OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

regrep message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: [regrep] FW: CERT Advisory CA-2003-02 Double-Free Bug in CVS Server



FYI.

I am sending this out because I know you have begun to use CVS archive
utilities with the stuff posted at SourceForge.

Joel Munter, Intel
desk: 480.552.3076
cell:  602.790.0924

-----Original Message-----
From: CERT Advisory [mailto:cert-advisory@cert.org]
Sent: Wednesday, January 22, 2003 4:57 PM
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2003-02 Double-Free Bug in CVS Server


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-02 Double-Free Bug in CVS Server

   Original issue date: January 22, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

     * Systems running CVS Home project versions of CVS prior to 1.11.5
     * Operating system distributions that provide CVS
     * Source code repositories managed by CVS
     * For detailed vendor status information, see VU#650937:

         <http://www.kb.cert.org/vuls/id/650937#systems>


Overview

   A  "double-free" vulnerability in the Concurrent Versions System
(CVS)
   server  could allow an unauthenticated, remote attacker with
read-only
   access  to  execute  arbitrary  code,  alter  program  operation,
read
   sensitive information, or cause a denial of service.


I. Description

   CVS  is a version control and collaboration system that is widely
used
   by   open-source   software  development  projects.  CVS  is
commonly
   configured  to  allow  public,  anonymous,  read-only  access  via
the
   Internet.

   The  CVS  server component contains a "double-free" vulnerability
that
   can  be  triggered  by  a set of specially crafted directory
requests.
   While processing these requests, an error-checking routine may
attempt
   to  free()  the same memory reference more than once. Deallocating
the
   already freed memory leads to heap corruption, which an attacker
could
   leverage to execute arbitrary code, alter the logical operation of
the
   CVS server program, or read sensitive information stored in memory.
In
   most  cases,  heap  corruption  will  result  in a segmentation
fault,
   causing a denial of service.

   The  CVS  server process is typically started by the Internet
services
   daemon  (inetd) and runs with root privileges. Arbitrary code
inserted
   by an attacker would therefore run with root privileges.

   The CERT/CC is tracking this issue as VU#650937:

     <http://www.kb.cert.org/vuls/id/650937>

   This reference number corresponds to CVE candidate CAN-2002-0059:

     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015>

   This issue was researched and reported by Stefan Esser of
   e-matters:

     <http://security.e-matters.de/advisories/012003.html>


II. Impact

   Depending   on   configuration,   operating   system,   and
platform
   architecture,  a remote attacker with anonymous, read-only access to
a
   vulnerable   CVS  server  could  execute  arbitrary  code,  alter
the
   operation  of the server program, read sensitive information, or
cause
   a  denial of service. There is also a significant secondary impact.
An
   attacker  who  is  able  to  compromise  a  CVS  server  could
modify
   source-code repositories to contain Trojan horses, backdoors, or
other
   malicious code.


III. Solution

Apply a patch or upgrade

   Apply  the  appropriate  patch or upgrade as specified by your
vendor.
   See  Appendix  A.  below and the Systems Affected section of
VU#650937
   for further information:

     <http://www.kb.cert.org/vuls/id/650937#systems>

Disable or restrict anonymous CVS access

   As  a  temporary solution until patches or upgrades can be applied,
or
   to  improve the security of CVS servers in the long term, consider
the
   following workarounds and configurations:

     * Disable anonymous CVS server access completely.

     * Block  or  restrict access to CVS servers from untrusted hosts
and
       networks.  Anonymous  access  to CVS servers using :cvspserver:
is
       typically provided on port 2401/tcp.

     * Configure CVS servers to run in restricted (chroot) environments.

     * Host CVS servers on single-purpose, secured systems.

   These  workarounds  and  configurations are not complete solutions
and
   will  not  prevent  exploitation of this vulnerability. Other
features
   inherent  in  CVS  may  give anonymous users the ability to gain
shell
   access.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When
vendors
   report  new  information,  this section is updated and the changes
are
   noted  in  the  revision  history. If a vendor is not listed below,
we
   have  not  received  their  comments.  The Systems Affected section
of
   VU#650937 contains additional vendor status information:

    <http://www.kb.cert.org/vuls/id/650937#systems>

Conectiva

     Conectiva  Linux is affected by this issue and updated packages are
     available at <ftp://atualizacoes.conectiva.com.br/>:
     
     6.0/SRPMS/cvs-1.10.8-5U60_3cl.src.rpm
     6.0/RPMS/cvs-1.10.8-5U60_3cl.i386.rpm
     6.0/RPMS/cvs-doc-1.10.8-5U60_3cl.i386.rpm
     7.0/SRPMS/cvs-1.11-7U70_2cl.src.rpm
     7.0/RPMS/cvs-1.11-7U70_2cl.i386.rpm
     7.0/RPMS/cvs-doc-1.11-7U70_2cl.i386.rpm
     8/SRPMS/cvs-1.11-9U80_2cl.i386.rpm
     8/RPMS/cvs-1.11-9U80_2cl.i386.rpm
     8/RPMS/cvs-doc-1.11-9U80_2cl.i386.rpm
     
     An official announcement is pending and will show up in our updates
     website at  <http://distro.conectiva.com.br/atualizacoes?idioma=en>
     shortly.

Cray Inc.

     Cray  Inc.  supports  CVS  through  their  Cray Open Software (COS)
     package.  COS  3.3  and  earlier  is  vulnerable. A new CVS will be
     available   shortly.   Please   contact  your  local  Cray  service
     representative if you need this new package.

