MDKSA-2003:112-1

Package name

cvs

Date

2003-12-10

Advisory ID

MDKSA-2003:112-1

Affected versions

9.2 i586 , 9.1 i586 , 9.1 i586 , 9.2 amd64

Problem description

A vulnerability was discovered in the CVS server < 1.11.10 where a malformed module request could cause the CVS server to attempt to create directories and possibly files at the root of the filesystem holding the CVS repository. Updated packages are available that fix the vulnerability by providing CVS 1.11.10 on all supported distributions. Update: The previous updates had an incorrect temporary directory hard-coded in the cvs binary for 9.1 and 9.2. This update corrects the problem.

Updated packages

9.2 i586

 40cb9ef455fa6691dd83c825cb9b7187  9.2/RPMS/cvs-1.11.10-0.2.92mdk.i586.rpm
462be325ab3b81b3d66d3b50667299e0  9.2/SRPMS/cvs-1.11.10-0.2.92mdk.src.rpm

9.1 i586

 fe0c799fdb5958ff751550217049e8c1  ppc/9.1/RPMS/cvs-1.11.10-0.2.91mdk.ppc.rpm
23a8af158abeff53dee68134f1f74e9b  ppc/9.1/SRPMS/cvs-1.11.10-0.2.91mdk.src.rpm

9.1 i586

 e16e571b0c94bb8c90b2e3f620975845  9.1/RPMS/cvs-1.11.10-0.2.91mdk.i586.rpm
23a8af158abeff53dee68134f1f74e9b  9.1/SRPMS/cvs-1.11.10-0.2.91mdk.src.rpm

9.2 amd64

 240882a2e931d5aa7fd4df58470e0c42  amd64/9.2/RPMS/cvs-1.11.10-0.2.92mdk.amd64.rpm
462be325ab3b81b3d66d3b50667299e0  amd64/9.2/SRPMS/cvs-1.11.10-0.2.92mdk.src.rpm

References

• http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977