CVS: Command injection — GLSA 201709-17

A command injection vulnerability in CVS may allow remote attackers to execute arbitrary code.

Affected packages

Package: dev-vcs/cvs (all architectures)
Affected versions: < 1.12.12-r12
Unaffected versions: >= 1.12.12-r12

Background

CVS (Concurrent Versions System) is an open-source network-transparent version control system. It contains both a client utility and a server.

Description

It was discovered that, when CVS is configured to use SSH for remote repositories, it allows remote attackers to execute arbitrary code through a repository URL with a specially crafted hostname.
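As an added example (not part of this advisory and not code from CVS itself), a pre-flight check that a wrapper script or CI job could run on a CVSROOT before handing it to the cvs client: it parses the `:ext:` form and accepts only a hostname that is syntactically a plain DNS name or IPv4 literal. The advisory does not state the exact crafted form, so the check is deliberately strict rather than targeted; the function and field names are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Strict DNS-label syntax (RFC 1123): 1-63 characters, alphanumeric, with
# hyphens allowed only in the interior of a label. Anything else is rejected.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_USER = re.compile(r"^[A-Za-z0-9._-]+$")

class CvsRoot(NamedTuple):
    method: str
    user: Optional[str]
    host: str
    path: str

def valid_hostname(host: str) -> bool:
    """True only for a syntactically valid DNS host name (IPv4 literals also pass)."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)

def parse_cvsroot(root: str) -> CvsRoot:
    """Parse ':ext:[user@]host:/path' (assumed layout) and reject anything whose
    host part is not a clean host name. Raises ValueError on bad input."""
    m = re.match(r"^:(ext):(?:([^@:/]+)@)?([^:/]+):(/.*)$", root)
    if not m:
        raise ValueError(f"unsupported or malformed CVSROOT: {root!r}")
    method, user, host, path = m.groups()
    if user is not None and not _USER.match(user):
        raise ValueError(f"bad user name in CVSROOT: {user!r}")
    if not valid_hostname(host):
        raise ValueError(f"bad host name in CVSROOT: {host!r}")
    return CvsRoot(method, user, host, path)

def is_safe_cvsroot(root: str) -> bool:
    """Convenience wrapper: True when the CVSROOT passes every check above."""
    try:
        parse_cvsroot(root)
        return True
    except ValueError:
        return False
```

The check only covers the `:ext:` method; other methods are rejected outright so that nothing unexpected reaches the client unchecked.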

Impact

A remote attacker, by enticing a user to clone a specially crafted repository, could possibly execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All CVS users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-vcs/cvs-1.12.12-r12"

References

Release date
September 24, 2017

Latest revision
September 24, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries