Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 53408

Summary: dev-util/cvs More vulnerabilities
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: scandium, wschlich
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://security.e-matters.de/advisories/092004.html
Whiteboard: B1 [stable]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2004-06-09 07:02:10 UTC
Stefan Esser discovered more bugs in CVS see link for further info.
Comment 1 solar (RETIRED) gentoo-dev 2004-06-09 07:06:41 UTC
    Advisory: More CVS remote vulnerabilities
 Release Date: 2004/06/09
Last Modified: 2004/06/09
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: CVS feature release <= 1.12.8
               CVS stable release  <= 1.11.16
     Severity: Vulnerabilities within CVS allow remote compromise of
               CVS servers.
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
    Reference: http://security.e-matters.de/advisories/092004.html
Comment 2 solar (RETIRED) gentoo-dev 2004-06-09 07:14:57 UTC
*** Bug 53411 has been marked as a duplicate of this bug. ***
Comment 3 solar (RETIRED) gentoo-dev 2004-06-09 08:37:48 UTC
From: 	Stefan Esser <s.esser@e-matters.de>
To: 	Ned Ludd <solar@gentoo.org>
Subject: 	Re: [Full-Disclosure] Advisory 09/2004: More CVS remote vulnerabilities
Date: 	Wed, 9 Jun 2004 17:19:11 +0200	
> For the sake of clarity could you state exactly which version(s) are
> fixed.
> 
> cvshome seems to have no >=1.11.17 for a stable branch.
> 

The problem is that a coordinated release was planned for today 13:00 GMT
but obvioulsy Derek Robert Price forgot to put them up. Meanwhile I have
heard that within the next 60 minutes the new versions are out.

Stefan Esser
Comment 4 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-09 08:41:34 UTC
I will immediatly test and put it into the tree then.
Comment 5 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-09 10:56:46 UTC
cvs-1.11.17 committed.
Stable on x86, ~ on all other architectures.

Please test and mark stable asap, I'd like to remove <=1.11.16 from the tree then.
Comment 6 Guy Martin (RETIRED) gentoo-dev 2004-06-09 11:28:30 UTC
Stable on hppa.
Comment 7 Ciaran McCreesh 2004-06-09 12:19:09 UTC
mips, sparc stable
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-06-09 12:23:16 UTC
CAN numbers :

CAN-2004-0414 - no-null-termination of "Entry" lines
CAN-2004-0416 - error_prog_name "double-free()"
CAN-2004-0417 - Argument integer overflow
CAN-2004-0418 - serve_notify() out of bounds writes
Comment 9 Jay Maynard (RETIRED) gentoo-dev 2004-06-09 12:34:25 UTC
Stable on Alpha.
Comment 10 Danny van Dyk (RETIRED) gentoo-dev 2004-06-09 12:53:52 UTC
stable on amd64.
Comment 11 Luca Barbato gentoo-dev 2004-06-09 14:12:21 UTC
Marked ppc
Comment 12 Jason Wever (RETIRED) gentoo-dev 2004-06-09 17:22:56 UTC
Note that if you have the doc useflag set, the ebuild will currently fail to download all of the files as the .ps version of the cederqvist doc redirects you to a secure website.  Even though wget was built with ssl support, it gives the following error;

>>> Downloading http://ccvs.cvshome.org/files/documents/19/196/cederqvist-1.11.17.ps
https: Unknown host


Granted this isn't a show stopper but I thought people should be aware.  I'm not on the CC so if you want to reply to me either add me or do it offline.  Cheers
Comment 13 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-09 17:36:28 UTC
wget http://ccvs.cvshome.org/files/documents/19/196/cederqvist-1.11.17.ps

The above works for me.
I also dislike cvs' new site which changed directory paths so each file has its own number and the redirect to https/443 but I'm afraid currently we can't do much about it.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-06-10 02:28:30 UTC
The ebuild in CVS is still ~amd64. I suppose the stable keyword was lost somewhere.
amd64 please confirm...

Once amd64 is confirmed the GLSA is ready to go.
Comment 15 Danny van Dyk (RETIRED) gentoo-dev 2004-06-10 03:14:43 UTC
Confirming... i'm just still wondering why and how i forgot to commit ?!?
[I double checked, it's really in now ;-) ]
Comment 16 Kurt Lieber (RETIRED) gentoo-dev 2004-06-10 12:55:49 UTC
glsa 200406-06
Comment 17 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-10 13:07:04 UTC
Still not stable on arm, ia64, ppc64 and s390.

Will hunt down some individuals now ;-)
Comment 18 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-10 13:16:46 UTC
stable on arm and ia64
Comment 19 Rainer Größlinger (RETIRED) gentoo-dev 2004-06-13 08:47:03 UTC
cvs-1.11.17 stable on all architectures now