Debian Security Advisory

DSA-117-1 cvs -- improper variable initialization

Date Reported:

05 Mar 2002

Affected Packages:

cvs

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2002-0092.

More information:

Kim Nielsen recently found an internal problem with the CVS server and reported it to the vuln-dev mailing list. The problem is triggered by an improperly initialized global variable. A user exploiting this can crash the CVS server, which may be accessed through the pserver service and running under a remote user id. It is not yet clear if the remote account can be exposed, though.

This problem has been fixed in version 1.10.7-9 for the stable Debian distribution with help of Niels Heinen and in versions newer than 1.11.1p1debian-3 for the testing and unstable distribution of Debian (not yet uploaded, though).

We recommend that you upgrade your CVS package.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:: http://security.debian.org/dists/stable/updates/main/source/cvs_1.10.7-9.dsc; http://security.debian.org/dists/stable/updates/main/source/cvs_1.10.7-9.diff.gz; http://security.debian.org/dists/stable/updates/main/source/cvs_1.10.7.orig.tar.gz
Architecture-independent component:: http://security.debian.org/dists/stable/updates/main/binary-all/cvs-doc_1.10.7-9_all.deb
Alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/cvs_1.10.7-9_alpha.deb
ARM:: http://security.debian.org/dists/stable/updates/main/binary-arm/cvs_1.10.7-9_arm.deb
Intel ia32:: http://security.debian.org/dists/stable/updates/main/binary-i386/cvs_1.10.7-9_i386.deb
Motorola 680x0:: http://security.debian.org/dists/stable/updates/main/binary-m68k/cvs_1.10.7-9_m68k.deb
PowerPC:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/cvs_1.10.7-9_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/cvs_1.10.7-9_sparc.deb

MD5 checksums of the listed files are available in the original advisory.