Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 47800

Summary: dev-util/cvs : 1.11.15 update contains security fixes
Product: Gentoo Security Reporter: gen2daniel <gen2daniel>
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Severity: normal CC: condordes, scandium
Priority: High Flags: condordes: Assigned_To? (condordes)
Version: unspecified   
Hardware: All   
OS: All   
Package list:
Runtime testing required: ---

Description gen2daniel 2004-04-14 08:35:46 UTC
Changes since 1.11.14:


* Piped checkouts of paths above $CVSROOT no longer work.  Previously, clients
  could have requested the contents of RCS archive files anywhere on a CVS


* Clients now check paths from the server to verify that they are within one of
  the sandboxes the user requested be updated.  Previously, a trojan server
  could have written or overwritten files anywhere the user had access,
  presenting a serious security risk.
Comment 1 Rainer Größlinger (RETIRED) gentoo-dev 2004-04-14 08:47:21 UTC
Hi, I already committed a cvs-1.11.15 ebuild about 5 minutes ago ;)
I was going to report this to our security guys but then I saw this bug already

I'd like to mark it stable on all archs later today if there are no objections.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-04-14 08:52:57 UTC
OK -- waiting for stable
Comment 3 Rainer Größlinger (RETIRED) gentoo-dev 2004-04-14 11:48:40 UTC
after doing the usual testing, it's now stable on all architectures
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-14 12:00:35 UTC
Excellent ... I'll start drafting a GLSA for this.
Comment 5 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-14 15:19:29 UTC
GLSA 200404-13.

Thanks Kurt for sending this one out, since I'm having problems with full-disclosure.