CVS Client RCS Diff File Corruption Vulnerability

CVS Client RCS Diff File Corruption Vulnerability

Solution:
The vendor has released updates to address this and other issues. Fixes are linked below.

SGI has released an advisory 20040404-01-U and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes. Fixes are linked below.

FreeBSD has released an advisory (FreeBSD-SA-04:07.cvs) and patches to address this issue. FreeBSD users are advised to apply these patches as soon as possible. Further information regarding obtaining and applying patches can be found in the referenced advisory. Patches are linked below.

Red Hat has released an advisory (RHSA-2004:154-06) and fixes to address this issue. Red Hat users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

OpenPKG has released an advisory (OpenPKG-SA-2004.013) and fixes to address this issue. OpenPKG users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory. Fixes are linked below.

Red Hat has released an advisory (RHSA-2004:153-07) and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

SuSE has released an advisory (SuSE-SA:2004:008) and fixes to address this issue. SuSE users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

Red Hat has released an advisory (RHSA-2004:154-01) and fixes to address this issue. Red Hat users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

Mandrake has released an advisory (MDKSA-2004:028) and fixes to address this issue. Mandrake users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

Gentoo has released an advisory GLSA 200404-13 to address this and another issue. Please see the referenced advisory for more information.

Gentoo users are advised to carry out the following commands to update their systems:
# emerge sync
# emerge -pv ">=dev-util/cvs-1.11.15"
# emerge ">=dev-util/cvs-1.11.15"

Debian has released advisory DSA 486-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Netwosix has released an advisory LNSA-#2004-0011 with fix information to address this and another issue in CVS. Please see the referenced advisory for more information.

Slackware has released an advisory SSA:2004-108-02 with fix information to address this and another issue in CVS. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2004:153-09 for their enterprise distribution dealing with this and other issues. Please see the referenced advisory for more information and details on obtaining fixes.

OpenBSD users are urged to follow the instructions contained in the patch files to update their CVS binaries.

Red Hat Fedora has released advisory FEDORA-2004-110 dealing with this issue. Please see the referenced advisory for further information.

SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI
ProPack 3 to address this and other issues. Please see the referenced
advisory for more information.

Turbolinux has released advisory TLSA-2004-15 dealing with this issue. Please see the referenced advisory for further information.

Red Hat Fedora Legacy advisory FLSA-2004:1620 has been released dealing with this and other issues for Red Hat 7.3 and 9.0. Please see the referenced advisory for more information.

An upgrade for CVS on the Immunix Linux platform has been released.

Red Hat Fedora Core1

Fedora cvs-1.11.15-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /cvs-1.11.15-1.i386.rpm

Fedora cvs-1.11.15-1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/x86_ 64/cvs-1.11.15-1.x86_64.rpm

Fedora cvs-debuginfo-1.11.15-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /debug/cvs-debuginfo-1.11.15-1.i386.rpm

Fedora cvs-debuginfo-1.11.15-1.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/x86_ 64/debug/cvs-debuginfo-1.11.15-1.x86_64.rpm

CVS CVS 1.11

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

CVS CVS 1.11.1 p1

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

Debian cvs_1.11.1p1debian-9woody2_alpha.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_alpha.deb

Debian cvs_1.11.1p1debian-9woody2_arm.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_arm.deb

Debian cvs_1.11.1p1debian-9woody2_hppa.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_hppa.deb

Debian cvs_1.11.1p1debian-9woody2_i386.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_i386.deb

Debian cvs_1.11.1p1debian-9woody2_ia64.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_ia64.deb

Debian cvs_1.11.1p1debian-9woody2_m68k.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_m68k.deb

Debian cvs_1.11.1p1debian-9woody2_mips.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_mips.deb

Debian cvs_1.11.1p1debian-9woody2_mipsel.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_mipsel.deb

Debian cvs_1.11.1p1debian-9woody2_powerpc.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_powerpc.deb

Debian cvs_1.11.1p1debian-9woody2_s390.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_s390.deb

Debian cvs_1.11.1p1debian-9woody2_sparc.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9woody2_sparc.deb

