Fix for CVE-2017-12836, extracted from MirBSD repository.

--- src/rsh-client.c	2017/03/26 15:54:10	1.6
+++ src/rsh-client.c	2017/08/11 20:41:40	1.7
@@ -107,6 +108,9 @@ start_rsh_server (cvsroot_t *root, struc
 	rsh_argv[i++] = argvport;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     if (readonlyfs)
@@ -190,6 +194,8 @@ start_rsh_server (cvsroot_t *root, struc
 		*p++ = "-p";
 		*p++ = argvport;
 	}
+
+	*p++ = "--";
 
 	*p++ = root->hostname;
 	*p++ = command;