[blfs-book] [BLFS Trac] #3396: CVS needs to be patched

BLFS Trac trac at linuxfromscratch.org
Mon Jun 4 15:17:45 PDT 2012


#3396: CVS needs to be patched
---------------------+------------------------------------------------------
 Reporter:  thofram  |        Owner:  blfs-book@…                   
     Type:  task     |       Status:  closed                        
 Priority:  normal   |    Milestone:  current                       
Component:  BOOK     |      Version:  SVN                           
 Severity:  normal   |   Resolution:  invalid                       
 Keywords:           |  
---------------------+------------------------------------------------------
Changes (by bdubbs@…):

  * status:  new => closed
  * resolution:  => invalid


Comment:

 I'm marking this as invalid.  The announcement refers to CVE-2012-0804.
 That advisory says "Heap-based buffer overflow in the proxy_connect
 function in src/client.c in CVS 1.11 and 1.12"

 There is no function proxy_connect() in cvs-1.11.23.  The Debian entry
 indicates several changes to the base system (a 10K patch) and RedHat
 indicates several changes to the base system:

 https://bugzilla.redhat.com/show_bug.cgi?id=784141

 Note that at http://ftp.gnu.org/non-gnu/cvs/source the most recent
 versions are:

 {{{
 http://ftp.gnu.org/non-gnu/cvs/source/feature/1.12.13/  03-Oct-2005
 http://ftp.gnu.org/non-gnu/cvs/source/stable/1.11.23/   08-May-2008
 }}}

 We use the stable version.  The vulnerability is in the patches made by
 others after the stable release.

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/3396#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
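The check behind this triage, whether the source tree you actually ship contains the function an advisory names, can be scripted. The following POSIX shell snippet is an added example, not part of the ticket or of the BLFS book: it builds two constructed sample trees (one standing in for a pristine stable release without the function, one for a distribution-patched tree that adds it) and greps each for a C definition of the named function. The names proxy_connect and src/client.c come from the advisory text quoted in the comment; the file contents are made up for the demonstration and are not CVS code.

```shell
#!/bin/sh
# Added example: does an unpacked source tree define the function an
# advisory names? Exit status 0 = definition found, 1 = not found.
# Sample trees below are constructed stand-ins, not real CVS sources.

# has_function_def DIR FUNC
# Looks for a C definition with the function name at column 0, the GNU
# style used by CVS ("proxy_connect (void)"), in any *.c file under DIR.
# Calls and prototypes (name not at column 0, or in headers) do not match.
has_function_def() {
    dir=$1
    func=$2
    find "$dir" -name '*.c' -exec grep -lE "^${func}[[:space:]]*\(" {} + 2>/dev/null \
        | grep -q .
}

# make_sample_tree ROOT VARIANT
# VARIANT "stable": constructed src/client.c without proxy_connect.
# VARIANT "patched": same file with a proxy_connect definition appended,
# standing in for a vendor-patched tree that added the function.
make_sample_tree() {
    root=$1
    variant=$2
    mkdir -p "$root/src"
    cat > "$root/src/client.c" <<'EOF'
/* constructed stand-in for src/client.c; not real CVS code */
int
start_server (void)
{
    return 0;
}
EOF
    if [ "$variant" = patched ]; then
        cat >> "$root/src/client.c" <<'EOF'

static int
proxy_connect (void)
{
    return 0;
}
EOF
    fi
}

# triage DIR FUNC
# Prints a one-line verdict; returns has_function_def's status so the
# result can be used in scripts.
triage() {
    if has_function_def "$1" "$2"; then
        echo "$1: defines $2 -> advisory may apply, review that function"
        return 0
    else
        echo "$1: no definition of $2 -> advisory's affected code is absent"
        return 1
    fi
}

# Demonstration on the two constructed trees.
tmp=$(mktemp -d)
make_sample_tree "$tmp/cvs-1.11.23" stable
make_sample_tree "$tmp/cvs-1.11.23-vendor-patched" patched
triage "$tmp/cvs-1.11.23" proxy_connect || true
triage "$tmp/cvs-1.11.23-vendor-patched" proxy_connect || true
rm -rf "$tmp"
```

The grep pattern is a heuristic tied to the GNU layout (function name at the start of the line); a definition written as `int proxy_connect(` on one line would be missed, so a negative result is a prompt to read the code, not a proof. The point it automates is the one the comment makes: an advisory written against patched downstream trees need not apply to the upstream tarball a distribution actually builds.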