OpenBSD 002_cvs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch

OpenBSD 017_cvs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/017_cvs.patch

OpenBSD 022_cvs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch

RedHat cvs-1.11.1p1-14.legacy.3.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cvs-1.11.1p1- 14.legacy.3.i386.rpm

SuSE cvs-1.11.1p1-326.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/cvs-1.11.1p1-326.i386.p atch.rpm

SuSE cvs-1.11.1p1-326.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cvs-1.11.1p1-326. i586.patch.rpm

SuSE cvs-1.11.1p1-326.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/cvs-1.11.1p1-326.i386.r pm

SuSE cvs-1.11.1p1-326.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cvs-1.11.1p1-326. i586.rpm

CVS CVS 1.11.1

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

CVS CVS 1.11.10

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

CVS CVS 1.11.11

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

Mandrake cvs-1.11.14-0.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

CVS CVS 1.11.14

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

CVS CVS 1.11.2

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

RedHat cvs-1.11.2-23.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cvs-1.11.2-23.l egacy.i386.rpm

CVS CVS 1.11.3

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

CVS CVS 1.11.4

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

CVS CVS 1.11.5

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

Mandrake cvs-1.11.14-0.1.91mdk.i586.rpm
Mandrake Linux 9.1
http://www.mandrakesecure.net/en/ftp.php

Mandrake cvs-1.11.14-0.1.91mdk.ppc.rpm
Mandrake Linux 9.1/PPC
http://www.mandrakesecure.net/en/ftp.php

Mandrake cvs-1.11.14-0.1.C21mdk.i586.rpm
Mandrake Corporate Server 2.1
http://www.mandrakesecure.net/en/ftp.php

Mandrake cvs-1.11.14-0.1.C21mdk.x86_64.rpm
Mandrake Corporate Server 2.1/X86_64
http://www.mandrakesecure.net/en/ftp.php

Slackware cvs-1.11.15-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/c vs-1.11.15-i386-1.tgz

SuSE cvs-1.11.5-103.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-103.i5 86.patch.rpm

SuSE cvs-1.11.5-103.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-103.i5 86.rpm

CVS CVS 1.11.6

CVS cvs-1.11.15.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=466

Mandrake cvs-1.11.14-0.1.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake cvs-1.11.14-0.1.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php

Slackware cvs-1.11.15-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/c vs-1.11.15-i486-1.tgz

SuSE cvs-1.11.6-78.x86_64.patch.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-78 .x86_64.patch.rpm

SuSE cvs-1.11.6-79.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-79.i58 6.patch.rpm

SuSE cvs-1.11.6-78.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-78 .x86_64.rpm

SuSE cvs-1.11.6-79.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-79.i58 6.rpm

CVS CVS 1.12.1

CVS cvs-1.12.7.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=468

CVS CVS 1.12.2

CVS cvs-1.12.7.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=468

CVS CVS 1.12.5

CVS cvs-1.12.7.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=468

OpenPKG cvs-1.12.5-2.0.1.src.rpm
OpenPKG 2.0
ftp://ftp.openpkg.org/release/2.0/UPD/cvs-1.12.5-2.0.1.src.rpm

SGI ProPack 2.3

SGI patch10067.tar.gz
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/patch1 0067.tar.gz

SGI ProPack 2.4

SGI patch10067.tar.gz
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/patch1 0067.tar.gz

SGI ProPack 3.0

SGI patch10075.tar.gz
ftp://patches.sgi.com/support/free/security/patches/ProPack/3/

FreeBSD FreeBSD 4.8 -RELENG

FreeBSD cvs.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch

FreeBSD FreeBSD 4.8 -PRERELEASE

FreeBSD cvs.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch

FreeBSD FreeBSD 4.8 -RELEASE-p7

FreeBSD cvs.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch

FreeBSD FreeBSD 4.8

FreeBSD cvs.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch

FreeBSD FreeBSD 4.9

FreeBSD cvs.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch

FreeBSD FreeBSD 4.9 -PRERELEASE

FreeBSD cvs.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch