Bug 51460

Summary: dev-util/cvs<=1.11.15 remote heap overflow
Product: Gentoo Security
Reporter: Nilanjan De <n2n>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Severity: critical
CC: scandium
Priority: High
Flags: koon: Assigned_To? (koon)
Version: unspecified
Hardware: All
OS: All
Package list:
Runtime testing required: ---

Description Nilanjan De 2004-05-19 08:50:38 UTC
Application: CVS feature release <= 1.12.7
             CVS stable release <= 1.11.15
Severity: A vulnerability within CVS allows remote compromise of CVS servers.
Risk: Critical
CVE Information: CAN-2004-0396

Workaround: Upstream vendor has supposedly released a patched version.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 08:56:16 UTC
Fix in 1.11.16
scandium: could you please bump to that version? Thanks
Comment 2 Rainer Größlinger (RETIRED) gentoo-dev 2004-05-19 09:35:20 UTC
cvs-1.11.16 is in the tree now, but still ~ on all archs besides x86.
Comment 3 Rainer Größlinger (RETIRED) gentoo-dev 2004-05-19 09:40:28 UTC
Architecture people, please mark cvs-1.11.16 stable as soon as possible, thank you.
Comment 4 Guy Martin (RETIRED) gentoo-dev 2004-05-19 10:33:08 UTC
Marked stable on hppa.
Comment 5 Ciaran McCreesh 2004-05-19 12:57:21 UTC
sparc, mips done
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-05-19 13:04:43 UTC
Stable on alpha.
Comment 7 Jon Portnoy (RETIRED) gentoo-dev 2004-05-19 13:22:58 UTC
Stable on amd64
Comment 8 Lars Weiler (RETIRED) gentoo-dev 2004-05-19 14:21:12 UTC
Stable on ppc.

Our very own cvs-server has already been updated, too.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 14:23:21 UTC
Ready for a GLSA
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-05-20 10:01:03 UTC
GLSA drafted
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-05-20 11:41:03 UTC
GLSA 200405-12
Comment 12 Michael McCabe (RETIRED) gentoo-dev 2004-05-20 18:03:51 UTC
Stable on s390
Comment 13 Rainer Größlinger (RETIRED) gentoo-dev 2004-05-21 05:00:24 UTC
missed ppc64 :)
Comment 14 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-02 14:17:07 UTC
It is still not stable on ia64, ppc64 and arm.

Would be nice if those people could look at it and mark >=1.11.16 stable.
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-06-02 18:46:41 UTC
stable on ppc64
Comment 16 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-07 16:02:26 UTC
ppc64 stabled by tgall
arm stabled by vapier

ia64 still missing :(
Comment 17 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-09 08:15:33 UTC
stable on ia64 by agriffis
Comment 18 solar (RETIRED) gentoo-dev 2004-06-09 10:22:50 UTC
We might want to hold off on the GLSA on this one. More vulns were found in cvs, see bug #53408.
Comment 19 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-09 10:26:42 UTC
solar, the GLSA for this has already been sent out on May 20th.