First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 86476
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
cvs-1.11.18-kclockwork.patch cvs-1.11.18-kclockwork.patch patch solar 2005-03-24 09:45 0000 2.92 KB Details | Diff
cvs-1.12.11-klocwork.patch cvs-1.12.11-klocwork.patch patch solar 2005-03-24 09:46 0000 2.76 KB Details | Diff
cvs-1.12.11-r1.ebuild cvs-1.12.11-r1.ebuild text/plain solar 2005-03-24 10:05 0000 1.87 KB Details
cvs-1.11.18-r1.ebuild cvs-1.11.18-r1.ebuild text/plain solar 2005-03-24 10:05 0000 1.59 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 86476 depends on: Show dependency tree
Bug 86476 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-03-23 23:59 0000 
Remote DoS and other issues are reported.

------- Comment #1 From solar 2005-03-24 09:45:46 0000 ------- 
Created an attachment (id=54351) [edit]
cvs-1.11.18-kclockwork.patch

------- Comment #2 From solar 2005-03-24 09:46:46 0000 ------- 
Created an attachment (id=54352) [edit]
cvs-1.12.11-klocwork.patch

------- Comment #3 From solar 2005-03-24 09:47:47 0000 ------- 
cvs-1.11.18-kclockwork.patch  should be renamed to klocwork vs kclockwork

------- Comment #4 From solar 2005-03-24 10:05:17 0000 ------- 
Created an attachment (id=54354) [edit]
cvs-1.12.11-r1.ebuild

------- Comment #5 From solar 2005-03-24 10:05:55 0000 ------- 
Created an attachment (id=54355) [edit]
cvs-1.11.18-r1.ebuild

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-03-28 21:16:10 0000 ------- 
Please test and report results back on this bug. Do NOT commit anything yet.
Calling specific testers as this bug is still not open. If anyone is not able
to do it soon, please point at another tester from your arch team.

alpha -> kloeri
amd64 -> blubb
ppc -> SeJo
ppc64 -> corsair
sparc -> gustavoz
x86 -> tester

Also note that we have no maintainer for this package atm.

------- Comment #7 From Olivier Crete 2005-03-28 21:43:39 0000 ------- 
Btw, is it pserver related, client/server? What parts needs testing? I haven't
found any problem on x86 in my basic general testing.

------- Comment #8 From Thierry Carrez (RETIRED) 2005-03-29 03:39:26 0000 ------- 
AFAICT it's various null dereferences fixes and mostly a buffer overflow in
rcs.c when asking for a strange version or author. So general testing should be
sufficient ?

------- Comment #9 From Markus Rothe 2005-03-29 05:09:47 0000 ------- 
looks good on ppc64.

------- Comment #10 From Gustavo Zacarias (RETIRED) 2005-03-29 06:36:16 0000 ------- 
sparc looks good too.

------- Comment #11 From Simon Stelling (RETIRED) 2005-03-29 07:20:20 0000 ------- 
too busy at the moment, sorry. have fun, kugelfang :)

------- Comment #12 From solar 2005-03-29 08:39:27 0000 ------- 
We patched up lark on the 24th for those of you wondering about our own cvs 
server using cvs-1.11.18-r1 (that will be the initial desired stable one)

if I'm not mistaken upstream has these fixes in cvs already and the comments in the log note the problems.

https://ccvs.cvshome.org/servlets/NewsItemView?newsItemID=133
1.11.19 should fix this (and we could almost push that to stable asap)

------- Comment #13 From Bryan Østergaard (RETIRED) 2005-03-29 10:44:16 0000 ------- 
Alpha is good.

------- Comment #14 From Jochen Maes (RETIRED) 2005-03-29 22:20:54 0000 ------- 
both look good on ppc

------- Comment #15 From Danny van Dyk (RETIRED) 2005-03-30 09:01:17 0000 ------- 
fine on amd64 :-) sorry for the delay

------- Comment #16 From Thierry Carrez (RETIRED) 2005-03-30 10:24:36 0000 ------- 
All supported arches reported it stable, waiting for disclosure date to commit
it directly with KEYWORDS="x86 ppc sparc ~mips alpha ~arm ~hppa amd64 ~ia64
ppc64 ~s390"

------- Comment #17 From Sune Kloppenborg Jeppesen 2005-04-13 10:42:17 0000 ------- 
disclosure date passed with no advisories. New disclosure date unknown.

Solar judging from CVS Changelog entries for 2005-03-17 some of the initial issues reported are not fixed in kclockwork patch but in the public CVS tree.

https://ccvs.cvshome.org/source/browse/ccvs/src/ChangeLog?rev=1.3170&content-type=text/vnd.viewcvs-markup

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-04-15 09:11:46 0000 ------- 
Pylon please advise on comment #17.

------- Comment #19 From Sune Kloppenborg Jeppesen 2005-04-15 09:16:11 0000 ------- 
Pylon, when you're at it, please also take a look at the following bug:

https://ccvs.cvshome.org/issues/show_bug.cgi?id=224

------- Comment #20 From Sune Kloppenborg Jeppesen 2005-04-15 14:17:06 0000 ------- 
Use CAN-2005-0753 for the buffer overflow issue.

------- Comment #21 From Sune Kloppenborg Jeppesen 2005-04-18 09:15:36 0000 ------- 
This is public with SUSE-SA:2005:024.

Solar/vapier/Pylon please commit.

------- Comment #22 From Sune Kloppenborg Jeppesen 2005-04-18 13:49:10 0000 ------- 
Thx to tigger we now have the fixed ebuild in Portage.

GLSA 200504-16 released.

mips, arm, hppa, ia64, s390 please remember to mark stable to benefit from GLSA.

------- Comment #23 From Sune Kloppenborg Jeppesen 2005-04-18 22:04:08 0000 ------- 
Handling remaining DoS issues from comment #17 and comment #19 on bug #89579.

------- Comment #24 From René Nussbaumer 2005-06-26 07:24:10 0000 ------- 
Already a newer version stable on hppa

------- Comment #25 From Joshua Kinard 2005-06-29 19:17:57 0000 ------- 
cvs-1.11.20 stable on mips.
First Last Prev Next    No search results available      Search page      Enter new bug