| Summary: | dev-vcs/cvs: Heap Overflow Vulnerability (CVE-2010-3846) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | blueness, cvs-utils+obsolete |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66&sortby=rev | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Tim Sammut (RETIRED)
2010-11-04 00:56:39 UTC
I'll get it right sooner or later... Sorry for the spam.

This looks to be an issue we'll need to patch ourselves. The upstream commit is at $URL.

- The securityfocus report says only CVS-1.11.23, and nothing about CVS-1.12.12.
- The patch linked here IS only for 1.11.23, none of the variables or code it touches even exist in the 1.12.x series. The code also didn't exist in 1.11.22.

Thanks, Robin, for looking into this. Closing this bug as INVALID since it doesn't appear that we had the vulnerable package in the tree.