--- a/src/rsh-client.c.orig 2005-10-02 17:17:21.000000000 +0200
+++ b/src/rsh-client.c 2017-11-07 16:56:06.957370469 +0100
@@ -53,7 +53,7 @@
 char *cvs_server = (root->cvs_server != NULL ? root->cvs_server : getenv ("CVS_SERVER"));
 int i = 0;
- /* This needs to fit "rsh", "-b", "-l", "USER", "host",
+ /* This needs to fit "rsh", "-b", "-l", "USER", "--", "host",
 "cmd (w/ args)", and NULL. We leave some room to grow. */
 char *rsh_argv[10];
@@ -97,6 +97,9 @@
 rsh_argv[i++] = root->username;
 }
+ /* Only non-option arguments from here. (CVE-2017-12836) */
+ rsh_argv[i++] = "--";
+
 rsh_argv[i++] = root->hostname;
 rsh_argv[i++] = cvs_server;
 rsh_argv[i++] = "server";
@@ -171,6 +174,7 @@
 *p++ = root->username;
 }
+ *p++ = "--";
 *p++ = root->hostname;
 *p++ = command;
 *p++ = NULL;
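Review bot: The `--` stored into `rsh_argv` before `root->hostname` only protects against an option-looking hostname if the program named by `cvs_rsh` treats `--` as end-of-options; that holds for the usual rsh and ssh, but `cvs_rsh` comes from `$CVS_RSH` and may name any wrapper, so a hostname beginning with `-` should additionally be rejected where the root is parsed (outside this hunk) rather than relying on the child process alone. With the extra entry the fixed-size `rsh_argv[10]` from the first hunk now holds up to nine pointers before the terminating NULL is stored below this hunk, which still fits but leaves little of the "room to grow" that comment promises, so the array size or the comment is worth revisiting. The enclosing function starts and ends outside this hunk.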
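Review bot: This second `*p++ = "--";` carries no explanation, unlike the parallel insertion in the previous hunk; add the same comment `/* Only non-option arguments from here. (CVE-2017-12836) */` above it so a later reader does not remove it as a stray argument. If the array that `p` writes into is fixed-size like `rsh_argv[10]` in the other function, confirm that the added slot still leaves room for the trailing `*p++ = NULL;`. The enclosing function starts and ends outside this hunk.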