SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   CVS
Vendors:   GNU [multiple authors]
(OpenBSD Issues Fix) CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010454
SecurityTracker URL:  http://securitytracker.com/id/1010454
CVE Reference:   CVE-2004-0414, CVE-2004-0416, CVE-2004-0417, CVE-2004-0418
Date:  Jun 10 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): stable release 1.11.16 and prior versions; feature release 1.12.8 and prior versions
Description:   Several vulnerabilities were reported in CVS. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters reported that an audit performed by e-matters and by Sebastian Krahmer from SuSE has uncovered several flaws.

The report also indicated that Derek Robert Price discovered a null-termination issue regarding "Entry" lines [CVE: CVE-2004-0414] that was introduced by a previous CVS security patch. A remote user can execute arbitrary code on the target system.

It is reported that the error_prog_name() function contains a double-free bug [CVE: CVE-2004-0416]. A remote user can invoke the 'Argumentx' command on an empty list to trigger the flaw and potentially execute arbitrary code.

It is also reported that the serve_notify() function does not properly process empty data lines [CVE: CVE-2004-0418]. A remote user can reportedly supply an empty data line to cause a buffer boundary error and possibly write a single byte outside of the buffer. Arbitrary code execution may be possible, the report said.

It is also reported that there are a variety of integer multiplication overflows [CVE: CVE-2004-0417].

Several other bugs were reported that can only be triggered by an authenticated user with CVSROOT commit access.

It is also reported that there is an integer overflow in serve_max_dotdot() that may allow a remote user to crash a forked CVS process. This may cause data to remain in the temporary file directory. On non-partitioned servers, a remote user may be able to consume all available disk space.
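The bug classes named above (a single-byte out-of-bounds write on an empty line, integer multiplication overflow in a size calculation, and memory misuse triggered by extending an empty argument list) each come down to a missing guard. The following C code is an added example showing one defensive guard per class; it is not code from CVS or from the advisory, and `struct arg_list` and every function name in it are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical argument list; names are illustrative, not taken from CVS. */
struct arg_list { char **items; size_t count; };

/* Strip one trailing newline and return the new length. An empty line is
 * left alone: with len == 0, line[len - 1] would address line[-1]. */
size_t strip_trailing_newline(char *line)
{
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n') line[--len] = '\0';
    return len;
}

/* Add a copy of s; the count check keeps (count + 1) * sizeof(char *) from wrapping. */
int arg_list_append(struct arg_list *l, const char *s)
{
    if (l->count >= SIZE_MAX / sizeof *l->items) return -1;
    char *copy = malloc(strlen(s) + 1);
    char **grown = copy ? realloc(l->items, (l->count + 1) * sizeof *grown) : NULL;
    if (grown == NULL) { free(copy); return -1; }
    l->items = grown;
    l->items[l->count++] = strcpy(copy, s);
    return 0;
}

/* Append "\n" + more to the last argument; an empty list is rejected up front. */
int arg_list_extend_last(struct arg_list *l, const char *more)
{
    if (l->count == 0) return -1;             /* nothing to extend */
    char **last = &l->items[l->count - 1];
    size_t a = strlen(*last), b = strlen(more);
    char *grown = (b > SIZE_MAX - 2 - a) ? NULL : realloc(*last, a + b + 2);
    if (grown == NULL) return -1;             /* *last is still valid here */
    grown[a] = '\n';
    memcpy(grown + a + 1, more, b + 1);       /* b + 1 copies the terminator */
    *last = grown;
    return 0;
}

/* Free everything and reset the list, so a repeated call frees nothing twice. */
void arg_list_clear(struct arg_list *l)
{
    while (l->count > 0) free(l->items[--l->count]);
    free(l->items);
    l->items = NULL;
}
```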

The vendor was reportedly notified on May 27, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/092004.txt

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause CVS to crash.

Solution:   OpenBSD has released a fix for OpenBSD-current and the 3.4 and 3.5 -stable branches.

Patches for OpenBSD 3.4 and 3.5 are also available at:

ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/023_cvs3.patch
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.5/common/011_cvs3.patch

Vendor URL:  www.cvshome.org/
Cause:   Boundary error, Input validation error, State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.4, 3.5

Message History:   This archive entry is a follow-up to the message listed below.
Jun 9 2004 CVS Has NULL Termination, Integer Overflow, and Double Free Bugs That Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  new CVS remote vulnerabilities


An audit of the cvs codebase performed by Stefan Esser and Sebastian
Krahmer has found some potential remote vulnerabilities in cvs.

While no exploits are known to exist for these bugs under OpenBSD
at this time, some of the bugs have proven exploitable on other
operating systems.  Therefore, we encourage users running cvs servers
to patch their systems.  Users running cvs clients (but not servers)
do not need to update.

The fixes have been committed to OpenBSD-current as well as the
3.4 and 3.5 -stable branches.

Patches against OpenBSD 3.4 and 3.5 are also available:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.4/common/023_cvs3.patch
    ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.5/common/019_cvs3.patch

For more details, please see:
    http://security.e-matters.de/advisories/092004.html


 
 



Copyright 2019, SecurityGlobal.net LLC