Bug 24468

Summary: CVE-2010-3846: Heap-based buffer overflow by applying RCS file changes
Product: Sisyphus Reporter: Vladimir Lettiev <crux>
Component: cvsAssignee: Dmitry V. Levin <ldv>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: blocker    
Priority: P3 CC: ldv
Version: unstableKeywords: security
Hardware: all   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=642146

Description Vladimir Lettiev 2010-11-01 09:06:12 MSK 
An array index error, leading to heap-based buffer overflow was found
in the way CVS version control system applied certain delta fragments
changes from input file in the RCS (Revision Control System file)
format. A local attacker could store a specially-crafted RCS file into
the CVS repository and trick the remote victim to checkout (update their
CVS repository tree) with this file, which could lead to arbitrary code
execution with the privileges of the user running cvs client executable.

References:
[1] http://www.gnu.org/software/rcs/

Upstream changeset:
[2]
http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66&sortby=rev
Comment 1 Repository Robot 2010-12-04 03:25:15 MSK 
cvs-1.11.23-alt4 -> sisyphus:

* Fri Dec 03 2010 Dmitry V. Levin <ldv@altlinux> 1.11.23-alt4
- Applied upstream fix to an array index error, leading to a heap-based
  buffer overflow, found in the way CVS applied certain delta fragment
  changes from input files in the RCS (Revision Control System) file
  format.  If an attacker in control of a CVS repository stored a
  specially-crafted RCS file in that repository, this could result in
  arbitrary code execution with the privileges of the CVS server process
  on the system hosting the CVS repository when a remote user eventually
  checks out a revision of the affected file.
  Special thanks to Owl for the description.
  (CVE-2010-3846; closes: #24468).