-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2005-006 ================================= Topic: Multiple vulnerabilities in CVS Version: NetBSD-current: source prior to August 26, 2005 NetBSD 2.1: not affected NetBSD 2.0.3: not affected NetBSD 2.0.2: affected NetBSD 2.0: affected NetBSD 1.6.2: affected NetBSD 1.6.1: affected NetBSD 1.6: affected pkgsrc: CVS packages prior to 1.11.20nb2 Severity: Remote execution of arbitrary code, denial of service and local privilege escalation Fixed: NetBSD-current: August 26, 2005 NetBSD-3 branch: August 26, 2005 (3.0 will include the fix) NetBSD-2.0 branch: August 26, 2005 (2.0.3 includes the fix) NetBSD-2 branch: August 26, 2005 (2.1 includes the fix) NetBSD-1.6 branch: August 26, 2005 (1.6.3 will include the fix) pkgsrc: cvs-1.11.20nb2 or higher correct the issues Abstract ======== CVS has multiple vulnerabilities, ranging from remote execution of arbitrary code to denial of service. Most of the issues are when the CVS server is running in pserver mode. Technical Details ================= There are multiple issues, summarised in the following list: * A heap overflow is present in the handling of "Entry" lines for CVS servers running in pserver mode. An attacker would require write access to the repository to exploit this. * Problem handling malformed "Entry" lines and empty data lines, which could lead to a denial of service (crash), modification of critical program data or arbitrary code execution. * Double-free vulnerability in "error_prog_name" string leading to remote execution of arbitrary code. * Integer overflow in the "Max-dotdot" CVS protocol command resulting in denial of service. * The "serve_notify" function does not correctly handle empty data lines. Using a crafted request an attacker could potentially execute arbitrary system commands. * An unspecified buffer overflow leading to remote execution of arbitrary code. * Insecure temporary file handling in cvsbug script which can lead to local privilege escalation. Most of the issues are enabled when running CVS server mode (e.g. pserver). CVE: CAN-2004-0396, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, CAN-2005-2693 and CAN-2005-0753 Solutions and Workarounds ========================= If you run a CVS server we highly recommend you to upgrade your CVS binary to 1.11.20, or 1.12.12 or higher. This can be accomplished by upgrading CVS in the base distribution or alternatively, deleting your CVS binaries and updating from pkgsrc. pkgsrc sources from 2005-08-27 in both HEAD and pkgsrc-2005Q2 contain the fix. To check which version of CVS you are running enter "cvs -v" and look for the version string. The following instructions describe how to upgrade your CVS binaries by updating your source tree and rebuilding and installing a new version of CVS. * NetBSD-current: Systems running NetBSD-current dated from before 2005-08-25 should be upgraded to NetBSD-current dated 2005-08-26 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): gnu/dist/cvs gnu/usr.bin/cvs To update from CVS, re-build, and re-install CVS: # cd src # cvs update -d -P gnu/dist/cvs gnu/usr.bin/cvs # cd gnu/usr.bin/cvs # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 2.0: The binary distribution of NetBSD 2.0 is vulnerable. NetBSD 2.1 and 2.0.3 include the fix. Systems running NetBSD 2.0 sources dated from before 2005-08-25 should be upgraded from NetBSD 2.0 sources dated 2005-08-26 or later. The following directories need to be updated from the netbsd-2-0 CVS branch: gnu/dist/cvs gnu/usr.bin/cvs To update from CVS, re-build, and re-install CVS: # cd src # cvs update -d -P -r netbsd-2-0 gnu/dist/cvs gnu/usr.bin/cvs # cd gnu/usr.bin/cvs # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 1.6, 1.6.1, 1.6.2: The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable. NetBSD 1.6.3 will include the fix. Systems running NetBSD 1.6 sources dated from before 2005-08-25 should be upgraded from NetBSD 1.6 sources dated 2005-08-26 or later. NetBSD 1.6.3 will include the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: gnu/dist/cvs gnu/usr.bin/cvs To update from CVS, re-build, and re-install CVS: # cd src # cvs update -d -P -r netbsd-1-6 gnu/dist/cvs gnu/usr.bin/cvs # cd gnu/usr.bin/cvs # make USETOOLS=no cleandir dependall # make USETOOLS=no install Thanks To ========= Sebastian Krahmer and Stefan Esser Discovery and notification Jun-ichiro "itojun" Hagino Initial research, fix and documentation Matthias Scheler and Takahiro Kambe Further fixes Revision History ================ 2005-10-31 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2005-006.txt,v 1.7 2005/10/31 06:40:04 gendalia Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (NetBSD) iQCVAwUBQ2fKaj5Ru2/4N2IFAQKE4wP+KuycCCEBHqibLLE2k/Cv0RjDN3F9Ld9M gLFySxpFwfYVkHAqs9J8A37qf6e07LbPQah8k89Rcy1lxhjKYzKXRsTWScLtZJcN aZwGspv8lKQ5NUs+mWsf3FG1nSicroLgVwDbqOOQGp21zgPIGYecUnLfZ8vuD2jI /XHPuVAQVsk= =PcVV -----END PGP SIGNATURE-----