CVS entry line buffer overflow

cvs-entry-line-bo (16193) Risk level: High

Description:

CVS (Concurrent Versions System) is vulnerable to a heap-based buffer overflow, caused by improper handling of entry lines when the modified and unchanged flags are applied. A remote attacker could send specially crafted commands to overflow a buffer and execute arbitrary code on the system.

Platforms Affected:

  • CVS, Derek Price, CVS (Concurrent Versions System) 1.11.15 and prior
  • CVS, Derek Price, CVS (Concurrent Versions System) 1.12.7 and prior
  • Debian, Debian Linux 3.0
  • FreeBSD, FreeBSD
  • Gentoo, Linux
  • MandrakeSoft, Mandrake Linux 10.0 AMD64
  • MandrakeSoft, Mandrake Linux 10.0
  • MandrakeSoft, Mandrake Linux 9.1
  • MandrakeSoft, Mandrake Linux 9.1 PPC
  • MandrakeSoft, Mandrake Linux 9.2 AMD64
  • MandrakeSoft, Mandrake Linux 9.2
  • MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 2.1
  • NetBSD, NetBSD 1.6
  • NetBSD, NetBSD 2.0
  • NetBSD, NetBSD CURRENT
  • Novell, UnitedLinux 1.0
  • OpenBSD, OpenBSD 3.4
  • OpenBSD, OpenBSD 3.5
  • OpenBSD, OpenBSD CURRENT
  • OpenPKG, OpenPKG 1.3
  • OpenPKG, OpenPKG 2.0
  • OpenPKG, OpenPKG CURRENT
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 AW
  • RedHat, Enterprise Linux 3 Desktop
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • Slackware, Slackware Linux 8.1
  • Slackware, Slackware Linux 9.0
  • Slackware, Slackware Linux 9.1
  • Sun, Solaris 7.0
  • Sun, Solaris 8
  • Sun, Solaris 9
  • SuSE, SuSE Linux 9.0
  • SuSE, SuSE Linux Enterprise Server 7.0
  • SuSE, SuSE Linux Office Server
  • Turbolinux, Turbolinux 10 Desktop
  • Turbolinux, Turbolinux 7 Server
  • Turbolinux, Turbolinux 7 Workstation
  • Turbolinux, Turbolinux 8 Server
  • Turbolinux, Turbolinux 8 Workstation
  • Turbolinux, Turbolinux Advanced Server 6
  • Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
  • Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
  • Turbolinux, Turbolinux Server 6.1
  • Turbolinux, Turbolinux Server 6.5
  • Turbolinux, Turbolinux Workstation 6.0

Remedy:

Upgrade to the latest CVS version when it becomes available from the CVS Web site. See References.

For FreeBSD:
Upgrade to the latest version of FreeBSD (4-STABLE or later, or the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch dated after 2004-05-18), as listed in FreeBSD Security Advisory FreeBSD-SA-04:10.cvs. See References.

— OR —

Apply the patch for this vulnerability, as listed in FreeBSD Security Advisory FreeBSD-SA-04:10.cvs. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest cvs package (1.11.1p1debian-9woody4 or later), as listed in DSA-505-1. See References.

For Red Hat Linux:
Upgrade to the latest cvs package, as listed below. Refer to RHSA-2004:190-14 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 1.11.1p1-14 or later

Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 1.11.2-22.x86_644 or later

For OpenBSD:
Apply the appropriate patch, as listed below. Refer to OpenBSD Security Advisory 5/25/2004 14:42 for more information. See References.

OpenBSD 3.5: 007_cvs2.patch
OpenBSD 3.4: 021_cvs2.patch

For Slackware Linux:
Upgrade to the latest cvs package, as listed below. Refer to slackware-security Mailing List, Wed, 19 May 2004 19:14:49 -0700 (PDT) for more information. See References.

Slackware Linux 8.1, 9.0, 9.1 and -current: 1.11.16-i386-1 or later

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57573 for more information. See References.

SPARC Platform
Solaris 7 without patch 107684-11 or later
Solaris 8 without patch 110615-11 or later
Solaris 9 without sendmail(1M) upgrade 8.12.10 (as delivered in patch 113575-05) or later

x86 Platform
Solaris 7 without patch 107685-11 or later
Solaris 8 without patch 110616-11 or later
Solaris 9 without sendmail(1M) upgrade 8.12.10 (as delivered in patch 114137-04) or later

For NetBSD-current (dated prior to 2004-21-05), 1.6, and 2.0 branch: Upgrade to the appropriate fixed versions of NetBSD, as listed in NetBSD Security Advisory 2004-008. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.022 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

Reported:

May 19, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
