Vigil@nce: CVS, integer overflow via RCS
November 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can upload a malicious RCS file in a CVS repository,
in order to execute code on computers of CVS clients.
– Severity: 2/4
– Creation date: 29/10/2010
DESCRIPTION OF THE VULNERABILITY
An RCS (Revision Control System) file describes changes which
occurred on a file.
When an RCS file is localed in a repository, if the CVS client
does a "checkout" to create a local copy, the CVS client analyzes
the RCS file. The rcs.c code then processes changed lines, and
stores them in an array. However, the index of this array can
overflow, which corrupts the memory.
An attacker can therefore upload a malicious RCS file in a CVS
repository, in order to execute code on computers of CVS clients.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/CVS-integer-overflow-via-RCS-10085