shells/rssh: Apply fixes for basename(3) handling and some security issues
basename(3) has been changed to be POSIX compliant in r308264. This implies
that it can possibly write to the passed string. shells/rssh passes a const
string, so it always crashes on invocation with FreeBSD 12 and later. The
new patches remedy this issue. [1] [2]
During further tests and research came to light that there were also
recently discovered security issues with the parsing of rsync/scp command
line arguments and insufficient sanitization of environment variables when
using rysnc.
The corresponding fixes have been incorporated to the new patches and the
already existing patch for the RSYNC option has been tightened for the
argument parsing. Please note that with this patch the scp option "-3" can
no longer be used. [3]
Furthermore, another patch was applied to make this port a bit more secure.
That patch handles a buffer allocation issue for an error message. [4]
PR: 235121
Submitted by: topical@gmx.net (first version) [1], Jason Harris (maintainer) [2]
Approved by: tcberner (mentor)
Obtained from: Debian [3] [4]
Security: d193aa9f-3f8c-11e9-9a24-6805ca0b38e8
Differential Revision: https://reviews.freebsd.org/D19474
Approved by: ports-secteam (riggs), mentors implicit
49d8789e48