Debian: DSA-2108-1: New cvsnt package fixes arbitrary code execution

    Date14 Sep 2010
    CategoryDebian
    56
    Posted ByLinuxSecurity Advisories
    It has been discovered that in cvsnt, a multi-platform version of the original source code versioning system CVS, an error in the authentication code allows a malicious, unprivileged user, through the use of a specially crafted branch name, to gain write access to any
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2108-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                       Sébastien Delafond
    Sep 14, 2010                          http://www.debian.org/security/faq
    - - ------------------------------------------------------------------------
    
    Package        : cvsnt
    Vulnerability  : programming error
    Problem type   : remote
    Debian-specific: no
    CVE Id         : CVE-2010-1326
    Debian Bug     : 593884
    
    It has been discovered that in cvsnt, a multi-platform version of the
    original source code versioning system CVS, an error in the
    authentication code allows a malicious, unprivileged user, through the
    use of a specially crafted branch name, to gain write access to any
    module or directory, including CVSROOT itself. The attacker can then
    execute arbitrary code as root by modifying or adding administrative
    scripts in that directory.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 2.5.03.2382-3.3+lenny1.
    
    We recommend that you upgrade your cvsnt package.
    
    Upgrade instructions
    - ---------------------
    
    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian GNU/Linux 5.0 alias lenny
    - ---------------------------------
    
    Debian (stable)
    - ----------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1.dsc
        Size/MD5 checksum:     1214 753ba20f4b7c368e962eb304807241ba
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
        Size/MD5 checksum:   124606 f55d905fa0273040e2b3cd85896fb783
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382.orig.tar.gz
        Size/MD5 checksum:  6804247 c50c2d82aeb274a664d8d1cf53ccd0da
    
    Alpha architecture (DEC Alpha):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_alpha.deb
        Size/MD5 checksum:  1212408 2dbee6ffffe6801f2e3615ca7568cc59
    
    AMD64 architecture (AMD x86_64 (AMD64)):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_amd64.deb
        Size/MD5 checksum:  1131270 14e47c6454415fc3ca7d1ed19b7f8499
    
    ARM architecture (ARM):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_arm.deb
        Size/MD5 checksum:  1103540 0ea1b86c48efeefac554fa776d6d7579
    
    ARMEL architecture (ARM EABI):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_armel.deb
        Size/MD5 checksum:  1033786 7e67f45614b6f8e80c3fbef32fe9c218
    
    HP Precision architecture (HP PA RISC):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_hppa.deb
        Size/MD5 checksum:  1219736 96275b11153eb2744aa7d0af8d7b5484
    
    Intel IA-32 architecture (Intel ia32):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_i386.deb
        Size/MD5 checksum:  1085060 b6149560ad1931a5a6283d7263e3f41b
    
    Intel IA-64 architecture (Intel ia64):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_ia64.deb
        Size/MD5 checksum:  1503346 e29376097899808b63cc5b84bb1fd92c
    
    Big endian MIPS architecture (MIPS (Big Endian)):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_mips.deb
        Size/MD5 checksum:  1112122 6e21379182d6954685e411407662aca5
    
    Little endian MIPS architecture (MIPS (Little Endian)):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_mipsel.deb
        Size/MD5 checksum:  1115528 d276bde92371cde5b9a237d5f42514ca
    
    PowerPC architecture (PowerPC):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_powerpc.deb
        Size/MD5 checksum:  1219262 d4dacc1a62e87f4a0163047cadbcf2d9
    
    IBM S/390 architecture (IBM S/390):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_s390.deb
        Size/MD5 checksum:  1129298 7770a4dffef3c09c6352e63cd81442d7
    
    Sun Sparc architecture (Sun SPARC/UltraSPARC):
    
      http://security.debian.org/pool/updates/main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_sparc.deb
        Size/MD5 checksum:  1090472 210e12635e2f3fe27408d7021bddb4ea
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"13","type":"x","order":"1","pct":52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":16,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"8","type":"x","order":"3","pct":32,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.