Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» NetBSD » CVS multiple vulnerabilities

CVS multiple vulnerabilities

CVS has multiple vulnerabilities, ranging from remote execution of arbitrary code to denial of service. Most of the issues are when the CVS server is running in pserver mode.

  • Vendor: NetBSD
  • Vendor ID: 2005-006
  • Date: November 08, 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2005-006
=================================

Topic: Multiple vulnerabilities in CVS

Version: NetBSD-current: source prior to August 26, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
pkgsrc: CVS packages prior to 1.11.20nb2

Severity: Remote execution of arbitrary code, denial of service and
local privilege escalation

Fixed: NetBSD-current: August 26, 2005
NetBSD-3 branch: August 26, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: August 26, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: August 26, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: August 26, 2005
(1.6.3 will include the fix)
pkgsrc: cvs-1.11.20nb2 or higher
correct the issues


Abstract
========

CVS has multiple vulnerabilities, ranging from remote execution of
arbitrary code to denial of service. Most of the issues are when the
CVS server is running in pserver mode.


Technical Details
=================

There are multiple issues, summarised in the following list:

* A heap overflow is present in the handling of "Entry" lines for CVS
servers running in pserver mode. An attacker would require write
access to the repository to exploit this.

* Problem handling malformed "Entry" lines and empty data lines,
which could lead to a denial of service (crash), modification of
critical program data or arbitrary code execution.

* Double-free vulnerability in "error_prog_name" string leading to
remote execution of arbitrary code.

* Integer overflow in the "Max-dotdot" CVS protocol command resulting
in denial of service.

* The "serve_notify" function does not correctly handle empty data
lines. Using a crafted request an attacker could potentially
execute arbitrary system commands.

* An unspecified buffer overflow leading to remote execution of
arbitrary code.

* Insecure temporary file handling in cvsbug script which can lead to
local privilege escalation.

Most of the issues are enabled when running CVS server mode (e.g. pserver).

CVE: CAN-2004-0396, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417,
CAN-2004-0418, CAN-2005-2693 and CAN-2005-0753


Solutions and Workarounds
=========================

If you run a CVS server we highly recommend you to upgrade your CVS
binary to 1.11.20, or 1.12.12 or higher. This can be accomplished by
upgrading CVS in the base distribution or alternatively, deleting your
CVS binaries and updating from pkgsrc. pkgsrc sources from 2005-08-27
in both HEAD and pkgsrc-2005Q2 contain the fix.

To check which version of CVS you are running enter "cvs -v" and look
for the version string.

The following instructions describe how to upgrade your CVS
binaries by updating your source tree and rebuilding and
installing a new version of CVS.

* NetBSD-current:

Systems running NetBSD-current dated from before 2005-08-25
should be upgraded to NetBSD-current dated 2005-08-26 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
gnu/dist/cvs
gnu/usr.bin/cvs

To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 2.0:

The binary distribution of NetBSD 2.0 is vulnerable.

NetBSD 2.1 and 2.0.3 include the fix.

Systems running NetBSD 2.0 sources dated from before
2005-08-25 should be upgraded from NetBSD 2.0 sources dated
2005-08-26 or later.

The following directories need to be updated from the
netbsd-2-0 CVS branch:
gnu/dist/cvs
gnu/usr.bin/cvs

To update from CVS, re-build, and re-install CVS:

# cd src
# cvs update -d -P -r netbsd-2-0 gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 1.6, 1.6.1, 1.6.2:

The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

NetBSD 1.6.3 will include the fix.

Systems running NetBSD 1.6 sources dated from before
2005-08-25 should be upgraded from NetBSD 1.6 sources dated
2005-08-26 or later.

NetBSD 1.6.3 will include the fix.

The following directories need to be updated from the
netbsd-1-6 CVS branch:
gnu/dist/cvs
gnu/usr.bin/cvs

To update from CVS, re-build, and re-install CVS:

# cd src
# cvs update -d -P -r netbsd-1-6 gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


Thanks To
=========

Sebastian Krahmer and
Stefan Esser Discovery and notification

Jun-ichiro "itojun" Hagino Initial research, fix and documentation

Matthias Scheler and
Takahiro Kambe Further fixes


Revision History
================

2005-10-31 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-006.txt,v 1.7 2005/10/31 06:40:04 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKaj5Ru2/4N2IFAQKE4wP+KuycCCEBHqibLLE2k/Cv0RjDN3F9Ld9M
gLFySxpFwfYVkHAqs9J8A37qf6e07LbPQah8k89Rcy1lxhjKYzKXRsTWScLtZJcN
aZwGspv8lKQ5NUs+mWsf3FG1nSicroLgVwDbqOOQGp21zgPIGYecUnLfZ8vuD2jI
/XHPuVAQVsk=
=PcVV
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »