Bug 152656 - cvs security patches
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
rh72, rh73, rh80
Reported: 2004-01-12 09:25 EST by David Lawrence
Modified: 2014-01-21 17:51 EST (History)
Description David Lawrence 2005-03-30 18:22:58 EST


We have a src.rpm to fix two vulnerabilities in cvs.  The first is that it's 
possible to have cvs attempt to create directories in the system root with 
malformed module requests.  The second has to do with a switch_to_user 
routine that did not check to make sure it wasn't the root user.

https://mail.codegrinder.com/www/cvs/cvs-1.11.1p1-9.7.legacy.src.rpm
https://mail.codegrinder.com/www/cvs/md5sum.asc

* Mon Jan 12 2004 Jason Rohwedder <rohwedde@codegrinder.com> 1.11.1p1-9.7.legacy
- applied cvs-1.11.9-absolute-modules.patch
- to make Seth's previous changelog true :)
- He actually patched
- http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88

* Mon Jan 12 2004 Seth Vidal <skvidal@phy.duke.edu>
- apply security patch for CAN-2003-0977

* Tue Dec 30 2003 Seth Vidal <skvidal@phy.duke.edu> 1.11.1p1-8.7.duke.1
- apply security patch for:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
- second patch to make the above build

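An added illustration, not code from cvs or from the Fedora Legacy package: the two checks the description says the patched cvs gained, written as stand-alone C helpers. The function names are assumed, the ".." rejection in module_name_ok goes beyond the absolute-name case the page names, and the post-setuid verification is standard privilege-drop hygiene rather than anything the page attributes to the patch.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* A client-supplied module name must stay a relative path inside the
 * repository: reject absolute names (the "absolute-modules" case) and,
 * as extra hardening, any ".." component.  Returns 1 if acceptable. */
int module_name_ok(const char *name) {
    const char *p = name;
    if (name == NULL || *name == '\0' || *name == '/')
        return 0;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* The check the old switch_to_user lacked: the target must not be root
 * (uid 0) nor have root's primary group (gid 0). */
int target_user_ok(const struct passwd *pw) {
    return pw != NULL && pw->pw_uid != 0 && pw->pw_gid != 0;
}

/* Drop privileges to `username`, refusing root, and verify the drop cannot
 * be undone.  Returns 0 on success, -1 on error.  Helper name is assumed. */
int switch_to_user(const char *username) {
    struct passwd *pw = username ? getpwnam(username) : NULL;
    if (!target_user_ok(pw)) {
        fputs("switch_to_user: refusing to switch to root or unknown user\n", stderr);
        return -1;
    }
    /* Supplementary groups and gid first: they need root to change. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    /* If root can be regained, the drop did not take. */
    if (setuid(0) == 0 || geteuid() != pw->pw_uid)
        return -1;
    return 0;
}
```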



------- Additional Comments From pearcec@commnav.com 2004-01-12 12:02:50 ----

 
7c914923c3847ca914c521559d3747cf  cvs-1.11.1p1.tar.gz
6cb3b1b25bcb33c5ea9c1b4da12fec6f  cvs-1.11.10-1.11.11.patch
44e464f33945d0dd22dc0d8d706d0e39  cvs-1.11.9-absolute-modules.patch
de8f66312f6bd4c15912cf5ccc721b38  cvs-1.11.1p1-9.7.legacy.src.rpm

* Spec looks good.
* Verified cvs patches came from RedHat 9 src rpm
* Built fine for 7.3 and 7.2




------- Additional Comments From pearcec@commnav.com 2004-01-12 12:09:58 ----

 
I took the two patches from the RedHat 9 src rpm.  I added them as patches
to the last src rpm from RedHat 8.0.  It compiles and runs.
                                                                                
Details at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2
                                                                                
RH80: http://www.commnav.com/~pearcec/cvs-1.11.2-9.legacy.src.rpm
MD5SUM: http://www.commnav.com/~pearcec/cvs-1.11.2-9.legacy.md5sum




------- Additional Comments From warren@togami.com 2004-01-13 01:44:15 ----

What is the SRPM name-version-release of RH9's latest errata of this?  Please
supply any link to it.




------- Additional Comments From andy.henson.fedora@zexia.co.uk 2004-01-13 04:50:00 ----

cvs-1.11.1p1-9.7.legacy.i386.rpm builds from .src.rpm : OK

Package contains same file list as previous cvs-1.11.1p1-8.7 : OK

Checked the source files against those provided by Seth Vidal: OK
Checked the source files against RedHat's cvs-1.11.1p1-8.7.src.rpm: OK
"absolute-modules.patch" was newly added as expected.

I've installed and briefly tested it on 2 machines: OK

Vote PUBLISH




------- Additional Comments From pearcec@commnav.com 2004-01-13 05:11:23 ----

Here is the link to the RedHat errata.  The SRPM is linked from this page.

https://rhn.redhat.com/errata/RHSA-2004-003.html

Here is a link to the SRPM.

http://updates.redhat.com/9/en/os/SRPMS/cvs-1.11.2-13.src.rpm



------- Additional Comments From drees@greenhydrant.com 2004-01-19 23:44:54 ----

My first attempt at some real QA for RH73:

Using:
https://mail.codegrinder.com/www/cvs/cvs-1.11.1p1-9.7.legacy.src.rpm

* md5 check and gpg sig check OK
* Builds OK on RH73
* Changes diffed against
  ftp://updates.redhat.com/7.3/en/os/SRPMS/cvs-1.11.1p1-8.7.src.rpm
  - Found expected changes to .spec file
  - Found expected two additional patch files:
    Patch10: cvs-1.11.10-1.11.11.patch
    Patch11: cvs-1.11.9-absolute-modules.patch
    Both patches verified against CVS http://ccvs.cvshome.org/source/browse/ccvs/
    as well as RH9 srpms and appear sane.
* Passes basic functionality tests on two machines.

Let me know if I missed anything.



------- Additional Comments From drees@greenhydrant.com 2004-01-20 22:41:31 ----

I did miss something in my previous message:

Vote PUBLISH




------- Additional Comments From drees@greenhydrant.com 2004-01-21 08:13:10 ----

Fixing my "replay attack" vulnerable message above:

RH73 8bb1efc887159af9f79508887835d6542294d425  cvs-1.11.1p1-9.7.legacy.src.rpm

Vote PUBLISH




------- Additional Comments From jkeating@j2solutions.net 2004-01-23 21:48:08 ----


7.2
de8f66312f6bd4c15912cf5ccc721b38  ../cvs-1.11.1p1-9.7.legacy.src.rpm

Patch looks good, package builds, upgrades cleanly, ldd output is the same.

Vote PUBLISH.  With the other votes for the other releases, I'll publish tonight.




------- Additional Comments From jkeating@j2solutions.net 2004-01-23 23:15:45 ----

Posted to updates-testing.



------- Additional Comments From drees@greenhydrant.com 2004-01-25 11:05:53 ----

RH73 1dfba0ce740a20bd0977eede82f606ea2f907b00  cvs-1.11.1p1-9.7.legacy.i386.rpm

rpm --checksig is good
ldd of new cvs binary matches previous RedHat version.
File list of new binary matches old list
Passes basic functionality tests

VERIFIED




------- Additional Comments From pearcec@commnav.com 2004-01-28 07:44:32 ----

RH72: 8aef6ba5cbd1d4a2e37a29d7df615916  cvs-1.11.1p1-9.7.legacy.i386.rpm
RH80: 0f1917284f8537647adfa4ca07f04b01  cvs-1.11.2-9.legacy.i386.rpm
 
rpm --checksig is good
ldd of new cvs binary matches previous RedHat version.
File list of new binary matches old list
Passes basic functionality tests
 
VERIFIED




------- Additional Comments From pearcec@commnav.com 2004-01-28 08:29:35 ----

I didn't match the SHA1SUMs with my previous post.  I am reposting with a proper
match.

RH72: 469e08276fd61a06f816d4d7df68bc6c85a98560  cvs-1.11.1p1-9.7.legacy.i386.rpm
RH80: e415df08fdfd35216c68651aa5214e7ecdb04268  cvs-1.11.2-9.legacy.i386.rpm
 
VERIFIED




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:22 -------

This bug previously known as bug 1207 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1207
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was rohwedde@codegrinder.com.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

