CVS malformed directory name "double free" memory corruption

cvs-doublefree-memory-corruption (11108)

High Risk

Description:

CVS (Concurrent could allow a remote attacker to cause dynamically allocated memory segments to be released twice. A remote attacker could send a malformed directory request to the system to cause the corruption of internal memory segments, which could result in a memory leak, denial of service, or execution of arbitrary code. On systems that are configured to allow anonymous read-only access to the CVS repository, an attacker could use the information leaked to determine the address of some strings that are required for the read/write access checks, which could allow the attacker to use the Checkin-prog or Update-prog command to bypass write access restrictions and execute arbitrary shell commands on the server.

Platforms Affected:

• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• CVS, Derek Price, CVS (Concurrent Versions System) 1.11.4 and prior
• Debian, Debian Linux 2.2
• Debian, Debian Linux 3.0
• FreeBSD, FreeBSD 4.0
• FreeBSD, FreeBSD 4.1
• FreeBSD, FreeBSD 4.1.1
• FreeBSD, FreeBSD 4.2
• FreeBSD, FreeBSD 4.3
• FreeBSD, FreeBSD 4.4
• FreeBSD, FreeBSD 4.5
• FreeBSD, FreeBSD 4.6
• FreeBSD, FreeBSD 4.6.1
• Gentoo, Linux
• Immunix, Immunix OS 7+-beta
• MandrakeSoft, Mandrake Linux 7.2
• MandrakeSoft, Mandrake Linux 8.0
• MandrakeSoft, Mandrake Linux 8.0 PPC
• MandrakeSoft, Mandrake Linux 8.1 IA64
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Single Network Firewall 7.2
• OpenPKG, OpenPKG 1.0
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SCO, Caldera OpenLinux Server 3.1
• SCO, Caldera OpenLinux Server 3.1.1
• SCO, Caldera OpenLinux Workstation 3.1
• SCO, Caldera OpenLinux Workstation 3.1.1
• Slackware, Slackware Linux 8.1
• Slackware, Slackware Linux current
• Sun, Cobalt CacheRaQ 3
• Sun, Cobalt CacheRaQ 4
• Sun, Cobalt Qube 2
• Sun, Cobalt Qube 3
• Sun, Cobalt RaQ 2
• Sun, Cobalt RaQ 3
• Sun, Cobalt RaQ 4
• Sun, Cobalt RaQ 550
• Sun, Cobalt RaQ XTR
• Sun, Linux 5.0.3
• SuSE, Linux Enterprise Server 8
• SuSE, SuSE eMail Server 3.1
• SuSE, SuSE eMail Server III
• SuSE, SuSE Linux 7.1
• SuSE, SuSE Linux 7.2
• SuSE, SuSE Linux 7.3
• SuSE, SuSE Linux 8.0
• SuSE, SuSE Linux 8.1
• SuSE, SuSE Linux Connectivity Server
• SuSE, SuSE Linux Database Server
• SuSE, SuSE Linux Enterprise Server 7.0
• SuSE, SuSE Linux Firewall
• SuSE, SuSE Linux Office Server
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation
• Turbolinux, Turbolinux Advanced Server 6
• Turbolinux, Turbolinux Server 6.1
• Turbolinux, Turbolinux Server 6.5

Remedy:

Upgrade to the latest version of CVS (1.11.5 or later), available from the CVS Web site. See References.

For Red Hat Linux:
Upgrade to the latest CVS packages, as listed below. Refer to RHSA-2003:012-09 for more information. See References.

Red Hat Linux 6.2: 1.11.1p1-8.6 or later
Red Hat Linux 7.0, 7.1, 7.2, and 7.3: 1.11.1p1-8.7 or later
Red Hat Linux 8.0: 1.11.2-8 or later

For OpenPKG:
Upgrade to the latest cvs package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.004 for more information. See References.

OpenPKG Current: 1.11.5-20030121 or later
OpenPKG 1.0: 1.11.1p1-1.0.2 or later
OpenPKG 1.1: 1.11.2-1.1.1 or later

For Debian GNU/Linux:
Upgrade to the latest cvs package, as listed below. Refer to DSA-233-1 for more information. See References.

Debian GNU/Linux 2.2 (potato): 1.10.7-9.2 or later
Debian GNU/Linux 3.0 (woody): 1.11.1p1debian-8.1 or later

For Gentoo Linux:
Upgrade to the latest version (cvs-1.11.5r or later), as listed in Gentoo Linux Security Announcement 200301-12. See References.

For Slackware Linux:
Upgrade to the latest cvs package, as listed below. Refer to slackware-security Mailing List, Tue 21 Jan 2003 14:26:20 -0800 (PST) for more information. See References.

