|Summary:||dev-util/cvs several vulnerabilities|
|Product:||Gentoo Security||Reporter:||Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||critical||CC:||corsair, gustavoz, kugelfang, pylon, sejo, tester|
|Whiteboard:||B1 [glsa] jaervosz|
|Package list:||Runtime testing required:||---|
Description Sune Kloppenborg Jeppesen (RETIRED) 2005-03-23 23:59:36 UTC
Remote DoS and other issues are reported.
Comment 1 solar (RETIRED) 2005-03-24 09:45:46 UTC
Created attachment 54351 [details, diff] cvs-1.11.18-kclockwork.patch
Comment 2 solar (RETIRED) 2005-03-24 09:46:46 UTC
Created attachment 54352 [details, diff] cvs-1.12.11-klocwork.patch
Comment 3 solar (RETIRED) 2005-03-24 09:47:47 UTC
cvs-1.11.18-kclockwork.patch should be renamed to klocwork vs kclockwork
Comment 4 solar (RETIRED) 2005-03-24 10:05:17 UTC
Created attachment 54354 [details] cvs-1.12.11-r1.ebuild
Comment 5 solar (RETIRED) 2005-03-24 10:05:55 UTC
Created attachment 54355 [details] cvs-1.11.18-r1.ebuild
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2005-03-28 21:16:10 UTC
Please test and report results back on this bug. Do NOT commit anything yet. Calling specific testers as this bug is still not open. If anyone is not able to do it soon, please point at another tester from your arch team. alpha -> kloeri amd64 -> blubb ppc -> SeJo ppc64 -> corsair sparc -> gustavoz x86 -> tester Also note that we have no maintainer for this package atm.
Comment 7 Olivier Crete (RETIRED) 2005-03-28 21:43:39 UTC
Btw, is it pserver related, client/server? What parts needs testing? I haven't found any problem on x86 in my basic general testing.
Comment 8 Thierry Carrez (RETIRED) 2005-03-29 03:39:26 UTC
AFAICT it's various null dereferences fixes and mostly a buffer overflow in rcs.c when asking for a strange version or author. So general testing should be sufficient ?
Comment 9 Markus Rothe (RETIRED) 2005-03-29 05:09:47 UTC
looks good on ppc64.
Comment 10 Gustavo Zacarias (RETIRED) 2005-03-29 06:36:16 UTC
sparc looks good too.
Comment 11 Simon Stelling (RETIRED) 2005-03-29 07:20:20 UTC
too busy at the moment, sorry. have fun, kugelfang :)
Comment 12 solar (RETIRED) 2005-03-29 08:39:27 UTC
We patched up lark on the 24th for those of you wondering about our own cvs server using cvs-1.11.18-r1 (that will be the initial desired stable one) if I'm not mistaken upstream has these fixes in cvs already and the comments in the log note the problems. https://ccvs.cvshome.org/servlets/NewsItemView?newsItemID=133 1.11.19 should fix this (and we could almost push that to stable asap)
Comment 13 Bryan Østergaard (RETIRED) 2005-03-29 10:44:16 UTC
Alpha is good.
Comment 14 Jochen Maes (RETIRED) 2005-03-29 22:20:54 UTC
both look good on ppc
Comment 15 Danny van Dyk (RETIRED) 2005-03-30 09:01:17 UTC
fine on amd64 :-) sorry for the delay
Comment 16 Thierry Carrez (RETIRED) 2005-03-30 10:24:36 UTC
All supported arches reported it stable, waiting for disclosure date to commit it directly with KEYWORDS="x86 ppc sparc ~mips alpha ~arm ~hppa amd64 ~ia64 ppc64 ~s390"
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-13 10:42:17 UTC
disclosure date passed with no advisories. New disclosure date unknown. Solar judging from CVS Changelog entries for 2005-03-17 some of the initial issues reported are not fixed in kclockwork patch but in the public CVS tree. https://ccvs.cvshome.org/source/browse/ccvs/src/ChangeLog?rev=1.3170&content-type=text/vnd.viewcvs-markup
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-15 09:11:46 UTC
Pylon please advise on comment #17.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-15 09:16:11 UTC
Pylon, when you're at it, please also take a look at the following bug: https://ccvs.cvshome.org/issues/show_bug.cgi?id=224
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-15 14:17:06 UTC
Use CAN-2005-0753 for the buffer overflow issue.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-18 09:15:36 UTC
This is public with SUSE-SA:2005:024. Solar/vapier/Pylon please commit.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-18 13:49:10 UTC
Thx to tigger we now have the fixed ebuild in Portage. GLSA 200504-16 released. mips, arm, hppa, ia64, s390 please remember to mark stable to benefit from GLSA.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) 2005-04-18 22:04:08 UTC
Handling remaining DoS issues from comment #17 and comment #19 on bug #89579.
Comment 24 René Nussbaumer (RETIRED) 2005-06-26 07:24:10 UTC
Already a newer version stable on hppa
Comment 25 Joshua Kinard 2005-06-29 19:17:57 UTC
cvs-1.11.20 stable on mips.