GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Sun Sep 24, 2017 6:26 pm Post subject: [ GLSA 201709-17 ] cvs
Gentoo Linux Security Advisory
Title: CVS: Command injection (GLSA 201709-17)
Severity: normal
Exploitable: remote
Date: 2017-09-24
Bug(s): #627498
ID: 201709-17
Synopsis
A command injection vulnerability in CVS may allow remote attackers
to execute arbitrary code.
Background
CVS (Concurrent Versions System) is an open-source network-transparent
version control system. It contains both a client utility and a server.
Affected Packages
Package: dev-vcs/cvs
Vulnerable: < 1.12.12-r12
Unaffected: >= 1.12.12-r12
Architectures: All supported architectures
Description
It was discovered that, when CVS is configured to use SSH for remote
repositories, it allows remote attackers to execute arbitrary code through
a repository URL with a specially crafted hostname.
Impact
A remote attacker, by enticing a user to clone a specially crafted
repository, could possibly execute arbitrary code with the privileges of
the process.
Workaround
There is no known workaround at this time.
Resolution
All CVS users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/cvs-1.12.12-r12"
References
CVE-2017-12836
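The advisory gives two practical handles for a defender: the vulnerable input is the hostname in a CVS repository URL, and the fix is the package version threshold. The following Python script is an added example (not part of the GLSA, of Gentoo's tooling, or of CVS itself) that puts both into code: check_cvsroot() validates the host component of a CVSROOT string against the RFC 1123 hostname grammar before the string is handed to cvs, so that anything that is not a syntactically valid hostname is refused, and is_vulnerable_version() compares an installed dev-vcs/cvs version against the advisory's unaffected threshold. The CVSROOT spellings handled (explicit :method:, implicit :ext:, and local paths), the set of method names, and the simplified Gentoo version comparison are assumptions made for this example; the hostnames and version strings in it are constructed sample data.

```python
"""Added example (not part of the GLSA): defender-side checks for GLSA 201709-17.

check_cvsroot()        validates the hostname inside a CVSROOT string
is_vulnerable_version() compares an installed version against the fixed one
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "1.12.12-r12"  # "Unaffected: >= 1.12.12-r12" from the advisory

# One DNS label: alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Access methods that involve a remote host / that are local (assumed grouping).
_REMOTE_METHODS = {"ext", "extssh", "pserver", "server", "gserver", "kserver"}
_LOCAL_METHODS = {"local", "fork"}


def is_valid_hostname(host: str) -> bool:
    """True if `host` is a syntactically valid RFC 1123 hostname (or IPv4 literal)."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def split_cvsroot(cvsroot: str) -> Tuple[str, Optional[str], str]:
    """Return (method, host_or_None, path) for the common CVSROOT spellings:
       :method:[user@]host[:port]:/path   explicit method
       [user@]host:/path                  implicit :ext: (uses $CVS_RSH)
       /path                              local repository
    """
    if cvsroot.startswith(":"):
        parts = cvsroot.split(":", 3)            # ['', method, hostpart, path]
        method = parts[1]
        if method in _LOCAL_METHODS:             # :local:/path has no host part
            return method, None, cvsroot[len(method) + 2:]
        if len(parts) != 4:
            raise ValueError("malformed CVSROOT: %r" % cvsroot)
        hostpart, path = parts[2], parts[3]
    elif ":" in cvsroot:
        method = "ext"
        hostpart, path = cvsroot.split(":", 1)
    else:
        return "local", None, cvsroot
    host = hostpart.rpartition("@")[2]           # drop an optional user@ prefix
    port_match = re.match(r"^(\d+)(/.*)$", path)  # pserver form host:PORT/path
    if port_match:
        path = port_match.group(2)
    return method, host, path


def check_cvsroot(cvsroot: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Remote CVSROOTs need an RFC 1123-valid hostname."""
    try:
        method, host, path = split_cvsroot(cvsroot)
    except ValueError as exc:
        return False, str(exc)
    if host is None:
        return True, "local repository %s" % path
    if method not in _REMOTE_METHODS:
        return False, "unknown access method %r" % method
    if not is_valid_hostname(host):
        return False, "hostname %r is not a valid RFC 1123 hostname" % host
    return True, "%s -> %s%s" % (method, host, path)


def _version_key(version: str) -> Tuple[int, ...]:
    """'1.12.12-r12' -> (1, 12, 12, 12); '1.12.12' -> (1, 12, 12, 0).
    Simplified: dotted numerics plus an optional Gentoo -rN revision only."""
    base, _, rev = version.partition("-r")
    nums = tuple(int(x) for x in base.split("."))
    return nums + (int(rev) if rev else 0,)


def is_vulnerable_version(installed: str) -> bool:
    """True if `installed` is below the advisory's unaffected threshold."""
    return _version_key(installed) < _version_key(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs for illustration; none come from the advisory.
    for root in (":ext:alice@cvs.example.org:/cvsroot/proj",
                 ":pserver:anon@cvs.example.org:2401/cvsroot",
                 "cvs.example.org:/cvsroot/proj",
                 ":ext:alice@-not.a.host:/cvsroot/proj",
                 "/var/lib/cvsroot"):
        print("%-45s %s" % (root, check_cvsroot(root)))
    for v in ("1.12.12-r11", "1.12.12-r12", "1.12.13"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

A wrapper that calls check_cvsroot() on $CVSROOT or on the -d argument before running cvs is a belt-and-braces measure only; it does not replace the upgrade the advisory prescribes, since the fixed package is what stops the hostname from reaching the SSH command line in the first place.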