Title: CVS CVSROOT Configuration File Empty Line Underflow
Dates
Disclosure: Jun 09, 2004
Discovery: May 20, 2004
Exploit: Unknown
Solution: Unknown
Description
A local overflow exists in CVS stable and CVS feature. CVS fails to adequately handle configuration files stored in CVSROOT that contain empty lines, resulting in a single-byte underflow. By supplying a configuration file formatted this way, an attacker can trigger the issue, resulting in a loss of availability and possibly other effects.
It should be noted that only users with the COMMIT privilege can properly exploit this issue. It is further reported that only big-endian architectures (e.g., SPARC, as opposed to Intel) should be adversely affected by this problem.
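The off-by-one pattern behind a single-byte underflow on an empty line, shown beside a checked version. This is an added illustration of the bug class, not CVS source code; the function names, the guard-byte arena and the sample input are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*chop_fn)(char *line, ptrdiff_t len);

/* Unsafe: overwrites the last character with a terminator, taking for
   granted that the line has one. For len == 0 the index is -1. */
static void chop_unsafe(char *line, ptrdiff_t len) { line[len - 1] = '\0'; }
/* Hardened: an empty line has no last character to overwrite. */
static void chop_checked(char *line, ptrdiff_t len)
{
    if (len > 0)
        line[len - 1] = '\0';
}

/* Feed each line of cfg through chop and return how many times the byte
   just before the line buffer was modified. arena[0] is that byte, so the
   write at line[-1] stays inside arena and can be observed safely. */
static int count_underflows(const char *cfg, chop_fn chop)
{
    char arena[1 + 128];
    char *line = arena + 1;
    int hits = 0;
    while (*cfg != '\0') {
        size_t n = strcspn(cfg, "\n");      /* line length without newline */
        size_t len = n < 127 ? n : 127;     /* truncate over-long lines */
        arena[0] = 'G';                     /* guard value */
        memcpy(line, cfg, len);
        line[len] = '\0';
        chop(line, (ptrdiff_t)len);
        if (arena[0] != 'G')
            hits++;
        cfg += n;
        if (*cfg == '\n')
            cfg++;
    }
    return hits;
}

/* Constructed sample input (not a real CVSROOT file): two empty lines. */
static const char SAMPLE_CFG[] = "alpha=1\n\nbeta=2\n\n";

int main(void)
{
    printf("unsafe:  %d underflow(s)\n", count_underflows(SAMPLE_CFG, chop_unsafe));
    printf("checked: %d underflow(s)\n", count_underflows(SAMPLE_CFG, chop_checked));
    return 0;
}
```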
Classification
Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Availability
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
Solution
Upgrade to CVS stable 1.11.17 or higher, or CVS feature 1.12.9 or higher, as these versions have been reported to fix this vulnerability. Also, refrain from giving untrusted users COMMIT access to CVS.