From http://www.securityfocus.com/bid/44528/discuss: CVS is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer. A local attacker can exploit this issue by storing a malicious RCS file in the CVS repository, and enticing an unsuspecting user to update their CVS repository tree with the file. Successful exploitation allows the attacker to execute arbitrary code with the privileges of the user running the vulnerable application. Failed attempts will result in denial-of-service conditions.
I'll get it right sooner or later... Sorry for the spam.
This looks to be an issue we'll need to patch ourselves. The upstream commit is at $URL.
- The securityfocus report says only CVS-1.11.23, and nothing about CVS-1.12.12.
- The patch linked here IS only for 1.11.23; none of the variables or code it touches even exist in the 1.12.x series. The code also didn't exist in 1.11.22.
Thanks, Robin, for looking into this. Closing this bug as INVALID since it doesn't appear that we had the vulnerable package in the tree.