(OpenBSD Issues Fix) Re: Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID: 1005956
SecurityTracker URL: http://securitytracker.com/id/1005956
CVE Reference: CAN-2003-0015
Date: Jan 21 2003
Impact: Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.11.4 and prior versions
Description:
A vulnerability was reported in Concurrent Versions System (CVS). A remote user can execute arbitrary code on the system to gain access to the server.
e-matters reported that a remote user can send a malformed directory name as part of a Directory request, causing a global pointer variable to be freed without a new value being assigned to it. When the next Directory request is processed, the variable, which still holds the freed address, may be freed a second time.
A remote user can exploit this to execute arbitrary code or shell commands. The privileges that the code will execute with depend on the configuration of the server. In some cases, the code may run with root privileges. According to the report, if the CVSROOT/passwd file is left writable by the CVS user, a remote root compromise can occur.
It is also reported that a remote authenticated user with write access can invoke the Update-prog and Checkin-prog commands to execute arbitrary shell commands on the server. According to the report, this feature is not well documented and may be unknown to most administrators. In addition, it reportedly cannot be disabled in the configuration files.
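The free-without-reassign pattern described above, as an added example (not CVS source code and not part of the advisory). The names `dir_name`, `handle_directory_vuln`, `handle_directory_fixed`, the validity rule and the request strings are hypothetical; a tracking shim counts the second release instead of passing it to `free()`, so the program runs without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Tracking shim: counts a repeated release instead of passing it to free(). */
static void *live[8];
static int double_frees;
static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) abort();
    strcpy(p, s);
    for (int i = 0; i < 8; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}
static void tracked_free(void *p) {
    if (p == NULL) return;                      /* like free(NULL): no-op */
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                             /* address already released */
}
static char *dir_name;                          /* global, kept between requests */
/* Stand-in validity rule (assumption, not CVS's real check): reject empty names. */
static int name_is_valid(const char *n) { return n[0] != '\0'; }
/* Pattern described in the advisory: free, then bail out before reassigning. */
static int handle_directory_vuln(const char *n) {
    tracked_free(dir_name);
    if (!name_is_valid(n)) return -1;           /* dir_name keeps the freed address */
    dir_name = tracked_strdup(n);
    return 0;
}
/* Hardened form: the global never holds a released address. */
static int handle_directory_fixed(const char *n) {
    tracked_free(dir_name);
    dir_name = NULL;
    if (!name_is_valid(n)) return -1;
    dir_name = tracked_strdup(n);
    return 0;
}
/* Replays valid, malformed, valid requests (constructed); returns double frees seen. */
static int replay(int (*handler)(const char *)) {
    const char *reqs[] = { "src", "", "doc" };
    double_frees = 0;
    for (int i = 0; i < 3; i++) handler(reqs[i]);
    tracked_free(dir_name); dir_name = NULL;    /* end of session */
    return double_frees;
}
int main(void) {
    printf("vulnerable: %d double free(s)\n", replay(handle_directory_vuln));
    printf("hardened:   %d double free(s)\n", replay(handle_directory_fixed));
    return 0;
}
```

Clearing the pointer immediately after the release is what makes the later `free` a harmless no-op on the error path.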
Impact:
A remote user may be able to execute arbitrary code on the system. The code will run with privileges that depend on the configuration of the system.
Solution:
OpenBSD has issued the following patches:
OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/006_cvs.patch
OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/020_cvs.patch
Vendor URL: ccvs.cvshome.org/servlets/NewsItemView?newsID=51
Cause: Resource error, State error
Underlying OS: UNIX (OpenBSD)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 21 Jan 2003 09:34:06 -0500
Subject: OpenBSD cvs patch
SECURITY FIX: January 20, 2003
A double free in cvs(1) could allow an attacker to execute code with the privileges of the user
running cvs. This is only an issue when the cvs command is being run on a user's behalf as a
different user. This means that, in most cases, the issue only exists for cvs configurations that
use the pserver client/server connection method. A source code patch exists which remedies the
problem:
OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/006_cvs.patch
OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/020_cvs.patch