I found a heap buffer overflow in the cvs client when parsing a malformed proxy response to a CONNECT request, which triggers glibc's internal memory check and SIGABRT, or causes a segfault, or, under some circumstances, can lead to arbitrary code execution. Because HTTP proxy support was added in cvs-1.12, older releases are not vulnerable. This vulnerability is known as CVE-2012-0804 and has been public since 2012-02-06. See <https://bugzilla.redhat.com/show_bug.cgi?id=784141> for more details. The CVS developer is aware of this issue; he approved the proposed patch but has not yet committed it into the CVS development tree. I could provide a reproducer if you wish. I confirmed this vulnerability on x86 with =dev-vcs/cvs-1.12.12-r6.
The proposed patch from the Red Hat bug: https://bugzilla.redhat.com/attachment.cgi?id=559993&action=diff&context=patch&collapsed=&headers=1&format=raw
CVE-2012-0804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0804): Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response.
We still don't seem to carry the patch for this issue, and I have been unable to find a release containing it. I propose to patch the current CVS version to fix this issue, as no new release seems likely at this point.
Red Hat patch: https://bugzilla.redhat.com/show_bug.cgi?id=784141. Affected versions are still in tree with no patch.
I've opened a pull request, https://github.com/gentoo/gentoo/pull/2627, which in particular adds the Red Hat patch.
Thanks to Felix and everyone involved in the bump! @ Arches, please mark stable: =dev-vcs/cvs-1.12.12-r11 Stable target(s): alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
amd64 stable
x86 stable
Stable on alpha.
arm stable
ppc stable
ppc64 stable
Stable for HPPA.
sparc stable
ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201701-44 at https://security.gentoo.org/glsa/201701-44 by GLSA coordinator Thomas Deutschmann (whissi).