SecurityTracker.com
Category:   Application (Generic)  >   CVS
Vendors:   GNU [multiple authors]
(Vendor Issues Fix) Re: Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges
SecurityTracker Alert ID:  1004380
SecurityTracker URL:  http://securitytracker.com/id/1004380
CVE Reference:   CVE-2002-0844
Updated:  Jan 15 2004
Original Entry Date:  May 25 2002
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  
Version(s): 1.11
Description:   A buffer overflow vulnerability has been reported in the Concurrent Versions System (CVS) daemon. A local user may be able to execute arbitrary code with the privileges of the CVS process.

The flaw reportedly resides in the 'cvs-1.11/src/rcs.c' file, where a sscanf() call specifies that up to 16 bytes should be read from the 'info->data' variable into the variable 'devtype[16]', which has room for only 15 bytes plus the terminating NUL. Because sscanf() appends the NUL after the bytes it reads, a 16-byte value causes one byte to be written past the end of the buffer. The 'info->data' variable is apparently based on the contents of a symlinked file on the local system. A local user could create a special value for the contents of this file to trigger the CVS buffer overflow and execute arbitrary code.
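The off-by-one described above, shown beside a corrected parse, as an added example that is not CVS source code. Only the names 'devtype' and the 16-byte size come from this advisory; the format strings, function names and sample inputs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEVTYPE_LEN 16   /* size of devtype[] per the advisory */

/* Flawed pattern (field width == buffer size), run against an oversized
 * backing array so the stray write is observable without corrupting memory.
 * Returns the highest index sscanf() wrote, or -1 if nothing matched.
 * Any result >= DEVTYPE_LEN would be out of bounds for char devtype[16]. */
int last_index_written_width16(const char *data)
{
    unsigned char backing[DEVTYPE_LEN + 8];
    int i, last = -1;

    memset(backing, 0x7f, sizeof backing);        /* sentinel fill */
    if (sscanf(data, "%16s", (char *)backing) != 1)
        return -1;
    for (i = 0; i < (int)sizeof backing; i++)
        if (backing[i] != 0x7f)
            last = i;
    return last;
}

/* Corrected pattern: the width is DEVTYPE_LEN - 1, leaving room for the NUL.
 * Returns 0 on success, -1 if there is no token or the token is too long. */
int parse_devtype(const char *data, char devtype[DEVTYPE_LEN])
{
    int consumed = 0;

    if (sscanf(data, "%15s%n", devtype, &consumed) != 1)
        return -1;
    /* If the next input byte is not a separator, the token was cut short:
     * reject it instead of silently truncating. */
    if (data[consumed] != '\0' && !isspace((unsigned char)data[consumed]))
        return -1;
    return 0;
}

int main(void)
{
    char devtype[DEVTYPE_LEN];
    const char *ok = "block 8";                   /* constructed input */
    const char *longval = "AAAAAAAAAAAAAAAAAAAA"; /* constructed, 20 bytes */

    printf("width 16, long input: last index %d\n", last_index_written_width16(longval));
    printf("width 15, short input: %d\n", parse_devtype(ok, devtype));
    printf("width 15, long input: %d\n", parse_devtype(longval, devtype));
    return 0;
}
```

For auditing other code, the same check applies to any `%Ns` or `%N[` conversion: N must be at most the destination size minus one.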

Impact:   A local user could cause the CVS server to execute arbitrary code with the privileges of the CVS daemon.
Solution:   The author of the report indicates that this bug has been silently fixed in version 1.11.2.

[Editor's note: It appears that the change log for 1.11.2 does not mention this bug fix.]

Vendor URL:  www.gnu.org/software/cvs/cvs.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 25 2002 Concurrent Versions System (CVS) Off-by-one Buffer Overflow May Let Local Users Execute Arbitrary Code to Gain Elevated Privileges



 Source Message Contents

Subject:  addition: CVS off by one


silently fixed in 1-1.2.
must have applied the patch before even we knew about it. :>



 
 



Copyright 2020, SecurityGlobal.net LLC