• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

CVS Malformed Request System Root File Creation Vulnerability

Solution:
Version 1.11.10 has been released to address this issue.

SGI has released an advisory 20040202-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information. Fixes are available below.

Red Hat has released security advisory RHSA-2004:003-01 and fixes to address this issue. See referenced advisory for additional details.

Gentoo has released an advisory (200312-04) to address this issue. All Gentoo Linux systems that have cvs installed should be updated to use cvs-1.11.10 or higher as follows:
emerge sync
emerge -pv '>=dev-util/cvs-1.11.10'
emerge '>=dev-util/cvs-1.11.10'
emerge clean

Mandrake has released security advisory MDKSA-2003:112-1 to address this issue as well as a problem in the updates included in MDKSA-2003:112. See referenced advisory for additional details.

Slackware has released security advisory SSA:2003-345-01 to address this issue. See referenced advisory for additional details.

OpenPKG has released security advisory OpenPKG-SA-2003.052 to address this issue. See referenced advisory for additional details.

TurboLinux has released advisory TLSA-2003-69 with fixes to address this issue.

Debian has released advisory DSA-422-1 with fixes to address this issue.

RedHat has released advisory RHSA-2004:003-04 with fixes to address this issue. Please see the web reference for more information.

Conectiva has issued advisory CLA-2004:808 to address this issue.

RedHat has released advisory RHSA-2004:004-05 with fixes to address this issue. Please see the web reference for more information.

SGI has released an advisory 20040103-01-U with fixes to address this and other issues. Please see the referenced advisory for more information.

RedHat has released an advisory FLSA:1207 with fixes to address this issue. Please see the referenced advisory for more information.

OpenBSD users are urged to follow the instructions contained in the patch files to update their CVS binaries.


RedHat cvs-1.11.2-10.i386.rpm

• Red Hat cvs-1.11.2-13.i386.rpm
  ftp://updates.redhat.com/9/en/os/i386/cvs-1.11.2-13.i386.rpm

CVS CVS 1.10.6

• TurboLinux cvs-1.12.4-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/ updates/RPMS/cvs-1.12.4-1.i386.rpm


• TurboLinux cvs-1.12.4-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/upd ates/RPMS/cvs-1.12.4-1.i386.rpm


• TurboLinux cvs-1.12.4-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6. 0/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm

CVS CVS 1.10.7

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384

CrossWind CyberScheduler 1.10.7

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384

CVS CVS 1.10.8

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384

CVS CVS 1.11

• Conectiva cvs-1.11-22818U90_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/cvs-1.11-22818U90_2cl.i386. rpm


• Conectiva cvs-1.11-9U80_5cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-1.11-9U80_5cl.i386.rpm


• Conectiva cvs-doc-1.11-22818U90_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/9/RPMS/cvs-doc-1.11-22818U90_2cl.i 386.rpm


• Conectiva cvs-doc-1.11-9U80_5cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-doc-1.11-9U80_5cl.i386. rpm


• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384

CVS CVS 1.11.1 p1

• Conectiva cvs-1.11.1p1-306.i586.rpm
  ftp://ul.conectiva.com.br/updates/1.0/RPMS.core/cvs-1.11.1p1-306.i586. rpm


• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384


• Debian cvs_1.11.1p1debian-9_alpha.deb
  Fix for alpha architecture (DEC Alpha).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_alpha.deb


• Debian cvs_1.11.1p1debian-9_arm.deb
  Fix for arm architecture (ARM).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_arm.deb


• Debian cvs_1.11.1p1debian-9_hppa.deb
  Fix for hppa architecture (HP PA RISC).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_hppa.deb


• Debian cvs_1.11.1p1debian-9_i386.deb
  Fix for i386 architecture (Intel ia32).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_i386.deb


• Debian cvs_1.11.1p1debian-9_ia64.deb
  Fix for ia64 architecture (Intel ia64).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_ia64.deb


• Debian cvs_1.11.1p1debian-9_m68k.deb
  Fix for m68k architecture (Motorola Mc680x0).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_m68k.deb


• Debian cvs_1.11.1p1debian-9_mips.deb
  Fix for mips architecture (MIPS (Big Endian)).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_mips.deb


