CVS malformed module file manipulation

cvs-module-file-manipulation (13929)

Medium Risk

Description:

CVS (Concurrent Versions System) could allow a remote attacker to create files on the system. By sending a malformed module request, a remote attacker could create directories and files in the filesystem root.

Platforms Affected:

• Conectiva, Linux 8.0
• Conectiva, Linux 9.0
• CVS, Derek Price, CVS (Concurrent Versions System) prior to 1.11.10
• Debian, Debian Linux 3.0
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux 9.2
• MandrakeSoft, Mandrake Linux 9.2 AMD64
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG 1.3
• OpenPKG, OpenPKG CURRENT
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Linux 9.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Slackware, Slackware Linux 8.0
• Slackware, Slackware Linux 9.0
• Slackware, Slackware Linux 9.1
• Slackware, Slackware Linux current
• Turbolinux, Turbolinux 10 Desktop
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation
• Turbolinux, Turbolinux Advanced Server 6
• Turbolinux, Turbolinux Server 6.1
• Turbolinux, Turbolinux Server 6.5
• Turbolinux, Turbolinux Workstation 6.0

Remedy:

Upgrade to the latest version of CVS (1.11.10), available from the Concurrent Versions System Web site. See References.

For Slackware Linux:
Upgrade to the latest cvs package, as listed below. Refer to slackware-security Mailing List, Thu, 11 Dec 2003 13:52:45 -0800 (PST) for more information. See References.

Slackware Linux 8.1, 9.0, 9.1, and -current: 1.11.10 or later

For Mandrake Linux:
Upgrade to the latest cvs package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:112-1 : cvs for more information. See References.

Mandrake Linux 9.1: 1.11.10-0.2.91mdk or later
Mandrake Linux 9.2: 1.11.10-0.2.92mdk or later

For Gentoo Linux:
Upgrade to the latest version of cvs (1.11.10 or later), as listed in Gentoo Linux Security Announcement 200312-04. See References.

For Turbolinux:
Upgrade to the latest cvs package (1.12.4-1 or later), as listed in Turbolinux Security Advisory TLSA-2003-69. See References.

For OpenPKG:
Upgrade to the latest cvs package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.052 for more information. See References.

OpenPKG 1.2: 1.11.5-1.2.3 or later
OpenPKG 1.3: 1.12.1-1.3.1 or later
OpenPKG CURRENT: 1.12.3-20031205 or later

For Red Hat Linux:
Upgrade to the latest CVS package, as listed below. Refer to RHSA-2004:003-01 for more information. See References.

Red Hat 9: 1.11.2-13 or later

For Debian GNU/Linux:
Upgrade to the latest cvs package, as listed below. Refer to DSA-422-1 for more information. See References.

Debian GNU/Linux 3.0 (Woody): 1.11.1 or later

For Conectiva Linux:
Upgrade to the latest cvs package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:808 for more information. See References.

Conectiva Linux 8: 1.11-9U80_5cl or later or later
Conectiva Linux 9: 1.11-22818U90_2cl or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

• CIAC Information Bulletin O-049, Red Hat Updated CVS Packages Fix Minor Security Issue at http://www.ciac.org/ciac/bulletins/o-049.shtml.
• Concurrent Versions System Web site, Stable CVS Version 1.11.10 Released! (security update) at http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1.
• Conectiva Linux Security Announcement CLSA-2004:808, cvs at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000808.
• Gentoo Linux Security Announcement 200312-04, dev-util/cvs at http://www.linuxsecurity.com/content/view/105588/104/. (From LinuxSecurity archive)
• slackware-security Mailing List, Thu, 11 Dec 2003 13:52:45 -0800 (PST), cvs security update (SSA:2003-345-01) at http://www.slackware.com/security/viewer.php?l=slackware-security&y=2003&m=slackware-security.402538.
• BID-9178: CVS Malformed Request System Root File Creation Vulnerability
• CVE-2003-0977: CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
• DSA-422: cvs -- remote vulnerability
• GLSA-200312-04: CVS: malformed module request vulnerability
• MDKSA-2003:112: Updated cvs packages fix malformed module request vulnerability
• MDKSA-2003:112-1: Updated cvs packages fix malformed module request vulnerability
• OpenPKG-SA-2003.052: CVS
• RHSA-2004-003: Updated CVS packages fix minor security issue
• RHSA-2004-004: cvs security update

Reported:

Dec 08, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page