Mandrake Linux Security Advisory : cvs (MDKSA-2004:028)

Low Nessus Plugin ID 14127


The remote Mandrake Linux host is missing a security update.


Sebastian Krahmer from the SUSE security team discovered a remotely exploitable vulnerability in the CVS client. When doing a cvs checkout or update over a network, the client accepts absolute pathnames in the RCS diff files. A maliciously configured server could then create any file, with content, on the local user's disk. This problem affects all versions of CVS prior to 1.11.15, which fixed the problem.

The updated packages provide 1.11.14 with the pertinent fix for the problem.


Update the affected cvs package.

Plugin Details

Severity: Low

ID: 14127

File Name: mandrake_MDKSA-2004-028.nasl

Version: 1.14

Type: local

Published: 2004/07/31

Modified: 2013/05/31

Dependencies: 12634

Risk Information

Risk Factor: Low


Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:cvs, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:9.1, cpe:/o:mandrakesoft:mandrake_linux:9.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2004/04/14

Reference Information

CVE: CVE-2004-0180

MDKSA: 2004:028