FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cvs -- numerous vulnerabilities

Affected packages
cvs+ipv6 < 1.11.17
5.2 <= FreeBSD < 5.2.1_10
4.10 <= FreeBSD < 4.10_3
4.9 <= FreeBSD < 4.9_12
4.8 <= FreeBSD < 4.8_25

Details

VuXML ID d2102505-f03d-11d8-81b0-000347a4fa7d
Discovery 2004-05-20
Entry 2004-08-17
Modified 2004-09-19

A number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price.

Additionally, iDEFENSE reports that an undocumented command-line flag used in debugging does not perform input validation on the given path names.

CVS servers ("cvs server" or :pserver: modes) are affected by these vulnerabilities. The vulnerabilities vary in impact and include information disclosure (the iDEFENSE-reported bug), denial of service (CVE-2004-0414, CVE-2004-0416, CVE-2004-0417 and other bugs), and possibly arbitrary code execution (CVE-2004-0418). In very special situations where the attacker may somehow influence the contents of CVS configuration files in CVSROOT, additional attacks may be possible.

References

Bugtraq ID 10499
CVE Name CVE-2004-0414
CVE Name CVE-2004-0416
CVE Name CVE-2004-0417
CVE Name CVE-2004-0418
CVE Name CVE-2004-0778
FreeBSD Advisory SA-04:14.cvs
URL http://secunia.com/advisories/11817
URL http://secunia.com/advisories/12309
URL http://security.e-matters.de/advisories/092004.html
URL http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=false
URL http://www.osvdb.org/6830
URL http://www.osvdb.org/6831
URL http://www.osvdb.org/6832
URL http://www.osvdb.org/6833
URL http://www.osvdb.org/6834
URL http://www.osvdb.org/6835
URL http://www.osvdb.org/6836
URL https://ccvs.cvshome.org/source/browse/ccvs/NEWS?rev=1.116.2.104