SecurityTracker: (Slackware Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > CVS

Vendors: GNU [multiple authors]

(Slackware Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System

SecurityTracker Alert ID: 1005968

SecurityTracker URL: http://securitytracker.com/id/1005968

CVE Reference: CAN-2003-0015 (Links to External Site)

Date: Jan 23 2003

Impact: Execution of arbitrary code via network, Root access via network, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 1.11.4 and prior versions

Description: A vulnerability was reported in Concurrent Versions System (CVS). A remote user can execute arbitrary code on the system to gain access to the server.

e-matters reported that a remote user can send a malformed directory name as part of a Directory request to cause a global pointer variable to be freed with no value subsequently assigned to the variable. When the next Directory request is processed, the unassigned variable may be freed.

A remote user can exploit this to execute arbitrary code or shell commands. The privileges that the code will execute with depend on the configuration of the server. In some cases, the code may run with root privileges. According to the report, if the CVSROOT/passwd is left writeable to the CVS user, a remote root compromise can occur.

It is also reported that a remote authenticated user with write access can invoke the Update-prog and Checkin-prog commands to execute arbitrary shell commands on the server. According to the report, this feature is not well documented and may be unknown to most administrators. In addition, it reportedly cannot be disabled in the configuration files.

Impact: A remote user may be able to execute arbitrary code on the system. The code will run with privileges that depend on the configuration of the system.

Solution: Slackware has released a fix.

Updated cvs package for Slackware 8.1:

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.5-i386-1.tgz

Updated cvs package for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.5-i386-1.tgz

The MD5 checksums are:

Slackware 8.1:

37d76c774c9474bf0117d429d6c3740e cvs-1.11.5-i386-1.tgz

Slackware -current:

c43d82187dfa695aa53aaf5b4d3050a1 cvs-1.11.5-i386-1.tgz

Vendor URL: ccvs.cvshome.org/servlets/NewsItemView?newsID=51 (Links to External Site)

Cause: Resource error, State error

Underlying OS: Linux (Slackware)

Message History: This archive entry is a follow-up to the message listed below.

Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System

Source Message Contents

Date: Tue, 21 Jan 2003 14:26:20 -0800 (PST)
Subject: [slackware-security] New CVS packages available



New cvs packages are available to fix a security vulnerability.

Here are the details from the Slackware 8.1 ChangeLog:

----------------------------
Tue Jan 21 13:12:20 PST 2003
patches/packages/cvs-1.11.5-i386-1.tgz:  Upgraded to cvs-1.11.5.
   This release fixes a major security vulnerability in the CVS server
   by which users with read only access could gain write access.
   Details should be available at this URL (but don't seem to be yet):
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015
   (* Security fix *)
----------------------------


WHERE TO FIND THE NEW PACKAGE:
------------------------------
Updated cvs package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.5-i386-1.tgz

Updated cvs package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.5-i386-1.tgz


MD5 SIGNATURE:
--------------

Here is the md5sum for the package:

Slackware 8.1:
37d76c774c9474bf0117d429d6c3740e  cvs-1.11.5-i386-1.tgz

Slackware -current:
c43d82187dfa695aa53aaf5b4d3050a1  cvs-1.11.5-i386-1.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

As root, upgrade to the new cvs.tgz package:
# upgradepkg cvs.tgz

Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com


+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC