Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 86476 - dev-util/cvs several vulnerabilities
Summary: dev-util/cvs several vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-23 23:59 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-05-31 10:53 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
cvs-1.11.18-kclockwork.patch (cvs-1.11.18-kclockwork.patch,2.92 KB, patch)
2005-03-24 09:45 UTC, solar (RETIRED)
no flags Details | Diff
cvs-1.12.11-klocwork.patch (cvs-1.12.11-klocwork.patch,2.76 KB, patch)
2005-03-24 09:46 UTC, solar (RETIRED)
no flags Details | Diff
cvs-1.12.11-r1.ebuild (cvs-1.12.11-r1.ebuild,1.87 KB, text/plain)
2005-03-24 10:05 UTC, solar (RETIRED)
no flags Details
cvs-1.11.18-r1.ebuild (cvs-1.11.18-r1.ebuild,1.59 KB, text/plain)
2005-03-24 10:05 UTC, solar (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-23 23:59:36 UTC
Remote DoS and other issues are reported.
Comment 1 solar (RETIRED) gentoo-dev 2005-03-24 09:45:46 UTC
Created attachment 54351 [details, diff]
cvs-1.11.18-kclockwork.patch
Comment 2 solar (RETIRED) gentoo-dev 2005-03-24 09:46:46 UTC
Created attachment 54352 [details, diff]
cvs-1.12.11-klocwork.patch
Comment 3 solar (RETIRED) gentoo-dev 2005-03-24 09:47:47 UTC
cvs-1.11.18-kclockwork.patch  should be renamed to klocwork vs kclockwork
Comment 4 solar (RETIRED) gentoo-dev 2005-03-24 10:05:17 UTC
Created attachment 54354 [details]
cvs-1.12.11-r1.ebuild
Comment 5 solar (RETIRED) gentoo-dev 2005-03-24 10:05:55 UTC
Created attachment 54355 [details]
cvs-1.11.18-r1.ebuild
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 21:16:10 UTC
Please test and report results back on this bug. Do NOT commit anything yet. Calling specific testers as this bug is still not open. If anyone is not able to do it soon, please point at another tester from your arch team.

alpha -> kloeri
amd64 -> blubb
ppc -> SeJo
ppc64 -> corsair
sparc -> gustavoz
x86 -> tester

Also note that we have no maintainer for this package atm.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2005-03-28 21:43:39 UTC
Btw, is it pserver related, client/server? What parts needs testing? I haven't found any problem on x86 in my basic general testing.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-03-29 03:39:26 UTC
AFAICT it's various null dereferences fixes and mostly a buffer overflow in rcs.c when asking for a strange version or author. So general testing should be sufficient ?
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-03-29 05:09:47 UTC
looks good on ppc64.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-29 06:36:16 UTC
sparc looks good too.
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2005-03-29 07:20:20 UTC
too busy at the moment, sorry. have fun, kugelfang :)
Comment 12 solar (RETIRED) gentoo-dev 2005-03-29 08:39:27 UTC
We patched up lark on the 24th for those of you wondering about our own cvs 
server using cvs-1.11.18-r1 (that will be the initial desired stable one)

if I'm not mistaken upstream has these fixes in cvs already and the comments in the log note the problems.

https://ccvs.cvshome.org/servlets/NewsItemView?newsItemID=133
1.11.19 should fix this (and we could almost push that to stable asap)
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-29 10:44:16 UTC
Alpha is good.
Comment 14 Jochen Maes (RETIRED) gentoo-dev 2005-03-29 22:20:54 UTC
both look good on ppc
Comment 15 Danny van Dyk (RETIRED) gentoo-dev 2005-03-30 09:01:17 UTC
fine on amd64 :-) sorry for the delay
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-03-30 10:24:36 UTC
All supported arches reported it stable, waiting for disclosure date to commit it directly with KEYWORDS="x86 ppc sparc ~mips alpha ~arm ~hppa amd64 ~ia64 ppc64 ~s390"
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-13 10:42:17 UTC
disclosure date passed with no advisories. New disclosure date unknown.

Solar judging from CVS Changelog entries for 2005-03-17 some of the initial issues reported are not fixed in kclockwork patch but in the public CVS tree.

https://ccvs.cvshome.org/source/browse/ccvs/src/ChangeLog?rev=1.3170&content-type=text/vnd.viewcvs-markup
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-15 09:11:46 UTC
Pylon please advise on comment #17.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-15 09:16:11 UTC
Pylon, when you're at it, please also take a look at the following bug:

https://ccvs.cvshome.org/issues/show_bug.cgi?id=224
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-15 14:17:06 UTC
Use CAN-2005-0753 for the buffer overflow issue.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-18 09:15:36 UTC
This is public with SUSE-SA:2005:024.

Solar/vapier/Pylon please commit.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-18 13:49:10 UTC
Thx to tigger we now have the fixed ebuild in Portage.

GLSA 200504-16 released.

mips, arm, hppa, ia64, s390 please remember to mark stable to benefit from GLSA.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-18 22:04:08 UTC
Handling remaining DoS issues from comment #17 and comment #19 on bug #89579.
Comment 24 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 07:24:10 UTC
Already a newer version stable on hppa
Comment 25 Joshua Kinard gentoo-dev 2005-06-29 19:17:57 UTC
cvs-1.11.20 stable on mips.