Mandrake Linux Security Advisory : cvs (MDKSA-2004:058)

Critical Nessus Plugin ID 14157


The remote Mandrake Linux host is missing a security update.


The cvs development team discovered another vulnerability related to 'Entry' lines in cvs (CVE-2004-0414).

In addition, Stefan Esser and Sebastian Krahmer audited the cvs source code and discovered a number of other problems, including:

A double-free condition in the server code is exploitable (CVE-2004-0416).

Sending a large number of arguments to the CVS server can cause it to allocate a huge amount of memory that does not fit into the address space, causing an error (CVE-2004-0417).

It was found that the serve_notify() function would write data out of bounds (CVE-2004-0418).

The provided packages update cvs to 1.11.16 and include patches to correct all of these problems.


Update the affected cvs package.

Plugin Details

Severity: Critical

ID: 14157

File Name: mandrake_MDKSA-2004-058.nasl

Version: $Revision: 1.17 $

Type: local

Published: 2004/07/31

Modified: 2016/01/14

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:cvs, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:9.1, cpe:/o:mandrakesoft:mandrake_linux:9.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2004/06/09

Reference Information

CVE: CVE-2004-0414, CVE-2004-0416, CVE-2004-0417, CVE-2004-0418

MDKSA: 2004:058

CWE: 119