CVS Home

     CVS  release  1.11.5  addresses  this  issue  for  CVS servers. CVS
     clients are not affected.

Debian

     Debian has updated their distribution with DSA 233.
     <http://www.debian.org/security/2003/dsa-233>

     For  the stable distribution (woody) this problem has been fixed in
     version 1.11.1p1debian-8.1.

     For  the  old  stable  distribution  (potato) this problem has been
     fixed in version 1.10.7-9.2.

     For  the  unstable  distribution  (sid)  this problem will be fixed
     soon.

Hewlett-Packard

     SOURCE:  Hewlett-Packard Company and Compaq Computer Corporation, a
     wholly-owned subsidiary of Hewlett-Packard Company
     
     RE: x-reference SSRT3463
     
     Not Vulnerable:
     
     HP-UX
     HP-MPE/ix
     HP Tru64 UNIX
     HP NonStop Servers
     HP OpenVMS
     
     To  report  any  security  issue  for any HP software products send
     email to <security-alert@hp.com>

IBM

     The  AIX  operating  system does not ship with CVS. However, CVS is
     available for installation on AIX from the Linux Affinity Toolbox.

     CVS  versions  1.11.1p1-2  and earlier are vulnerable to the issues
     discussed  in  CERT Vulnerability Note VU#650937 and any advisories
     which follow.

     Users are advised to download CVS 1.11.1p1-3 from:

     <ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/
     cvs/cvs-1.11.1p1-3.aix4.3.ppc.rpm>
     
     Please note that the above address was wrapped to two lines.

     CVS  1.11.1p1-3  contains  the security fixes made in CVS 1.11.5 to
     address these issues.

     This software is offered on an "as-is" basis.

Openwall GNU/*/Linux

     We  don't  yet  re-distribute  CVS  in Openwall GNU/*/Linux. We do,
     however,  provide  public  anonymous  CVS  access  to a copy of our
     repository,  hosted  off  a  separate machine and in a chroot jail.
     This  kind  of vulnerabilities in CVS was expected, and our anoncvs
     setup  is  mostly  resistant  to  them:  read-only  access  to  the
     repository  is  achieved  primarily  with  the  use of regular Unix
     permissions,  not  controls  built  into CVS. CVS LockDir option is
     used  to  direct  CVS  lock  files  to  a  separate directory tree,
     actually  writable  to  the  pseudo-user. Nevertheless, the anoncvs
     server  has  been  upgraded  to CVS 1.11.5 a few hours after it was
     released.

Red Hat, Inc.

     Red  Hat Linux and Red Hat Linux Advanced Server shipped with a cvs
     package  vulnerable  to  these  issues.  New  cvs  packages are now
     available  along  with our advisory at the URLs below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Linux Advanced Server:

     <http://rhn.redhat.com/errata/RHSA-2003-013.html>

     Red Hat Linux:

     <http://rhn.redhat.com/errata/RHSA-2003-013.html>

Sun Microsystems Inc.

     Sun  does not include CVS with Solaris and therefore Solaris is not
     affected by this issue.

     Sun  Linux,  versions  5.0.3 and below, does ship with a vulnerable
     CVS  package.  Sun  recommends  that  CVS  services  be disabled on
     affected  Sun  Linux  systems  until patches are available for this
     issue.

     Sun  will  be  publishing  a Sun Alert for Sun Linux describing the
     patch information which will be available from:

     <http://sunsolve.Sun.COM>


Appendix B. References

     * CERT/CC Vulnerability Note VU#650937 -
       <http://www.kb.cert.org/vuls/id/650937>
     * e-matters Advisory 01/2003 -
       <http://security.e-matters.de/advisories/012003.html>

     _________________________________________________________________

   This vulnerability was reported by Stefan Esser of e-matters.
     _________________________________________________________________

   Author: Art Manion.
 
______________________________________________________________________

   This document is available from:
   <http://www.cert.org/advisories/CA-2003-02.html>
 
______________________________________________________________________

CERT/CC Contact Information

   Email: <cert@cert.org>
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)
/
   EDT(GMT-4)  Monday  through  Friday;  they are on call for
emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by
email.
   Our public PGP key is available from
   <http://www.cert.org/CERT_PGP.key>

   If  you  prefer  to  use  DES,  please  call the CERT hotline for
more
   information.

Getting security information

   CERT  publications  and  other security information are available
from
   our web site
   <http://www.cert.org/>

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to <majordomo@cert.org>. Please include in the body of
   your message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the
U.S.
   Patent and Trademark Office.
 
______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the
Software
   Engineering  Institute  is  furnished  on  an  "as is" basis.
Carnegie
   Mellon University makes no warranties of any kind, either expressed
or
   implied  as  to  any matter including, but not limited to, warranty
of
   fitness  for  a  particular purpose or merchantability, exclusivity
or
   results  obtained from use of the material. Carnegie Mellon
University
   does  not  make  any warranty of any kind with respect to freedom
from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   January 22, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPi8vSmjtSoHZUTs5AQGr2wQAwBNBUDgbiDbXzF3CsqmOgzQUKrgKYWHJ
wbeH8Y+6Eiuha2bu/2JDBxYWOPdPUhu11USaa8fwg9k73yjVUCVeT+mRBTjVsw9k
9jwT96JtKj2aNyRT+KR4YAme0JzQCqgJD88B8Z6vCWdsMJXPKg1acjou2qNwbaqz
UCRRY26e5dk=
=FBp0
-----END PGP SIGNATURE-----


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Powered by eList eXpress LLC