SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CVS Vendors:   GNU [multiple authors]
(OpenBSD Issues Fix) Re: Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1005956
SecurityTracker URL:  http://securitytracker.com/id/1005956
CVE Reference:   CVE-2003-0015   (Links to External Site)
Date:  Jan 21 2003
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.11.4 and prior versions
Description:   A vulnerability was reported in Concurrent Versions System (CVS). A remote user can execute arbitrary code on the system to gain access to the server.

e-matters reported that a remote user can send a malformed directory name as part of a Directory request to cause a global pointer variable to be freed with no value subsequently assigned to the variable. When the next Directory request is processed, the unassigned variable may be freed.

A remote user can exploit this to execute arbitrary code or shell commands. The privileges that the code will execute with depend on the configuration of the server. In some cases, the code may run with root privileges. According to the report, if the CVSROOT/passwd is left writeable to the CVS user, a remote root compromise can occur.

It is also reported that a remote authenticated user with write access can invoke the Update-prog and Checkin-prog commands to execute arbitrary shell commands on the server. According to the report, this feature is not well documented and may be unknown to most administrators. In addition, it reportedly cannot be disabled in the configuration files.

Impact:   A remote user may be able to execute arbitrary code on the system. The code will run with privileges that depend on the configuration of the system.
Solution:   OpenBSD has issued the following patches:

OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/006_cvs.patch


OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/020_cvs.patch

Vendor URL:  ccvs.cvshome.org/servlets/NewsItemView?newsID=51 (Links to External Site)
Cause:   Resource error, State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.1, 3.2

Message History:   This archive entry is a follow-up to the message listed below.
Jan 20 2003 Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System



 Source Message Contents

Subject:  OpenBSD cvs patch


SECURITY FIX: January 20, 2003

A double free in cvs(1) could allow an attacker to execute code with the privileges of the user
running cvs. This is only an issue when the cvs command is being run on a user's behalf as a
different user. This means that, in most cases, the issue only exists for cvs configurations that
use the pserver client/server connection method. A source code patch exists which remedies the
problem:

OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/006_cvs.patch


OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/020_cvs.patch


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC