49d8789e48
shells/rssh: Apply fixes for basename(3) handling and some security issues basename(3) has been changed to be POSIX compliant in r308264. This implies that it can possibly write to the passed string. shells/rssh passes a const string, so it always crashes on invocation with FreeBSD 12 and later. The new patches remedy this issue. [1] [2] During further tests and research came to light that there were also recently discovered security issues with the parsing of rsync/scp command line arguments and insufficient sanitization of environment variables when using rysnc. The corresponding fixes have been incorporated to the new patches and the already existing patch for the RSYNC option has been tightened for the argument parsing. Please note that with this patch the scp option "-3" can no longer be used. [3] Furthermore, another patch was applied to make this port a bit more secure. That patch handles a buffer allocation issue for an error message. [4] PR: 235121 Submitted by: topical@gmx.net (first version) [1], Jason Harris (maintainer) [2] Approved by: tcberner (mentor) Obtained from: Debian [3] [4] Security: d193aa9f-3f8c-11e9-9a24-6805ca0b38e8 Differential Revision: https://reviews.freebsd.org/D19474 Approved by: ports-secteam (riggs), mentors implicit |
||
---|---|---|
.. | ||
files | ||
distinfo | ||
Makefile | ||
pkg-descr | ||
pkg-plist |