[Secure-testing-team] Bug#593884: cvsnt: Bug in branch ACLs may allow a remote attacker to execute arbitrary code
Andreas Tscharner
andy at vis.ethz.ch
Sat Aug 21 20:48:21 UTC 2010
Package: cvsnt
Version: 2.5.04.3236-1.2
Severity: critical
Tags: security upstream
Justification: root security hole
March Hare Software CVSNT contains a branch name ACL vulnerability or
exposure in the cvs.exe, cvsnt.exe or /usr/bin/cvs file, which may allow a
remote, unauthorised attacker to execute arbitrary code on any installed
operating system.
See: http://march-hare.com/cvspro/vuln.htm
and: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1326
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32 (SMP w/2 CPU cores)
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_CH.utf8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cvsnt depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libgcc1 1:4.4.4-9 GCC support library
ii libgssapi-krb5-2 1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libpq5 8.4.4-2 PostgreSQL C client library
ii libsqlite3-0 3.7.0.1-1 SQLite 3 shared library
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
ii libxml2 2.7.7.dfsg-4 GNOME XML library
ii unixodbc 2.2.14p2-2 ODBC tools libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages cvsnt recommends:
ii libiodbc2 3.52.6-4 iODBC Driver Manager
cvsnt suggests no packages.
-- no debconf information