Subject: NetBSD Security Advisory 2005-006: Multiple vulnerabilities in CVS
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 11/08/2005 09:57:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2005-006
=================================
Topic: Multiple vulnerabilities in CVS
Version: NetBSD-current: source prior to August 26, 2005
NetBSD 2.1: not affected
NetBSD 2.0.3: not affected
NetBSD 2.0.2: affected
NetBSD 2.0: affected
NetBSD 1.6.2: affected
NetBSD 1.6.1: affected
NetBSD 1.6: affected
pkgsrc: CVS packages prior to 1.11.20nb2
Severity: Remote execution of arbitrary code, denial of service and
local privilege escalation
Fixed: NetBSD-current: August 26, 2005
NetBSD-3 branch: August 26, 2005
(3.0 will include the fix)
NetBSD-2.0 branch: August 26, 2005
(2.0.3 includes the fix)
NetBSD-2 branch: August 26, 2005
(2.1 includes the fix)
NetBSD-1.6 branch: August 26, 2005
(1.6.3 will include the fix)
pkgsrc: cvs-1.11.20nb2 or higher
correct the issues
Abstract
========
CVS has multiple vulnerabilities, ranging from remote execution of
arbitrary code to denial of service. Most of the issues are when the
CVS server is running in pserver mode.
Technical Details
=================
There are multiple issues, summarised in the following list:
* A heap overflow is present in the handling of "Entry" lines for CVS
servers running in pserver mode. An attacker would require write
access to the repository to exploit this.
* Problem handling malformed "Entry" lines and empty data lines,
which could lead to a denial of service (crash), modification of
critical program data or arbitrary code execution.
* Double-free vulnerability in "error_prog_name" string leading to
remote execution of arbitrary code.
* Integer overflow in the "Max-dotdot" CVS protocol command resulting
in denial of service.
* The "serve_notify" function does not correctly handle empty data
lines. Using a crafted request an attacker could potentially
execute arbitrary system commands.
* An unspecified buffer overflow leading to remote execution of
arbitrary code.
* Insecure temporary file handling in cvsbug script which can lead to
local privilege escalation.
Most of the issues are enabled when running CVS server mode (e.g. pserver).
CVE: CAN-2004-0396, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417,
CAN-2004-0418, CAN-2005-2693 and CAN-2005-0753
Solutions and Workarounds
=========================
If you run a CVS server we highly recommend you to upgrade your CVS
binary to 1.11.20, or 1.12.12 or higher. This can be accomplished by
upgrading CVS in the base distribution or alternatively, deleting your
CVS binaries and updating from pkgsrc. pkgsrc sources from 2005-08-27
in both HEAD and pkgsrc-2005Q2 contain the fix.
To check which version of CVS you are running enter "cvs -v" and look
for the version string.
The following instructions describe how to upgrade your CVS
binaries by updating your source tree and rebuilding and
installing a new version of CVS.
* NetBSD-current:
Systems running NetBSD-current dated from before 2005-08-25
should be upgraded to NetBSD-current dated 2005-08-26 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
gnu/dist/cvs
gnu/usr.bin/cvs
To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 2.0:
The binary distribution of NetBSD 2.0 is vulnerable.
NetBSD 2.1 and 2.0.3 include the fix.
Systems running NetBSD 2.0 sources dated from before
2005-08-25 should be upgraded from NetBSD 2.0 sources dated
2005-08-26 or later.
The following directories need to be updated from the
netbsd-2-0 CVS branch:
gnu/dist/cvs
gnu/usr.bin/cvs
To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P -r netbsd-2-0 gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:
The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.
NetBSD 1.6.3 will include the fix.
Systems running NetBSD 1.6 sources dated from before
2005-08-25 should be upgraded from NetBSD 1.6 sources dated
2005-08-26 or later.
NetBSD 1.6.3 will include the fix.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
gnu/dist/cvs
gnu/usr.bin/cvs
To update from CVS, re-build, and re-install CVS:
# cd src
# cvs update -d -P -r netbsd-1-6 gnu/dist/cvs gnu/usr.bin/cvs
# cd gnu/usr.bin/cvs
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Sebastian Krahmer and
Stefan Esser Discovery and notification
Jun-ichiro "itojun" Hagino Initial research, fix and documentation
Matthias Scheler and
Takahiro Kambe Further fixes
Revision History
================
2005-10-31 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-006.txt,v 1.7 2005/10/31 06:40:04 gendalia Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKaj5Ru2/4N2IFAQKE4wP+KuycCCEBHqibLLE2k/Cv0RjDN3F9Ld9M
gLFySxpFwfYVkHAqs9J8A37qf6e07LbPQah8k89Rcy1lxhjKYzKXRsTWScLtZJcN
aZwGspv8lKQ5NUs+mWsf3FG1nSicroLgVwDbqOOQGp21zgPIGYecUnLfZ8vuD2jI
/XHPuVAQVsk=
=PcVV
-----END PGP SIGNATURE-----