Openwall GNU/*/Linux Information for VU#650937
Concurrent Versions System (CVS) server improperly deallocates memory
- Vendor Information Help Date Notified: 20 Jan 2003
- Statement Date:
- Date Updated: 04 Feb 2003
We don't yet re-distribute CVS in Openwall GNU/*/Linux.
We do, however, provide public anonymous CVS access to a copy of our repository, hosted off a separate machine and in a chroot jail. This kind of vulnerabilities in CVS was expected, and our anoncvs setup is mostly resistant to them: read-only access to the repository is achieved primarily with the use of regular Unix permissions, not controls built into CVS. CVS LockDir option is used to direct CVS lock files to a separate directory tree, actually writable to the pseudo-user. Nevertheless, the anoncvs server has been upgraded to CVS 1.11.5 a few hours after it was released.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.