Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200404-13 ] CVS Server and Client Vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Moderator
Moderator


Joined: 13 Jun 2003
Posts: 4078
Location: Barcelona, Spain

PostPosted: Wed Apr 14, 2004 10:11 pm    Post subject: [ GLSA 200404-13 ] CVS Server and Client Vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: CVS Server and Client Vulnerabilities (GLSA 200404-13)
Severity: normal
Exploitable: remote
Date: April 14, 2004
Updated: May 22, 2006
Bug(s): #47800
ID: 200404-13

Synopsis

There are two vulnerabilities in CVS; one in the server and one in the client. These vulnerabilities allow the reading and writing of arbitrary files on both client and server.

Background

CVS, which stands for Concurrent Versions System, is a client/server application which tracks changes to sets of files. It allows multiple users to work concurrently on files, and then merge their changes back into the main tree (which can be on a remote system). It also allows branching, or maintaining separate versions for files.

Affected Packages

Package: dev-util/cvs
Vulnerable: <= 1.11.14
Unaffected: >= 1.11.15
Architectures: All supported architectures


Description

There are two vulnerabilities in CVS; one in the server and one in the client. The server vulnerability allows a malicious client to request the contents of any RCS file to which the server has permission, even those not located under $CVSROOT. The client vulnerability allows a malicious server to overwrite files on the client machine anywhere the client has permissions.

Impact

Arbitrary files may be read or written on CVS clients and servers by anybody with access to the CVS tree.

Workaround

There is no known workaround at this time. All users are encouraged to upgrade to the latest stable version of CVS.

Resolution

All CVS users should upgrade to the latest stable version.
Code:
# emerge sync
# emerge -pv ">=dev-util/cvs-1.11.15"
# emerge ">=dev-util/cvs-1.11.15"


References

CVS commit log
CVE-2004-0180
CVE-2004-0405


Last edited by GLSA on Tue May 23, 2006 4:16 am; edited 2 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum