Home > Security > Advisories


Mandriva Advisories

Package name cvs
Date January 20th, 2003
Advisory ID MDKSA-2003:009
Affected versions 7.2, 8.0, 8.1, 8.2, 9.0
Synopsis Updated cvs packages fix multiple vulnerabilities

Problem Description

Two vulnerabilities were discoverd by Stefen Esser in the cvs program.
The first is an exploitable double free() bug within the server, which
can be used to execute arbitray code on the CVS server. To accomplish
this, the attacker must have an anonymous read-only login to the CVS
server. The second vulnerability is with the Checkin-prog and
Update-prog commands. If a client has write permission, he can use
these commands to execute programs outside of the scope of CVS, the
output of which will be sent as output to the client.

This update fixes the double free() vulnerability and removes the
Checkin-prog and Update-prog commands from CVS.

Updated Packages

Mandrakelinux 7.2

 00c5fa0ceb118e8945e19fc232dfbedc  7.2/RPMS/cvs-1.11.4-2.2mdk.i586.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  7.2/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 8.0

 bfcbd6affe1d5e3d6c67f3aedca5b03b  8.0/RPMS/cvs-1.11.4-2.2mdk.i586.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  8.0/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 8.0/PPC

 7e11ceed860517f48e8bd574f852f05f  ppc/8.0/RPMS/cvs-1.11.4-2.2mdk.ppc.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  ppc/8.0/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 8.1

 241c53a0b942290653ae85c3b577777c  8.1/RPMS/cvs-1.11.4-2.2mdk.i586.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  8.1/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 8.1/IA64

 85da2f450c0e1f5d6cb68f6930ffdb04  ia64/8.1/RPMS/cvs-1.11.4-2.2mdk.ia64.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  ia64/8.1/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 8.2

 e9f65908d466277ccff091613dc9884d  8.2/RPMS/cvs-1.11.4-2.2mdk.i586.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  8.2/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 8.2/PPC

 a3c6bd3cf63d1595303f6084c02132ec  ppc/8.2/RPMS/cvs-1.11.4-2.2mdk.ppc.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  ppc/8.2/SRPMS/cvs-1.11.4-2.2mdk.src.rpm

Mandrakelinux 9.0

 1099ed2410db9d689c1001ce2c8faf64  9.0/RPMS/cvs-1.11.4-2.2mdk.i586.rpm
3555ee8fcbb21c5c7954c3cc0fe9cf4d  9.0/SRPMS/cvs-1.11.4-2.2mdk.src.rpm




To upgrade automatically, use MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.