(Slackware Issues Fix) CVS Server Piped Checkout Input Validation Flaw Discloses RCS Files to Remote Authenticated Users
|
|
SecurityTracker Alert ID: 1009859 |
|
SecurityTracker URL: http://securitytracker.com/id/1009859
|
|
CVE Reference:
CAN-2004-0405
(Links to External Site)
|
Date: Apr 19 2004
|
Impact:
Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.11.15
|
Description:
A vulnerability was reported in CVS. A remote authenticated user may be able to view arbitrary RCS files on the server.
It is reported that a remote authenticated user can invoke a piped checkout of paths above $CVSROOT to view the contents of RCS archive files anywhere on a CVS server. This flaw can reportedly be triggered using relative pathnames containing the '../' directory traversal strings.
Debian credited Derek Robert Price with discovering this flaw.
|
Impact:
A remote authenticated user can view RCS files located anywhere on the target system.
|
Solution:
Slackware has released a fix.
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.15-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/cvs-1.11.15-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/cvs-1.11.15-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.15-i486-1.tgz
The MD5 signatures are:
Slackware 8.1 package:
e8ba67add4c86d0bd8b7dc1ce265752a cvs-1.11.15-i386-1.tgz
Slackware 9.0 package:
177b19dd98655f6811053f29286e4ab7 cvs-1.11.15-i386-1.tgz
Slackware 9.1 package:
80a99f7f4e2606d6c45ad60614cef81b cvs-1.11.15-i486-1.tgz
Slackware -current package:
6e6cbad9deab1a53c1543c72d0acad1c cvs-1.11.15-i486-1.tgz
|
Vendor URL: www.cvshome.org/ (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Linux (Slackware)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Sun, 18 Apr 2004 16:40:41 -0700 (PDT)
Subject: [slackware-security] cvs security update (SSA:2004-108-02)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] cvs security update (SSA:2004-108-02)
CVS is a client/server version control system. As a server, it
is used to host source code repositories. As a client, it is
used to access such repositories. This advisory affects both uses
of CVS.
A security problem which could allow a server to create arbitrary
files on a client machine, and another security problem which may
allow a client to view files outside of the CVS repository have
been fixed with the release of cvs-1.11.15.
Any sites running CVS should upgrade to the new CVS package.
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Sat Apr 17 14:09:23 PDT 2004
patches/packages/cvs-1.11.15-i486-1.tgz: Upgraded to cvs-1.11.15.
Fixes two security problems (server creating arbitrary files on a client
machine, and client viewing files outside of the CVS repository).
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0405
(* Security fix *)
+--------------------------+
WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.15-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/cvs-1.11.15-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/cvs-1.11.15-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.15-i486-1.tgz
MD5 SIGNATURES:
+-------------+
Slackware 8.1 package:
e8ba67add4c86d0bd8b7dc1ce265752a cvs-1.11.15-i386-1.tgz
Slackware 9.0 package:
177b19dd98655f6811053f29286e4ab7 cvs-1.11.15-i386-1.tgz
Slackware 9.1 package:
80a99f7f4e2606d6c45ad60614cef81b cvs-1.11.15-i486-1.tgz
Slackware -current package:
6e6cbad9deab1a53c1543c72d0acad1c cvs-1.11.15-i486-1.tgz
INSTALLATION INSTRUCTIONS:
+------------------------+
First, shut down the cvs server if you are running one.
Then, upgrade the package:
# upgradepkg cvs-1.11.10-i486-1.tgz
Finally, restart the CVS server.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back. Follow the instructions to |
| complete the unsubscription. Do not reply to this message to |
| unsubscribe! |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAgbJSakRjwEAQIjMRAm2MAJ0dp/2OgYp9Bp9glVCncULikT9+EgCgkarc
C2lF1sQRWvJynY70L5hQP0Y=
=emVX
-----END PGP SIGNATURE-----
|
|
