CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly
handle malformed “Entry” lines, which prevents a NULL terminator from being
used and may lead to a denial of service (crash), modification of critical
program data, or arbitrary code execution.