• Debian cvs_1.11.1p1debian-9_mipsel.deb
  Fix for mipsel architecture (MIPS (Little Endian)).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_mipsel.deb


• Debian cvs_1.11.1p1debian-9_powerpc.deb
  Fix for powerpc architecture (PowerPC).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_powerpc.deb


• Debian cvs_1.11.1p1debian-9_s390.deb
  Fix for s390 architecture (IBM S/390).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_s390.deb


• Debian cvs_1.11.1p1debian-9_sparc.deb
  Fix for sparc architecture (Sun SPARC/UltraSPARC).
  http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian- 9_sparc.deb


• OpenBSD 002_cvs.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch


• OpenBSD 017_cvs.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/017_cvs.patch


• OpenBSD 022_cvs.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch


• RedHat cvs-1.11.1p1-9.7.legacy.i386.rpm
  http://download.fedoralegacy.org/redhat/7.2/updates/i386/cvs-1.11.1p1- 9.7.legacy.i386.rpm


• RedHat cvs-1.11.1p1-9.7.legacy.i386.rpm
  http://download.fedoralegacy.org/redhat/7.3/updates/i386/cvs-1.11.1p1- 9.7.legacy.i386.rpm

CVS CVS 1.11.1

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384


• TurboLinux cvs-1.12.4-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer /6/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm


• TurboLinux cvs-1.12.4-1.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updat es/RPMS/cvs-1.12.4-1.i586.rpm


• TurboLinux cvs-1.12.4-1.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/ updates/RPMS/cvs-1.12.4-1.i586.rpm


• TurboLinux cvs-1.12.4-1.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/ updates/RPMS/cvs-1.12.4-1.i586.rpm

CVS CVS 1.11.2

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384


• Mandrake cvs-1.11.10-0.1.90mdk.i586.rpm
  Mandrake Linux 9.0
  http://www.linux-mandrake.com/en/ftp.php3


• Mandrake cvs-1.11.10-0.1.C21mdk.i586.rpm
  Mandrake Corporate Server 2.1
  http://www.linux-mandrake.com/en/ftp.php3


• Mandrake cvs-1.11.10-0.1.C21mdk.x86_64.rpm
  Mandrake Corporate Server 2.1/X86_64
  http://www.linux-mandrake.com/en/ftp.php3


• RedHat cvs-1.11.2-9.legacy.i386.rpm
  http://download.fedoralegacy.org/redhat/8.0/updates/i386/cvs-1.11.2-9. legacy.i386.rpm


• TurboLinux cvs-1.12.4-1.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updat es/RPMS/cvs-1.12.4-1.i586.rpm

CVS CVS 1.11.3

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384

CVS CVS 1.11.4

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384

CVS CVS 1.11.5

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384


• Mandrake cvs-1.11.10-0.2.91mdk.i586.rpm
  Mandrake Linux 9.1
  http://www.linux-mandrake.com/en/ftp.php3


• Mandrake cvs-1.11.10-0.2.91mdk.ppc.rpm
  Mandrake Linux 9.1/PPC
  http://www.linux-mandrake.com/en/ftp.php3


• TurboLinux cvs-1.12.4-1.i586.rpm
  ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/upd ates/RPMS/cvs-1.12.4-1.i586.rpm

CVS CVS 1.11.6

• CVS cvs-1.11.10.tar.bz2
  http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&d lID=384


• Mandrake cvs-1.11.10-0.2.92mdk.amd64.rpm
  Mandrake Linux 9.2/AMD64
  http://www.linux-mandrake.com/en/ftp.php3


• Mandrake cvs-1.11.10-0.2.92mdk.i586.rpm
  Mandrake Linux 9.2
  http://www.linux-mandrake.com/en/ftp.php3

SGI ProPack 2.3

• SGI patch10043.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/

SGI ProPack 2.4

• SGI patch10044.tar.gz
  ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/patch1 0044.tar.gz

Slackware Linux 8.1

• Slackware cvs-1.11.10-i386-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/c vs-1.11.10-i386-1.tgz

Slackware Linux 9.0

• Slackware cvs-1.11.10-i386-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/c vs-1.11.10-i386-1.tgz

Slackware Linux 9.1

• Slackware cvs-1.11.10-i486-1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/c vs-1.11.10-i486-1.tgz