Debian Security Advisory

DSA-117-1 cvs -- improper variable initialization

Date Reported:
05 Mar 2002
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2002-0092.
More information:

Kim Nielsen recently found an internal problem with the CVS server and reported it to the vuln-dev mailing list. The problem is triggered by an improperly initialized global variable. A user exploiting this can crash the CVS server, which may be accessed through the pserver service and running under a remote user id. It is not yet clear if the remote account can be exposed, though.

This problem has been fixed in version 1.10.7-9 for the stable Debian distribution with help of Niels Heinen and in versions newer than 1.11.1p1debian-3 for the testing and unstable distribution of Debian (not yet uploaded, though).

We recommend that you upgrade your CVS package.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Architecture-independent component:
Intel ia32:
Motorola 680x0:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.