
Bug 344057 (CVE-2010-3846)

Summary: dev-vcs/cvs: Heap Overflow Vulnerability (CVE-2010-3846)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: blueness, cvs-utils+obsolete
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66&sortby=rev
Whiteboard:
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-04 00:56:39 UTC
From http://www.securityfocus.com/bid/44528/discuss:

CVS is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

A local attacker can exploit this issue by storing a malicious RCS file in the CVS repository, and enticing an unsuspecting user to update their CVS repository tree with the file.

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the user running the vulnerable application. Failed attempts will result in denial-of-service conditions.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-04 01:00:36 UTC
I'll get it right sooner or later... Sorry for the spam.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-03 07:48:30 UTC
This looks to be an issue we'll need to patch ourselves. The upstream commit is at $URL.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-12-06 20:29:19 UTC
- The securityfocus report says only CVS-1.11.23, and nothing about CVS-1.12.12.
- The patch linked here IS only for 1.11.23, none of the variables or code it touches even exist in the 1.12.x series. The code also didn't exist in 1.11.22.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2010-12-07 02:25:56 UTC
Thanks, Robin, for looking into this. Closing this bug as INVALID since it doesn't appear that we had the vulnerable package in the tree.