Bug 24468 - CVE-2010-3846: Heap-based buffer overflow by applying RCS file changes
Summary: CVE-2010-3846: Heap-based buffer overflow by applying RCS file changes
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: cvs (show other bugs)
Version: unstable
Hardware: all Linux
: P3 blocker
Assignee: Dmitry V. Levin
QA Contact: qa-sisyphus
URL: https://bugzilla.redhat.com/show_bug....
Keywords: security
Depends on:
Blocks:
 
Reported: 2010-11-01 09:06 MSK by Vladimir Lettiev
Modified: 2010-12-04 03:25 MSK (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir Lettiev 2010-11-01 09:06:12 MSK
An array index error, leading to heap-based buffer overflow was found
in the way CVS version control system applied certain delta fragments
changes from input file in the RCS (Revision Control System file)
format. A local attacker could store a specially-crafted RCS file into
the CVS repository and trick the remote victim to checkout (update their
CVS repository tree) with this file, which could lead to arbitrary code
execution with the privileges of the user running cvs client executable.

References:
[1] http://www.gnu.org/software/rcs/

Upstream changeset:
[2]
http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66&sortby=rev
Comment 1 Repository Robot 2010-12-04 03:25:15 MSK
cvs-1.11.23-alt4 -> sisyphus:

* Fri Dec 03 2010 Dmitry V. Levin <ldv@altlinux> 1.11.23-alt4
- Applied upstream fix to an array index error, leading to a heap-based
  buffer overflow, found in the way CVS applied certain delta fragment
  changes from input files in the RCS (Revision Control System) file
  format.  If an attacker in control of a CVS repository stored a
  specially-crafted RCS file in that repository, this could result in
  arbitrary code execution with the privileges of the CVS server process
  on the system hosting the CVS repository when a remote user eventually
  checks out a revision of the affected file.
  Special thanks to Owl for the description.
  (CVE-2010-3846; closes: #24468).