Debian Bug report logs - #325106
cvs: cvsbug temporary file bug CAN-2005-2693


Package: cvs; Maintainer for cvs is Thorsten Glaser <>; Source for cvs is src:cvs.

Reported by: Javier Fernández-Sanguino Peña <>

Date: Fri, 26 Aug 2005 07:33:03 UTC

Severity: wishlist

Tags: patch

Found in version cvs/1:1.12.9-14

Fixed in version cvs/1:1.12.9-15

Done: Steve McIntyre <>

Bug is archived. No further changes may be made.



Report forwarded to, Steve McIntyre <>:
Bug#325106; Package cvs. Full text and rfc822 format available.

Acknowledgement sent to Javier Fernández-Sanguino Peña <>:
New Bug report received and forwarded. Copy sent to Steve McIntyre <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Javier Fernández-Sanguino Peña <>
Subject: cvs: cvsbug temporary file bug CAN-2005-2693
Date: Fri, 26 Aug 2005 09:18:28 +0200
Package: cvs
Version: 1:1.12.9-14
Priority: wishlist
Tags: patch

Cvsbug has a temporary file handling issue as reported by Fedora [1].
Even though this bug does not apply to the Debian package (cvsbug
is not distributed), it would be nice if it were applied anyway
to the sources (to prevent people from picking up this script with
this vulnerability, like gcvs seems to have done).

Attached is the patch based on the Bugzilla report [2]

Also, note that even if cvsbug is not installed, its manpage is. You
might want to remove it.




Reply sent to Steve McIntyre <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Javier Fernández-Sanguino Peña <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Steve McIntyre <>
Subject: Bug#325106: fixed in cvs 1:1.12.9-15
Date: Wed, 31 Aug 2005 17:02:05 -0700
Source: cvs
Source-Version: 1:1.12.9-15

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive:

  to pool/main/c/cvs/cvs_1.12.9-15.diff.gz
  to pool/main/c/cvs/cvs_1.12.9-15.dsc
  to pool/main/c/cvs/cvs_1.12.9-15_alpha.deb
  to pool/main/c/cvs/cvs_1.12.9-15_hppa.deb
  to pool/main/c/cvs/cvs_1.12.9-15_i386.deb
  to pool/main/c/cvs/cvs_1.12.9-15_ia64.deb
  to pool/main/c/cvs/cvs_1.12.9-15_mips.deb
  to pool/main/c/cvs/cvs_1.12.9-15_powerpc.deb
  to pool/main/c/cvs/cvs_1.12.9-15_sparc.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Steve McIntyre <> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.7
Date: Wed, 31 Aug 2005 23:06:00 +0100
Source: cvs
Binary: cvs
Architecture: alpha hppa i386 ia64 mips powerpc source sparc 
Version: 1:1.12.9-15
Distribution: unstable
Urgency: low
Maintainer: Steve McIntyre <>
Changed-By: Steve McIntyre <>
 cvs        - Concurrent Versions System
Closes: 168163 324965 325106
 cvs (1:1.12.9-15) unstable; urgency=low
   * Print a clearer message if ~/.cvspass does not exist when cvs login is
     called. Closes: #168163.
   * Updated debconf dependency to allow debconf-2.0 also.
   * Make sure we don't install the cvsbug man page. Closes: #324965
   * Patch for a tmp race in cvsbug (in the source package; we don't ship
     the script as part of the package). Closes: #325106



Bug archived. Request was from Debbugs Internal Request <> to (Sun, 24 Jun 2007 11:22:08 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <>. Last modified: Fri Apr 18 19:21:36 2014; Machine Name:
