Debian Bug report logs - #593884
cvsnt: Bug in branch ACLs may allow a remote attacker to execute arbitrary code

version graph

Package: cvsnt; Maintainer for cvsnt is (unknown);

Reported by: Andreas Tscharner <andy@vis.ethz.ch>

Date: Sat, 21 Aug 2010 21:00:01 UTC

Severity: critical

Tags: patch, security, upstream

Fixed in version cvsnt/2.5.03.2382-3.3+lenny1

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#593884; Package cvsnt. (Sat, 21 Aug 2010 21:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Tscharner <andy@vis.ethz.ch>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Sat, 21 Aug 2010 21:00:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Andreas Tscharner <andy@vis.ethz.ch>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cvsnt: Bug in branch ACLs may allow a remote attacker to execute arbitrary code
Date: Sat, 21 Aug 2010 22:48:21 +0200
Package: cvsnt
Version: 2.5.04.3236-1.2
Severity: critical
Tags: security upstream
Justification: root security hole

March Hare Software CVSNT contains a branch name ACL vulnerability or
exposure in the cvs.exe, cvsnt.exe or /usr/bin/cvs file, which may allow a
remote, unauthorised attacker to execute arbitrary code on any installed
operating system.

See: http://march-hare.com/cvspro/vuln.htm
and: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1326

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32 (SMP w/2 CPU cores)
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_CH.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cvsnt depends on:
ii  libc6                 2.11.2-2           Embedded GNU C Library: Shared lib
ii  libcomerr2            1.41.12-2          common error description library
ii  libgcc1               1:4.4.4-9          GCC support library
ii  libgssapi-krb5-2      1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries - k
ii  libk5crypto3          1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries - C
ii  libkrb5-3             1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries
ii  libltdl7              2.2.6b-2           A system independent dlopen wrappe
ii  libpam0g              1.1.1-4            Pluggable Authentication Modules l
ii  libpcre3              8.02-1.1           Perl 5 Compatible Regular Expressi
ii  libpq5                8.4.4-2            PostgreSQL C client library
ii  libsqlite3-0          3.7.0.1-1          SQLite 3 shared library
ii  libssl0.9.8           0.9.8o-1           SSL shared libraries
ii  libstdc++6            4.4.4-9            The GNU Standard C++ Library v3
ii  libxml2               2.7.7.dfsg-4       GNOME XML library
ii  unixodbc              2.2.14p2-2         ODBC tools libraries
ii  zlib1g                1:1.2.3.4.dfsg-3   compression library - runtime

Versions of packages cvsnt recommends:
ii  libiodbc2                     3.52.6-4   iODBC Driver Manager

cvsnt suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#593884; Package cvsnt. (Thu, 09 Sep 2010 15:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sebastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Thu, 09 Sep 2010 15:51:07 GMT) Full text and rfc822 format available.

Message #10 received at 593884@bugs.debian.org (full text, mbox):

From: Sebastien Delafond <seb@debian.org>
To: 593884@bugs.debian.org
Cc: control@bugs.debian.org
Subject: patch
Date: Thu, 9 Sep 2010 17:46:09 +0200
tag 593884 + patch
thanks

Direct link to the patch fixing this issue:
  
  http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?id=5871&tt=1

Cheers,

--Seb




Added tag(s) patch. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Thu, 09 Sep 2010 15:51:08 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions cvsnt/2.5.04.3236-1.2. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Mon, 13 Sep 2010 09:45:04 GMT) Full text and rfc822 format available.

Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Tue, 14 Sep 2010 14:03:07 GMT) Full text and rfc822 format available.

Notification sent to Andreas Tscharner <andy@vis.ethz.ch>:
Bug acknowledged by developer. (Tue, 14 Sep 2010 14:03:07 GMT) Full text and rfc822 format available.

Message #19 received at 593884-close@bugs.debian.org (full text, mbox):

From: Sebastien Delafond <seb@debian.org>
To: 593884-close@bugs.debian.org
Subject: Bug#593884: fixed in cvsnt 2.5.03.2382-3.3+lenny1
Date: Tue, 14 Sep 2010 14:00:05 +0000
Source: cvsnt
Source-Version: 2.5.03.2382-3.3+lenny1

We believe that the bug you reported is fixed in the latest version of
cvsnt, which is due to be installed in the Debian FTP archive:

cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
  to main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
cvsnt_2.5.03.2382-3.3+lenny1.dsc
  to main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1.dsc
cvsnt_2.5.03.2382-3.3+lenny1_i386.deb
  to main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 593884@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated cvsnt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Sep 2010 10:41:09 +0200
Source: cvsnt
Binary: cvsnt
Architecture: source i386
Version: 2.5.03.2382-3.3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Andreas Tscharner <andy@vis.ethz.ch>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 cvsnt      - A better CVS
Closes: 593884
Changes: 
 cvsnt (2.5.03.2382-3.3+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix branch name ACL vulnerability leading to arbitrary code execution
     (Closes: #593884).
     CVE-2010-1326
Checksums-Sha1: 
 d71de144f3953daa65102e2e7c5a9771cd522490 1214 cvsnt_2.5.03.2382-3.3+lenny1.dsc
 f499be0263195effa6e6ba82ea50a7507baf2ecf 6804247 cvsnt_2.5.03.2382.orig.tar.gz
 d8e1cc9b31932c17b70d787ab4953c2273114881 124606 cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
 635b006aa04db89915ffad08a498b01a146116f7 1085060 cvsnt_2.5.03.2382-3.3+lenny1_i386.deb
Checksums-Sha256: 
 4e6d6d0889bd535fc44b86e6fd8d2a707c96366380a32c3e899a1fd1c3cd2234 1214 cvsnt_2.5.03.2382-3.3+lenny1.dsc
 b443a9beda1d87c31e07547d5cd68118153550f579ecb7ffcdfff8afaa6684b9 6804247 cvsnt_2.5.03.2382.orig.tar.gz
 fd0ffde5e2daef4537f017debf9781c700bd0399ea9793f9047539d5f7849395 124606 cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
 a9cd4ead8c13e6ef1f6e1c5929146153dda18a5422c548b85a23dc767d399763 1085060 cvsnt_2.5.03.2382-3.3+lenny1_i386.deb
Files: 
 753ba20f4b7c368e962eb304807241ba 1214 devel optional cvsnt_2.5.03.2382-3.3+lenny1.dsc
 c50c2d82aeb274a664d8d1cf53ccd0da 6804247 devel optional cvsnt_2.5.03.2382.orig.tar.gz
 f55d905fa0273040e2b3cd85896fb783 124606 devel optional cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
 b6149560ad1931a5a6283d7263e3f41b 1085060 devel optional cvsnt_2.5.03.2382-3.3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyN55oACgkQiZgNKcDdyD9TzgCgv1Jxmpnu/uesk+TqUFKq1Oo7
faAAnAuRTo59ZI8NWLxDJc3tXcBJeBP5
=9aP0
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Nov 2010 07:33:57 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:12:03 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.