Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200405-12 ] CVS heap overflow vulnerability
Date: Thu, 20 May 2004 18:18:21
Message-Id: 40ACF62D.5080008@gentoo.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200405-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: CVS heap overflow vulnerability
Date: May 20, 2004
Bugs: #51460
ID: 200405-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

CVS is subject to a heap overflow vulnerability allowing source
repository compromise.

Background
==========

CVS (Concurrent Versions System) is an open-source network-transparent
version control system. It contains both a client utility and a server.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  dev-util/cvs     <= 1.11.15                           >= 1.11.16

Description
===========

Stefan Esser discovered a heap overflow in the CVS server, which can be
triggered by sending malicious "Entry" lines and manipulating the flags
related to that Entry. This vulnerability was proven to be exploitable.

Impact
======

A remote attacker can execute arbitrary code on the CVS server, with
the rights of the CVS server. By default, Gentoo uses the "cvs" user to
run the CVS server. In particular, this flaw allows a complete
compromise of CVS source repositories. If you're not running a server,
then you are not vulnerable.

Workaround
==========

There is no known workaround at this time. All users are advised to
upgrade to the latest available version of CVS.

Resolution
==========

All users running a CVS server should upgrade to the latest stable
version:

    # emerge sync

    # emerge -pv ">=dev-util/cvs-1.11.16"
    # emerge ">=dev-util/cvs-1.11.16"

References
==========

  [ 1 ] E-matters advisory 07/2004
        http://security.e-matters.de/advisories/072004.html
  [ 2 ] CAN-2004-0396
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200405-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFArPYsvcL1obalX08RAra6AJ9y2fOFXOehlVb5V1VqX7ApBinrCQCglDIo
12HXNH7oaV2/olRemjT+Uq4=
=SFp9
-----END PGP SIGNATURE-----
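
Added example, not part of the signed advisory or of Gentoo's tooling: a POSIX shell check that classifies a dev-util/cvs version against the ranges in the "Affected packages" table, comparing components numerically so that 1.11.5 is not mistaken for something newer than 1.11.16. The `cvs --version` banner shape, the function names, the sample versions and the treatment of `-rN` ebuild revisions as still below 1.11.16 are assumptions.

```shell
#!/bin/sh
# Added example: applies only the ranges stated in GLSA 200405-12
# (vulnerable <= 1.11.15, unaffected >= 1.11.16) to a version string.

FIXED="1.11.16"   # first unaffected version, from the advisory's table

# Print the version found in a `cvs --version` banner line.
# Assumed banner shape: "Concurrent Versions System (CVS) 1.11.15 (client/server)"
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*(CVS) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 is numerically lower than $2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading component
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # drop it from the rest
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                        # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                        # equal is not "lower"
}

# Classify a package version such as "1.11.15-r1".
glsa_status() {
    v=${1%%-r[0-9]*}   # assumption: a -rN revision of an old version is still affected
    case $v in
        ''|[!0-9]*|*[!0-9.]*) echo "unknown"; return 2 ;;
    esac
    if version_lt "$v" "$FIXED"; then
        echo "vulnerable"
    else
        echo "unaffected"
    fi
}

# Constructed sample inputs (not taken from the advisory).
for v in "$(banner_version 'Concurrent Versions System (CVS) 1.11.5 (client/server)')" \
         1.11.15-r1 1.11.16; do
    printf '%s: %s\n' "$v" "$(glsa_status "$v")"
done
```

Per the Impact section, the result matters only on hosts that actually run a CVS server.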