Fix for CVE-2017-12836, extracted from MirBSD repository.

--- a/src/rsh-client.c
+++ b/src/rsh-client.c
@@ -97,6 +97,9 @@ start_rsh_server (cvsroot_t *root, struc
 	rsh_argv[i++] = root->username;
     }
 
+    /* Only non-option arguments from here. (CVE-2017-12836) */
+    rsh_argv[i++] = "--";
+
     rsh_argv[i++] = root->hostname;
     rsh_argv[i++] = cvs_server;
     rsh_argv[i++] = "server";
@@ -171,6 +174,8 @@ start_rsh_server (cvsroot_t *root, struc
 	    *p++ = root->username;
 	}
 
+	*p++ = "--";
+
 	*p++ = root->hostname;
 	*p++ = command;
 	*p++ = NULL;