(Immunix Issues Fix) Concurrent Versions System (CVS) Double-Free Bug Lets Remote Users Execute Arbitrary Code on the System
|
|
SecurityTracker Alert ID: 1006526 |
|
SecurityTracker URL: http://securitytracker.com/id/1006526
|
|
CVE Reference:
CAN-2003-0015
(Links to External Site)
|
Date: Apr 9 2003
|
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.11.4 and prior versions
|
Description:
A vulnerability was reported in Concurrent Versions System (CVS). A remote user can execute arbitrary code on the system to gain access to the server.
e-matters reported that a remote user can send a malformed directory name as part of a Directory request to cause a global pointer variable to be freed with no value subsequently assigned to the variable. When the next Directory request is processed, the unassigned variable may be freed.
A remote user can exploit this to execute arbitrary code or shell commands. The privileges that the code will execute with depend on the configuration of the server. In some cases, the code may run with root privileges. According to the report, if the CVSROOT/passwd is left writeable to the CVS user, a remote root compromise can occur.
It is also reported that a remote authenticated user with write access can invoke the Update-prog and Checkin-prog commands to execute arbitrary shell commands on the server. According to the report, this feature is not well documented and may be unknown to most administrators. In addition, it reportedly cannot be disabled in the configuration files.
|
Impact:
A remote user may be able to execute arbitrary code on the system. The code will run with privileges that depend on the configuration of the system.
|
Solution:
Immunix has released a fix for Immunix 7+, available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/cvs-1.11.1p1-4_imnx_2.i386.rpm
Immunix OS 7+ md5sums:
543c97b146ef652d2a8497e83822ffc2 cvs-1.11.1p1-4_imnx_2.i386.rpm
The vendor notes that ImmunixOS 6.2 and 7.0 are no longer officially supported.
|
Vendor URL: ccvs.cvshome.org/servlets/NewsItemView?newsID=51 (Links to External Site)
|
Cause:
Resource error, State error
|
Underlying OS:
Linux (Immunix)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 7 Apr 2003 12:25:31 -0700
Subject: [Immunix-announce] Immunix Secured OS 7+ cvs update
|
--===============72785467540597182==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="M9NhX3UHpAaciwkO"
Content-Disposition: inline
--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: cvs
Affected products: ImmunixOS 7.0, 7+
Bugs fixed: CAN-2003-0015
Date: Wed Apr 2 2003
Advisory ID: IMNX-2003-7+-004-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Stefan Esser discovered a double free() bug in CVS that can be
remotely exploited by anonymous users to gain write access to the CVS
repository. This write access can be converted into execute access
using the CVS protocol commands "Checkin-prog" and "Update-prog".
Igor Dobrovitski: "The impact of a successful exploitation is not
that great: an unprivileged access to the system, where your calls to
getuid() will return a number that's far from 0 (cvs drops provileges,
and does it right)."
We did not disable the Checkin-prog and Update-prog protocol commands;
be aware that granting CVS write access is tantamount to also giving
execute access on the repository.
References: http://security.e-matters.de/advisories/012003.html
http://www.securityfocus.com/archive/1/309913/2003-02-01/2003-02-04/0
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/cvs-1.11.1p1-4_imnx=
_2.i386.rpm
Immunix OS 7+ md5sums:
543c97b146ef652d2a8497e83822ffc2 cvs-1.11.1p1-4_imnx_2.i386.rpm
GPG verification: =
=20
Our public key is available at <http://wirex.com/security/GPG_KEY>. =
=20
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX=20
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--M9NhX3UHpAaciwkO
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj6R0KoACgkQVQcWL60UVMteagCfQjhkIKaFutcneCfVUFrI714g
AGIAn3vk+itixReDX88Fn3Loucx2DLWe
=5lLI
-----END PGP SIGNATURE-----
--M9NhX3UHpAaciwkO--
--===============72785467540597182==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce
--===============72785467540597182==--
|
|
