vulnerabilities in CVS?
Hi!
Are we affected by this? I haven't seen any DSA.
On Mon, Sep 20, 2004 at 01:50:33PM +0000, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-04:14.cvs.asc Security Advisory
> The FreeBSD Project
>
> Topic: CVS
>
> Category: contrib
> Module: cvs
> Announced: 2004-09-19
> Credits: Stefan Esser, Sebastian Krahmer, Derek Price
> iDEFENSE
> Affects: All FreeBSD versions
> Corrected: 2004-06-29 16:10:50 UTC (RELENG_4)
> 2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
> 2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
> 2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
> 2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
> CVE Name: CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418,
> CAN-2004-0778
> FreeBSD only: NO
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit
> <URL:http://www.freebsd.org/security/>.
>
> I. Background
>
> The Concurrent Versions System (CVS) is a version control system. It
> may be used to access a repository locally, or to access a `remote
> repository' using a number of different methods. When accessing a
> remote repository, the target machine runs the CVS server to fulfill
> client requests.
>
> II. Problem Description
>
> A number of vulnerabilities were discovered in CVS by Stefan Esser,
> Sebastian Krahmer, and Derek Price.
>
> . Insufficient input validation while processing "Entry" lines.
> (CAN-2004-0414)
>
> . A double-free resulting from erroneous state handling while
> processing "Argumentx" commands. (CAN-2004-0416)
>
> . Integer overflow while processing "Max-dotdot" commands.
> (CAN-2004-0417)
>
> . Erroneous handling of empty entries handled while processing
> "Notify" commands. (CAN-2004-0418)
>
> . A format string bug while processing CVS wrappers.
>
> . Single-byte buffer underflows while processing configuration files
> from CVSROOT.
>
> . Various other integer overflows.
>
> Additionally, iDEFENSE reports an undocumented command-line flag used
> in debugging does not perform input validation on the given path
> names.
>
> III. Impact
>
> CVS servers ("cvs server" or :pserver: modes) are affected by these
> vulnerabilities. They vary in impact but include information disclosure
> (the iDEFENSE-reported bug), denial-of-service (CAN-2004-0414,
> CAN-2004-0416, CAN-2004-0417 and other bugs), or possibly arbitrary code
> execution (CAN-2004-0418). In very special situations where the
> attacker may somehow influence the contents of CVS configuration files
> in CVSROOT, additional attacks may be possible.
>
> IV. Workaround
>
> Disable the use of remote CVS repositories.
>
> V. Solution
>
> Do one of the following:
>
> 1) Upgrade your vulnerable system to the RELENG_4 stable branch, or to
> the RELENG_5_2, RELENG_4_10, RELENG_4_9, or RELENG_4_8 security branch
> dated after the correction date.
>
> OR
>
> 2) Patch your present system:
>
> The following patches have been verified to apply to FreeBSD 4.8, 4.9,
> 4.10 and 5.2.1 systems. Note that one *must* have previously applied
> the patches pertaining to FreeBSD-SA-04:10.cvs in order to use these
> patches.
>
> Note that FreeBSD 4.10-STABLE systems built from sources dated
> 2004-06-29 16:20:00 UTC or later include cvs 1.11.17, which has all
> of these issues fixed. These patches should not be applied to those
> systems.
>
> a) Download the relevant patches from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/gnu/usr.bin/cvs
> # make obj && make depend && make && make install
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_4_10
> src/UPDATING 1.73.2.90.2.4
> src/sys/conf/newvers.sh 1.44.2.34.2.5
> src/contrib/cvs/lib/xsize.h 1.1.1.1.6.1
> src/contrib/cvs/src/commit.c 1.8.2.5.6.1
> src/contrib/cvs/src/cvs.h 1.11.2.6.6.1
> src/contrib/cvs/src/filesubr.c 1.6.2.4.6.1
> src/contrib/cvs/src/history.c 1.1.1.6.2.4.6.1
> src/contrib/cvs/src/modules.c 1.1.1.5.2.4.2.1
> src/contrib/cvs/src/server.c 1.13.2.5.6.3
> src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.6.1
> src/gnu/usr.bin/cvs/lib/config.h.proto 1.16.2.1.6.1
> RELENG_4_9
> src/UPDATING 1.73.2.89.2.13
> src/sys/conf/newvers.sh 1.44.2.32.2.13
> src/contrib/cvs/lib/xsize.h 1.1.1.1.8.1
> src/contrib/cvs/src/commit.c 1.8.2.5.4.1
> src/contrib/cvs/src/cvs.h 1.11.2.6.4.1
> src/contrib/cvs/src/filesubr.c 1.6.2.4.4.1
> src/contrib/cvs/src/history.c 1.1.1.6.2.4.4.1
> src/contrib/cvs/src/modules.c 1.1.1.5.2.3.4.2
> src/contrib/cvs/src/server.c 1.13.2.5.4.3
> src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.4.1
> src/gnu/usr.bin/cvs/lib/config.h.proto 1.16.2.1.4.1
> RELENG_4_8
> src/UPDATING 1.73.2.80.2.28
> src/sys/conf/newvers.sh 1.44.2.29.2.26
> src/contrib/cvs/lib/xsize.h 1.1.1.1.10.1
> src/contrib/cvs/src/commit.c 1.8.2.5.2.1
> src/contrib/cvs/src/cvs.h 1.11.2.6.2.1
> src/contrib/cvs/src/filesubr.c 1.6.2.4.2.1
> src/contrib/cvs/src/history.c 1.1.1.6.2.4.2.1
> src/contrib/cvs/src/modules.c 1.1.1.5.2.3.2.2
> src/contrib/cvs/src/server.c 1.13.2.5.2.3
> src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.2.1
> src/gnu/usr.bin/cvs/lib/config.h.proto 1.16.2.1.2.1
> RELENG_5_2
> src/UPDATING 1.282.2.18
> src/sys/conf/newvers.sh 1.56.2.17
> src/contrib/cvs/lib/xsize.h 1.1.1.1.12.1
> src/contrib/cvs/src/commit.c 1.13.4.1
> src/contrib/cvs/src/cvs.h 1.17.4.1
> src/contrib/cvs/src/filesubr.c 1.10.6.1
> src/contrib/cvs/src/history.c 1.1.1.10.6.1
> src/contrib/cvs/src/modules.c 1.1.1.8.6.3
> src/contrib/cvs/src/server.c 1.19.4.4
> src/contrib/cvs/src/wrapper.c 1.1.1.10.6.1
> src/gnu/usr.bin/cvs/lib/config.h.proto 1.17.2.1
> - -------------------------------------------------------------------------
>
> VII. References
>
> <URL: http://security.e-matters.de/advisories/092004.html >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (FreeBSD)
>
> iD8DBQFBTterFdaIBMps37IRAlkjAJ9jZ40PME0gr8b6DyS+h6zVHCxGTgCfdJN/
> JiKgPD2YDy378kBO3hYd8Ao=
> =qzxJ
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
--
.''`. Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `' http://www.debian.org/ports/kfreebsd-gnu
`-
Reply to: