SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CVS Vendors:   GNU [multiple authors]
(Conectiva Issues Revised Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1005976
SecurityTracker URL:  http://securitytracker.com/id/1005976
CVE Reference:   CVE-2003-0015   (Links to External Site)
Updated:  Jan 23 2003
Original Entry Date:  Jan 23 2003
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.11.4 and prior versions
Description:   A vulnerability was reported in Concurrent Versions System (CVS). A remote user can execute arbitrary code on the system to gain access to the server.

e-matters reported that a remote user can send a malformed directory name as part of a Directory request to cause a global pointer variable to be freed with no value subsequently assigned to the variable. When the next Directory request is processed, the unassigned variable may be freed.

A remote user can exploit this to execute arbitrary code or shell commands. The privileges that the code will execute with depend on the configuration of the server. In some cases, the code may run with root privileges. According to the report, if the CVSROOT/passwd is left writeable to the CVS user, a remote root compromise can occur.

It is also reported that a remote authenticated user with write access can invoke the Update-prog and Checkin-prog commands to execute arbitrary shell commands on the server. According to the report, this feature is not well documented and may be unknown to most administrators. In addition, it reportedly cannot be disabled in the configuration files.

Impact:   A remote user may be able to execute arbitrary code on the system. The code will run with privileges that depend on the configuration of the system.
Solution:   Conectiva has released a revised fix. The previous fix described in CLA-2003:560 corrected the flaw but introduced other problems.

The new fixed files are:

ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/cvs-1.10.8-5U60_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-doc-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cvs-1.11-7U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-1.11-7U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-doc-1.11-7U70_3cl.i386.r
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cvs-1.11-9U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-1.11-9U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-doc-1.11-9U80_3cl.i386.rpm

Vendor URL:  ccvs.cvshome.org/servlets/NewsItemView?newsID=51 (Links to External Site)
Cause:   Resource error, State error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  6.0, 7.0, 8

Message History:   This archive entry is a follow-up to the message listed below.
Jan 20 2003 Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System



 Source Message Contents

Subject:  [conectiva-updates] [CLA-2003:561] Conectiva Linux Security Announcement - cvs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : cvs
SUMMARY   : Update: cvs remote double free() vulnerability
DATE      : 2003-01-23 10:54:00
ID        : CLA-2003:561
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 CVS is a version control system largely used in software projects.
 
 During a code audit, Stefan Esser discovered a double free()
 vulnerability[2][3] in the CVS code. This vulnerability can be
 exploited by remote users, authenticated or anonymous, to execute
 arbitrary commands on the server.
 
 Please note that users with write access to CVS (the so called
 "commiters") usually already have shell access on the server, or can
 easily get shell access as has already been discussed elsewhere[4].
 
 Besides fixing the double free vulnerability, the new packages
 provided with this update now have the Checkin-prog and Update-prog
 commands disabled.
 
 
 UPDATE
 The previous CVS update (CLSA-2003:560), while indeed fixing the
 security vulnerability, introduced problems which prevented it from
 being used due to the way the Checkin-prog and Update-prog commands
 where disabled. This has now been fixed.


SOLUTION
 It is recommended that all CVS administrators upgrade their packages
 immediately.
 
 
 REFERENCES
 1. http://www.cvshome.org/
 2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
 3. http://security.e-matters.de/advisories/012003.html
 4. http://online.securityfocus.com/archive/1/72584
 5. http://bugzilla.conectiva.com/show_bug.cgi?id=7507


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/cvs-1.10.8-5U60_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/cvs-doc-1.10.8-5U60_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/cvs-1.11-7U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-1.11-7U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/cvs-doc-1.11-7U70_3cl.i386.r
ftp://atualizacoes.conectiva.com.br/8/SRPMS/cvs-1.11-9U80_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-1.11-9U80_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/cvs-doc-1.11-9U80_3cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+MBLu42jd0JmAcZARApo8AKDKkKCiakoMGN50SmS26obBUn2/VgCg4vAB
g4r9oSn0j9g4KTo3q2LQH98=
=rn0z
-----END PGP SIGNATURE-----



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC