GLSA-200404-13 : CVS Server and Client Vulnerabilities

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200404-13
(CVS Server and Client Vulnerabilities)

There are two vulnerabilities in CVS
one in the server and one in the
client. The server vulnerability allows a malicious client to request
the contents of any RCS file to which the server has permission, even
those not located under $CVSROOT. The client vulnerability allows a
malicious server to overwrite files on the client machine anywhere the
client has permissions.

Impact :

Arbitrary files may be read or written on CVS clients and servers by
anybody with access to the CVS tree.

Workaround :

There is no known workaround at this time. All users are encouraged to
upgrade to the latest stable version of CVS.

See also :

http://www.nessus.org/u?a3f99663
http://www.gentoo.org/security/en/glsa/glsa-200404-13.xml

Solution :

All CVS users should upgrade to the latest stable version.
# emerge sync
# emerge -pv '>=dev-util/cvs-1.11.15'
# emerge '>=dev-util/cvs-1.11.15'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14478 (gentoo_GLSA-200404-13.nasl)

Bugtraq ID:

CVE ID: CVE-2004-0180
CVE-2004-0405