Slackware Linux 8.1 and current: cvs-1.11.5-i386-1 or later

For Conectiva Linux:
Upgrade to the latest cvs package, as listed below. Refer to Conectiva Linux Announcement CLSA-2003:561 for more information. See References.

Conectiva Linux 6.0: 1.10.8-5U60_4cl or later
Conectiva Linux 7.0: 1.11-7U70_3cl or later
Conectiva Linux 8.0: 1.11-9U80_3cl or later

For Mandrake Linux:
Upgrade to the latest cvs package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:009:cvs for more information. See References.

Mandrake Linux 7.2, 8.0, 8.1, 8.2, 9.0, and Single Network Firewall 7.2: 1.11.4-2.2mdk or later

For SuSE Linux:
Upgrade to the latest cvs package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2003:0007 for more information. See References.

SuSE Linux 8.0 and 8.1 (Intel): 1.11.1p1-235 or later
SuSE Linux 7.1 and 7.3 (Intel): 1.11-230 or later
SuSE Linux 7.2 (Intel): 1.11-231 or later
SuSE Linux 7.3 (Sparc): 1.11-103 or later
SuSE Linux 7.1 (AXP): 1.11-106 or later
SuSE Linux 7.1 and 7.3 (PPC): 1.11-115 or later

For Caldera OpenLinux 3.1 and 3.1.1 (Workstation and Server):
Upgrade to the latest cvs package (1.11-9 or later), as listed in SCO Security Advisory CSSA-2003-0006. See References.

For FreeBSD:
Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-03:01.cvs. See References.

For Immunix OS 7+:
Upgrade to the latest version of cvs (1.11.1p1-4_imnx_2 or later), as listed in Immunix OS Security Advisory IMNX-2003-7+-004-01. See References.

For Sun Linux 5.0.3:
Upgrade to the latest cvs package (1.11.1p1-8.7 or later), as listed in Sun Alert ID: 50439. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• BugTraq Mailing List, 2003-02-02 11:27:23, Exploit for CVS double free() for Linux pserver at http://marc.theaimsgroup.com/?l=bugtraq&m=104428571204468&w=2.
• BugTraq Mailing List, Fri Jan 24 2003 - 09:52:41 CST, Test program for CVS double-free. at http://archives.neohapsis.com/archives/bugtraq/2003-01/0262.html.
• CERT Advisory CA-2003-02, Double-Free Bug in CVS Server at http://www.cert.org/advisories/CA-2003-02.html.
• CIAC Information Bulletin N-032, Double-Free Bug in Concurrent Versions System (CVS) Server at http://www.ciac.org/ciac/bulletins/n-032.shtml.
• Concurrent Versions System News, 2003-01-20: CVS 1.11.5 Released! (security update) at https://ccvs.cvshome.org/servlets/NewsItemView?newsItemID=51.
• Conectiva Linux Announcement CLSA-2003:560, cvs -- Remote vulnerability at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000560.
• Conectiva Linux Announcement CLSA-2003:561, cvs -- Update: cvs remote double free() vulnerability at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000561.
• CVS Web site, Project Download List at http://ccvs.cvshome.org/servlets/ProjectDownloadList.
• e-matters Security Advisory 01/2003, CVS remote vulnerability at http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0028.html.
• FreeBSD Security Advisory FreeBSD-SA-03:01.cvs, remotely exploitable vulnerability in cvs server at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:01.cvs.asc.
• Gentoo Linux Security Announcement 200301-12, cvs -- arbitrary code execution at http://www.linuxsecurity.com/content/view/104530/104/.
• Immunix OS Security Advisory IMNX-2003-7+-004-01, cvs at http://www.linuxsecurity.com/content/view/104875/105/. (From LinuxSecurity archive)
• SCO Security Advisory CSSA-2003-006.0, Linux: CVS double free vulnerability at http://www.linuxsecurity.com/content/view/104573/98/.
• slackware-security Mailing List, Tue, 21 Jan 2003 14:26:20 -0800 (PST), [slackware-security] New CVS packages available at http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.213783.
• Sun Alert ID: 50439, CVS Versions on all Sun Cobalt Legacy Products and Sun Linux 5.0.3 are Vulnerable to a "Double Free" Vulnerability at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50439&zone_32=category%3Asecurity.
• BID-6650: CVS Directory Request Double Free Heap Corruption Vulnerability
• CVE-2003-0015: Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands.
• DSA-233: cvs -- doubly freed memory
• MDKSA-2003:009: Updated cvs packages fix multiple vulnerabilities
• OpenPKG-SA-2003.004: CVS
• RHSA-2003-012: Updated CVS packages available
• RHSA-2003-013: cvs security update
• SUSE-SA:2003:0007: cvs: remote system compromise

Reported:

Jan 20, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page