Andreas Tscharner
2010-Aug-21 20:48 UTC
[Secure-testing-team] Bug#593884: cvsnt: Bug in branch ACLs may allow a remote attacker to execute arbitrary code
Package: cvsnt
Version: 2.5.04.3236-1.2
Severity: critical
Tags: security upstream
Justification: root security hole

March Hare Software CVSNT contains a branch name ACL vulnerability or exposure in the cvs.exe, cvsnt.exe or /usr/bin/cvs file, which may allow a remote, unauthorised attacker to execute arbitrary code on any installed operating system.

See: http://march-hare.com/cvspro/vuln.htm
and: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1326

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32 (SMP w/2 CPU cores)
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_CH.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cvsnt depends on:
ii  libc6             2.11.2-2            Embedded GNU C Library: Shared lib
ii  libcomerr2        1.41.12-2           common error description library
ii  libgcc1           1:4.4.4-9           GCC support library
ii  libgssapi-krb5-2  1.8.3+dfsg~beta1-1  MIT Kerberos runtime libraries - k
ii  libk5crypto3      1.8.3+dfsg~beta1-1  MIT Kerberos runtime libraries - C
ii  libkrb5-3         1.8.3+dfsg~beta1-1  MIT Kerberos runtime libraries
ii  libltdl7          2.2.6b-2            A system independent dlopen wrappe
ii  libpam0g          1.1.1-4             Pluggable Authentication Modules l
ii  libpcre3          8.02-1.1            Perl 5 Compatible Regular Expressi
ii  libpq5            8.4.4-2             PostgreSQL C client library
ii  libsqlite3-0      3.7.0.1-1           SQLite 3 shared library
ii  libssl0.9.8       0.9.8o-1            SSL shared libraries
ii  libstdc++6        4.4.4-9             The GNU Standard C++ Library v3
ii  libxml2           2.7.7.dfsg-4        GNOME XML library
ii  unixodbc          2.2.14p2-2          ODBC tools libraries
ii  zlib1g            1:1.2.3.4.dfsg-3    compression library - runtime

Versions of packages cvsnt recommends:
ii  libiodbc2         3.52.6-4            iODBC Driver Manager

cvsnt suggests no packages.

-- no debconf information