diff -u cvs-1.12.13+real/debian/changelog cvs-1.12.13+real/debian/changelog
--- cvs-1.12.13+real/debian/changelog
+++ cvs-1.12.13+real/debian/changelog
@@ -1,3 +1,11 @@
+cvs (2:1.12.13+real-22ubuntu0.1) zesty-security; urgency=medium
+
+ * SECURITY UPDATE: SSH command injection via -o - src/rsh-client.c: fix argument parsing - CVE-2017-12836
+
+ -- Leonidas S. Barbosa Thu, 17 Aug 2017 13:04:31 -0300
+
 cvs (2:1.12.13+real-22) unstable; urgency=low
 * cvs init: Change default history logging configuration
diff -u cvs-1.12.13+real/debian/control cvs-1.12.13+real/debian/control
--- cvs-1.12.13+real/debian/control
+++ cvs-1.12.13+real/debian/control
@@ -1,7 +1,8 @@
 Source: cvs
 Section: vcs
 Priority: optional
-Maintainer: Thorsten Glaser
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Thorsten Glaser
 Homepage: http://www.nongnu.org/cvs/
 Build-Depends: debhelper (>= 10), autotools-dev, bsdmainutils, ghostscript, groff, libbsd-dev, libkrb5-dev | heimdal-dev, procps,
diff -u cvs-1.12.13+real/src/rsh-client.c cvs-1.12.13+real/src/rsh-client.c
--- cvs-1.12.13+real/src/rsh-client.c
+++ cvs-1.12.13+real/src/rsh-client.c
@@ -53,8 +53,9 @@
 char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port, "host",
- "cmd (w/ args)", and NULL. We leave some room to grow. */
+ /* This needs to fit "rsh", "-b", "-l", "USER", "-p", port,
+ "--", "host", "cvs", "-R", "server", and NULL.
+ We leave some room to grow. */
 char *rsh_argv[16];
 char argvport[16];
@@ -105,6 +106,9 @@
 rsh_argv[i++] = argvport;
 }
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 if (readonlyfs)
@@ -189,6 +193,8 @@
 *p++ = argvport;
 }
+ *p++ = "--";
+
 *p++ = root->hostname;
 *p++ = command;
 *p++ = NULL;
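Review bot: The `"--"` inserted before `root->hostname` only protects a hostname that starts with `-` if the program named by `cvs_rsh`/`CVS_RSH` honors the POSIX end-of-options convention; ssh and getopt-based rsh implementations do, but a user-supplied wrapper script may not, in which case `--` itself would be taken as the host. That assumption should be recorded next to the fix so a later cleanup does not drop the separator: `/* Only non-option arguments from here.  (CVE-2017-12836)  Assumes $CVS_RSH treats "--" as end of options, as ssh and getopt-based rsh do. */`. The enclosing start_rsh_server begins and ends outside this hunk.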
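Review bot: The `*p++ = "--";` added in the `@@ -189,6 +193,8 @@` hunk carries no explanation, unlike the parallel insertion in the rsh_argv path, so the reason for the extra slot is lost in this copy of the argument building; add the same comment above it: `/* Only non-option arguments from here.  (CVE-2017-12836) */`. The first rsh-client.c hunk recounts the capacity of `rsh_argv[16]` for the new entry, but the array that `p` writes into is sized outside this hunk; if it is a fixed-size allocation, confirm it still has room for one more pointer ahead of the `NULL` terminator. The enclosing function starts and ends outside the hunk.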