rebuild ffmpeg for libvpx-1.15.0; fix gcc-14 problem; add patch for new

[oi-userland.git] / components / developer / cvs / patches / 01-CVE-2017-12836.patch

Fix is taken from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810

--- cvs-1.12.13/src/rsh-client.c.~1~    2005-10-02 19:17:21.000000000 +0000
+++ cvs-1.12.13/src/rsh-client.c        2017-08-21 22:02:48.504540428 +0000
@@ -53,8 +53,9 @@
     char *cvs_server = (root->cvs_server != NULL
                        ? root->cvs_server : getenv ("CVS_SERVER"));
     int i = 0;
-    /* This needs to fit "rsh", "-b", "-l", "USER", "host",
-       "cmd (w/ args)", and NULL.  We leave some room to grow. */
+    /* This needs to fit "rsh", "-b", "-l", "USER",
+       "--", "host", "cmd (w/ args)", and NULL.
+       We leave some room to grow. */
     char *rsh_argv[10];
 
     if (!cvs_rsh)
@@ -97,6 +98,9 @@
        rsh_argv[i++] = root->username;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     rsh_argv[i++] = "server";
@@ -171,6 +175,8 @@
            *p++ = root->username;
        }
 
+       *p++ = "--";
+
        *p++ = root->hostname;
        *p++ = command;
        *p++ = NULL;