Bug 386305 - dev-vcs/cvs: heap-based buffer overflow (CVE-2010-3846)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [noglsa]
Reported: 2011-10-08 13:54 UTC by GLSAMaker/CVETool Bot
Modified: 2014-06-19 16:29 UTC


Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:54:24 UTC
CVE-2010-3846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3846):
  Array index error in the apply_rcs_change function in rcs.c in CVS 1.11.23
  allows local users to gain privileges via an RCS file containing crafted
  delta fragment changes that trigger a heap-based buffer overflow.


Please punt vulnerable versions.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-10-08 19:10:51 UTC
cvs-1.11 is kept in the tree for users in environments where the server has not been upgraded to cvs-1.12. 

I can p.mask it if that's acceptable?
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:33:08 UTC
Sure.
Comment 3 Agostino Sarubbo gentoo-dev 2013-08-29 16:10:36 UTC
1.11 is masked. Could this go to the glsa request?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-03-31 16:36:22 UTC
Ago, not ignoring you; we (Security) are evaluating Legacy GLSA requests.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2014-06-19 16:24:33 UTC
This was actually patched long before this bug was ever opened.
Please change your security flags on it. I only noticed now when I was about to treeclean this version that it was never vulnerable in the first place.

*cvs-1.11.23 (10 Feb 2011)

  10 Feb 2011; Fabian Groffen <grobian@gentoo.org> +cvs-1.11.23.ebuild,
  +files/cvs-1.11.23-CVE-2010-3846.patch, +files/cvs-1.11.23-getline64.patch:
  Add latest officially released version of CVS. The 1.11 branch is the only
  that actually behaves on most Prefix platforms, all other versions are 
  masked. For this reason, only Prefix keywords have been added, as it is
  mainly intended for them.  Bug #313799
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-19 16:29:12 UTC
Okay then. Closing.