From a7831a16c3e0e1463d5eb08a58af152cb75ca976 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Mon, 15 Apr 2019 06:05:58 +0000
Subject: [PATCH] Fix CVE-2019-7282 and CVE-2019-7283

Description: Fix CVE-2018-20685 and CVE-2019-6111
Bug-Debian: https://bugs.debian.org/920486
Origin: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2#diff-9f340c228413d5a9a9206ea2ed2bc624R1114

Upstream-Status: Backport [Debian]
[https://sources.debian.org/src/netkit-rsh/0.17-20/debian/patches/fix-CVE-2018-20685-and-CVE-2019-6111.patch]

CVE: CVE-2019-7282 CVE-2019-7283

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 rcp/rcp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rcp/rcp.c b/rcp/rcp.c
index ca61c18..77d8ff8 100644
--- a/rcp/rcp.c
+++ b/rcp/rcp.c
@@ -740,6 +740,11 @@ sink(int argc, char *argv[])
 			size = size * 10 + (*cp++ - '0');
 		if (*cp++ != ' ')
 			SCREWUP("size not delimited");
+		if (*cp == '\0' || strchr(cp, '/') != NULL ||
+		    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+			error("error: unexpected filename: %s", cp);
+			exit(1);
+		}
 		if (targisdir) {
 			static char *namebuf;
 			static int cursize;