CVE-2010-3846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3846): Array index error in the apply_rcs_change function in rcs.c in CVS 1.11.23 allows local users to gain privileges via an RCS file containing crafted delta fragment changes that trigger a heap-based buffer overflow. Please punt vulnerable versions.
cvs-1.11 is kept in the tree for users in environments where the server has not been upgraded to cvs-1.12. I can p.mask it if that's acceptable?
Sure.
1.11 is masked. Could this go to the glsa request?
Ago, not ignoring you; we (Security) are evaluating Legacy GLSA requests.
This was actually patched long before this bug was ever opened. Please change your security flags on it. I only noticed now when I was about to treeclean this version that it was never vulnerable in the first place.

*cvs-1.11.23 (10 Feb 2011)

  10 Feb 2011; Fabian Groffen <grobian@gentoo.org> +cvs-1.11.23.ebuild,
  +files/cvs-1.11.23-CVE-2010-3846.patch, +files/cvs-1.11.23-getline64.patch:
  Add latest officially released version of CVS. The 1.11 branch is the only
  that actually behaves on most Prefix platforms, all other versions are
  masked. For this reason, only Prefix keywords have been added, as it is
  mainly intended for them. Bug #313799
Okay then. Closing.