Patch copied from upstream source repository:
+
+https://www.fossil-scm.org/xfer/info/1f63db591c77108c
+
+Index: src/http_transport.c
+==================================================================
+--- src/http_transport.c
+++ src/http_transport.c
+@@ -73,10 +73,23 @@
+   if( resetFlag ){
+     transport.nSent = 0;
+     transport.nRcvd = 0;
+   }
+ }
+
+/*
+** Remove leading "-" characters from the input string.
+**
+** This prevents attacks that try to trick a victim into using
+** a ssh:// URI with a carefully crafted hostname of other
+** parameter that ends up being interpreted as a command-line
+** option by "ssh".
+*/
+static const char *stripLeadingMinus(const char *z){
+  while( z[0]=='-' ) z++;
+  return z;
+}
+ 
+ /*
+ ** Default SSH command
+ */
+ #ifdef _WIN32
+@@ -116,17 +129,17 @@
+   }else{
+     zHost = mprintf("%s", pUrlData->name);
+   }
+   n = blob_size(&zCmd);
+   blob_append(&zCmd, " ", 1);
+-  shell_escape(&zCmd, zHost);
+  shell_escape(&zCmd, stripLeadingMinus(zHost));
+   blob_append(&zCmd, " ", 1);
+   shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
+   blob_append(&zCmd, " test-http", 10);
+   if( pUrlData->path && pUrlData->path[0] ){
+     blob_append(&zCmd, " ", 1);
+-    shell_escape(&zCmd, mprintf("%s", pUrlData->path));
+    shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
+   }
+   if( g.fSshTrace ){
+     fossil_print("%s\n", blob_str(&zCmd)+n);  /* Show tail of SSH command */
+   }
+   free(zHost);
+
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@ -1503,6 +1503,8 @@ repository\" with git-annex.")
             (string-append
              "https://www.fossil-scm.org/index.html/uv/"
              "fossil-src-" version ".tar.gz")))
+       (patches (search-patches "fossil-CVE-2017-17459.patch"))
+       (patch-flags '("-p0"))
       (sha256
        (base32
         "0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv"))))