| Summary: | <dev-util/subversion-1.6.4 Remote code execution in server and client (CVE-2009-2411) |
|---|---|
| Product: | Gentoo Security |
| Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | critical |
| CC: | arfrever, chainsaw, klieber, robbat2 |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt |
| Whiteboard: | A1 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
Description

Alex Legler (RETIRED), 2009-08-05 19:29:16 UTC

An updated ebuild is being prepared, we'll prestable after that. As usual, no commits to CVS please.

Created attachment 200289: subversion-1.6.4.ebuild

Created attachment 200290: subversion-1.6.4-r10.ebuild

The tarball can be downloaded from https://orac.ece.utexas.edu/pub/svn/1.6.4/ Username: svn Password: KEnuprE3

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:

- alpha: armin76, klausman
- amd64: keytoaster, tester
- hppa: jer
- ppc: josejx, ranger
- ppc64: josejx, ranger
- sparc: fmccor
- x86: fauli, maekke

Comment on attachment 200290 (subversion-1.6.4-r10.ebuild): Target is -r0.
In case it is not clear from above, the distfile can be fetched via wget --no-check-certificate https://svn:KEnuprE3@orac.ece.utexas.edu/pub/svn/1.6.4/moonlight/to-tigris/subversion-1.6.4.tar.bz2

Please handle this ASAP. Also cc'ing Kurt and Robin from infra.

amd64 ok

x86 looks ok too (the same tests fail as in the previous version)

HPPA is OK.

Public via $URL. Arches: Please allow me to reiterate the urgency of this bug.

dev-util/subversion-1.6.4{,-r10} is now in the tree.

ppc64 done

CVE-2009-2411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2411): Multiple integer overflows in the libsvn_delta library in Subversion before 1.5.7, and 1.6.x before 1.6.4, allow remote authenticated users and remote Subversion servers to execute arbitrary code via an svndiff stream with large windows that trigger a heap-based buffer overflow, a related issue to CVE-2009-2412.

ppc stable

alpha/arm/ia64/s390/sh/sparc stable

GLSA request filed.

GLSA 200908-05
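As an added defensive illustration (written for this page, not Subversion's own code or its fix for this CVE), the C below decodes the five variable-length integers of a version-0 svndiff window header (source offset, source length, target length, instruction length, new-data length) and rejects a window whose declared sizes would overflow the decoder or exceed a receiver-chosen cap before any buffer is sized from them. The cap MAX_WINDOW_LEN and the three sample windows are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver-chosen ceiling for any single window field (constructed; Subversion's
 * real limits differ). Bounding every field first is what keeps the later sums from wrapping. */
#define MAX_WINDOW_LEN ((uint64_t)1 << 20)
struct svndiff_window { uint64_t sview_offset, sview_len, tview_len, ins_len, newdata_len; };

/* Decode one svndiff varint: big-endian 7-bit groups, high bit set on every byte
 * but the last. Fails on truncation or on a value that would not fit in 64 bits. */
static bool decode_varint(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out)
{
    uint64_t v = 0;
    while (*pos < len) {
        uint8_t b = buf[(*pos)++];
        if (v > (UINT64_MAX >> 7)) return false;  /* next shift would overflow */
        v = (v << 7) | (b & 0x7f);
        if (!(b & 0x80)) { *out = v; return true; }
    }
    return false;  /* input ended in the middle of an integer */
}

/* Parse the five-field window header at the start of buf. Returns the header length
 * in bytes, or -1 if a field is malformed, exceeds the cap, or the window claims more
 * instruction/new-data bytes than the input actually holds. */
int parse_window_header(const uint8_t *buf, size_t len, struct svndiff_window *w)
{
    size_t pos = 0;
    uint64_t *field[5] = { &w->sview_offset, &w->sview_len, &w->tview_len,
                           &w->ins_len, &w->newdata_len };
    for (int i = 0; i < 5; i++)
        if (!decode_varint(buf, len, &pos, field[i])) return -1;
    if (w->sview_len > MAX_WINDOW_LEN || w->tview_len > MAX_WINDOW_LEN ||
        w->ins_len > MAX_WINDOW_LEN || w->newdata_len > MAX_WINDOW_LEN) return -1;
    if (w->sview_offset > UINT64_MAX - w->sview_len) return -1;  /* source range wraps */
    if (w->ins_len + w->newdata_len > len - pos) return -1;      /* both bounded: no wrap */
    return (int)pos;
}

/* Constructed samples: a valid window (instruction 0x85 = "copy 5 new bytes", then
 * "hello"); one whose tview_len is 2^35, decodable but over the cap; one whose
 * tview_len varint carries more 0xff continuation bytes than fit in 64 bits. */
const uint8_t GOOD_WINDOW[] = { 0x00, 0x00, 0x05, 0x01, 0x05, 0x85, 'h', 'e', 'l', 'l', 'o' };
const uint8_t HUGE_WINDOW[] = { 0x00, 0x00, 0x81, 0x80, 0x80, 0x80, 0x80, 0x00, 0x01, 0x05 };
const uint8_t OVERFLOW_WINDOW[] = { 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

int main(void) {
    struct svndiff_window w;
    printf("good=%d\n", parse_window_header(GOOD_WINDOW, sizeof GOOD_WINDOW, &w));
    printf("huge=%d overflow=%d\n", parse_window_header(HUGE_WINDOW, sizeof HUGE_WINDOW, &w),
           parse_window_header(OVERFLOW_WINDOW, sizeof OVERFLOW_WINDOW, &w));
}
```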