Bug 103661

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-24 22:03:46 UTC

*** Bug 103303 has been marked as a duplicate of this bug. ***

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-24 22:04:01 UTC

cvs-utils please verify and bump as needed. 

Comment 3 Robin Johnson 2005-08-24 23:21:26 UTC

in cvs now.

Comment 4 Markus Rothe (RETIRED) 2005-08-25 04:04:36 UTC

stable on ppc64

Comment 5 Ian Leitch (RETIRED) 2005-08-25 05:28:23 UTC

Stable on x86.

Comment 6 Gustavo Zacarias (RETIRED) 2005-08-25 07:07:41 UTC

sparc stable.

Comment 7 René Nussbaumer (RETIRED) 2005-08-25 11:01:17 UTC

Stable on hppa

Comment 8 Michael Hanselmann (hansmi) (RETIRED) 2005-08-25 11:24:07 UTC

Stable on ppc.

Comment 9 Fernando J. Pereda (RETIRED) 2005-08-25 12:44:55 UTC

Stable on the shiny alpha architecture :)

Cheers,
Ferdy

Comment 10 Marcus D. Hanwell (RETIRED) 2005-08-27 17:08:54 UTC

Stable on amd64 - sorry about the delay. 

Comment 11 Thierry Carrez (RETIRED) 2005-08-28 00:56:58 UTC

CAN-2005-2693
"It is possible that a malicious user could leverage this issue to execute
arbitrary instructions as the user running cvsbug."

Time to vote, I tend to vote yes (more impact than just overwriting a file with
garbage, though cvsbug use is a little unlikely).

Comment 12 Tavis Ormandy (RETIRED) 2005-08-30 09:21:41 UTC

vote NO, difficult to exploit.

impossible to predict when someone is going to run cvsbug, and even if you could 
social engineer a situation when you knew the precise time that someone was 
going to execute it and convince them that they had found a bug that needed to 
be reported, you still need to win a race condition.

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2005-08-30 12:24:48 UTC

I tend to vote NO. 

Comment 14 Thierry Carrez (RETIRED) 2005-08-31 00:30:04 UTC

Reversing YES to NO, and closing.

Comment 15 Hardave Riar (RETIRED) 2005-09-04 04:01:11 UTC

Stable on mips.