CVS malformed module file manipulation

cvs-module-file-manipulation (13929)

Medium Risk

Description:

CVS (Concurrent Versions System) could allow a remote attacker to create files on the system. By sending a malformed module request, a remote attacker could create directories and files in the filesystem root.

Consequences:

File Manipulation

Remedy:

Upgrade to the latest version of CVS (1.11.10), available from the Concurrent Versions System Web site. See References.

For Slackware Linux:
Upgrade to the latest cvs package, as listed below. Refer to slackware-security Mailing List, Thu, 11 Dec 2003 13:52:45 -0800 (PST) for more information. See References.

Slackware Linux 8.1, 9.0, 9.1, and -current: 1.11.10 or later

For Mandrake Linux:
Upgrade to the latest cvs package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:112-1 : cvs for more information. See References.

Mandrake Linux 9.1: 1.11.10-0.2.91mdk or later
Mandrake Linux 9.2: 1.11.10-0.2.92mdk or later

For Gentoo Linux:
Upgrade to the latest version of cvs (1.11.10 or later), as listed in Gentoo Linux Security Announcement 200312-04. See References.

For Turbolinux:
Upgrade to the latest cvs package (1.12.4-1 or later), as listed in Turbolinux Security Advisory TLSA-2003-69. See References.

For OpenPKG:
Upgrade to the latest cvs package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.052 for more information. See References.

OpenPKG 1.2: 1.11.5-1.2.3 or later
OpenPKG 1.3: 1.12.1-1.3.1 or later
OpenPKG CURRENT: 1.12.3-20031205 or later

For Red Hat Linux:
Upgrade to the latest CVS package, as listed below. Refer to RHSA-2004:003-01 for more information. See References.

Red Hat 9: 1.11.2-13 or later

For Debian GNU/Linux:
Upgrade to the latest cvs package, as listed below. Refer to DSA-422-1 for more information. See References.

Debian GNU/Linux 3.0 (Woody): 1.11.1 or later

For Conectiva Linux:
Upgrade to the latest cvs package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:808 for more information. See References.

Conectiva Linux 8: 1.11-9U80_5cl or later or later
Conectiva Linux 9: 1.11-22818U90_2cl or later

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• CIAC Information Bulletin O-049: Red Hat Updated CVS Packages Fix Minor Security Issue.
• Concurrent Versions System Web site: Stable CVS Version 1.11.10 Released! (security update) .
• Conectiva Linux Security Announcement CLSA-2004:808: cvs.
• Gentoo Linux Security Announcement 200312-04: dev-util/cvs. (From LinuxSecurity archive)
• slackware-security Mailing List, Thu, 11 Dec 2003 13:52:45 -0800 (PST): cvs security update (SSA:2003-345-01).
• BID-9178: CVS Malformed Request System Root File Creation Vulnerability
• CVE-2003-0977: CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
• DSA-422: cvs -- remote vulnerability
• GLSA-200312-04: CVS: malformed module request vulnerability
• MDKSA-2003:112: Updated cvs packages fix malformed module request vulnerability
• MDKSA-2003:112-1: Updated cvs packages fix malformed module request vulnerability
• OpenPKG-SA-2003.052: CVS
• RHSA-2004-003: Updated CVS packages fix minor security issue
• RHSA-2004-004: cvs security update

Platforms Affected:

• Conectiva Linux 8.0
• Conectiva Linux 9.0
• CVS, Derek Price CVS (Concurrent Versions System) prior to 1.11.10
• Debian Debian Linux 3.0
• Gentoo Linux
• MandrakeSoft Mandrake Linux 9.0
• MandrakeSoft Mandrake Linux 9.1 PPC
• MandrakeSoft Mandrake Linux 9.1
• MandrakeSoft Mandrake Linux 9.2 AMD64
• MandrakeSoft Mandrake Linux 9.2
• MandrakeSoft Mandrake Linux Corporate Server 2.1
• MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
• OpenPKG OpenPKG 1.2
• OpenPKG OpenPKG 1.3
• OpenPKG OpenPKG CURRENT
• RedHat Enterprise Linux 2.1 AS
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 3 AS
• RedHat Enterprise Linux 3 ES
• RedHat Enterprise Linux 3 WS
• RedHat Linux 9.0
• RedHat Linux Advanced Workstation 2.1 Itanium
• Slackware Slackware Linux 8.0
• Slackware Slackware Linux 9.0
• Slackware Slackware Linux 9.1
• Slackware Slackware Linux current
• Turbolinux Turbolinux 10 Desktop
• Turbolinux Turbolinux 7 Server
• Turbolinux Turbolinux 7 Workstation
• Turbolinux Turbolinux 8 Server
• Turbolinux Turbolinux 8 Workstation
• Turbolinux Turbolinux Advanced Server 6
• Turbolinux Turbolinux Server 6.1
• Turbolinux Turbolinux Server 6.5
• Turbolinux Turbolinux Workstation 6.0

Reported:

Dec 08, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page