Hi! Are we affected by this? I haven't seen any DSA.
On Mon, Sep 20, 2004 at 01:50:33PM +0000, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-04:14.cvs.asc Security Advisory > The FreeBSD Project > > Topic: CVS > > Category: contrib > Module: cvs > Announced: 2004-09-19 > Credits: Stefan Esser, Sebastian Krahmer, Derek Price > iDEFENSE > Affects: All FreeBSD versions > Corrected: 2004-06-29 16:10:50 UTC (RELENG_4) > 2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3) > 2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12) > 2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25) > 2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10) > CVE Name: CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, > CAN-2004-0778 > FreeBSD only: NO > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit > <URL:http://www.freebsd.org/security/>. > > I. Background > > The Concurrent Versions System (CVS) is a version control system. It > may be used to access a repository locally, or to access a `remote > repository' using a number of different methods. When accessing a > remote repository, the target machine runs the CVS server to fulfill > client requests. > > II. Problem Description > > A number of vulnerabilities were discovered in CVS by Stefan Esser, > Sebastian Krahmer, and Derek Price. > > . Insufficient input validation while processing "Entry" lines. > (CAN-2004-0414) > > . A double-free resulting from erroneous state handling while > processing "Argumentx" commands. (CAN-2004-0416) > > . Integer overflow while processing "Max-dotdot" commands. > (CAN-2004-0417) > > . Erroneous handling of empty entries handled while processing > "Notify" commands. (CAN-2004-0418) > > . A format string bug while processing CVS wrappers. > > . Single-byte buffer underflows while processing configuration files > from CVSROOT. > > . Various other integer overflows. > > Additionally, iDEFENSE reports an undocumented command-line flag used > in debugging does not perform input validation on the given path > names. > > III. Impact > > CVS servers ("cvs server" or :pserver: modes) are affected by these > vulnerabilities. They vary in impact but include information disclosure > (the iDEFENSE-reported bug), denial-of-service (CAN-2004-0414, > CAN-2004-0416, CAN-2004-0417 and other bugs), or possibly arbitrary code > execution (CAN-2004-0418). In very special situations where the > attacker may somehow influence the contents of CVS configuration files > in CVSROOT, additional attacks may be possible. > > IV. Workaround > > Disable the use of remote CVS repositories. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to the RELENG_4 stable branch, or to > the RELENG_5_2, RELENG_4_10, RELENG_4_9, or RELENG_4_8 security branch > dated after the correction date. > > OR > > 2) Patch your present system: > > The following patches have been verified to apply to FreeBSD 4.8, 4.9, > 4.10 and 5.2.1 systems. Note that one *must* have previously applied > the patches pertaining to FreeBSD-SA-04:10.cvs in order to use these > patches. > > Note that FreeBSD 4.10-STABLE systems built from sources dated > 2004-06-29 16:20:00 UTC or later include cvs 1.11.17, which has all > of these issues fixed. These patches should not be applied to those > systems. > > a) Download the relevant patches from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/gnu/usr.bin/cvs > # make obj && make depend && make && make install > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_4_10 > src/UPDATING 1.73.2.90.2.4 > src/sys/conf/newvers.sh 1.44.2.34.2.5 > src/contrib/cvs/lib/xsize.h 1.1.1.1.6.1 > src/contrib/cvs/src/commit.c 1.8.2.5.6.1 > src/contrib/cvs/src/cvs.h 1.11.2.6.6.1 > src/contrib/cvs/src/filesubr.c 1.6.2.4.6.1 > src/contrib/cvs/src/history.c 1.1.1.6.2.4.6.1 > src/contrib/cvs/src/modules.c 1.1.1.5.2.4.2.1 > src/contrib/cvs/src/server.c 1.13.2.5.6.3 > src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.6.1 > src/gnu/usr.bin/cvs/lib/config.h.proto 1.16.2.1.6.1 > RELENG_4_9 > src/UPDATING 1.73.2.89.2.13 > src/sys/conf/newvers.sh 1.44.2.32.2.13 > src/contrib/cvs/lib/xsize.h 1.1.1.1.8.1 > src/contrib/cvs/src/commit.c 1.8.2.5.4.1 > src/contrib/cvs/src/cvs.h 1.11.2.6.4.1 > src/contrib/cvs/src/filesubr.c 1.6.2.4.4.1 > src/contrib/cvs/src/history.c 1.1.1.6.2.4.4.1 > src/contrib/cvs/src/modules.c 1.1.1.5.2.3.4.2 > src/contrib/cvs/src/server.c 1.13.2.5.4.3 > src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.4.1 > src/gnu/usr.bin/cvs/lib/config.h.proto 1.16.2.1.4.1 > RELENG_4_8 > src/UPDATING 1.73.2.80.2.28 > src/sys/conf/newvers.sh 1.44.2.29.2.26 > src/contrib/cvs/lib/xsize.h 1.1.1.1.10.1 > src/contrib/cvs/src/commit.c 1.8.2.5.2.1 > src/contrib/cvs/src/cvs.h 1.11.2.6.2.1 > src/contrib/cvs/src/filesubr.c 1.6.2.4.2.1 > src/contrib/cvs/src/history.c 1.1.1.6.2.4.2.1 > src/contrib/cvs/src/modules.c 1.1.1.5.2.3.2.2 > src/contrib/cvs/src/server.c 1.13.2.5.2.3 > src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.2.1 > src/gnu/usr.bin/cvs/lib/config.h.proto 1.16.2.1.2.1 > RELENG_5_2 > src/UPDATING 1.282.2.18 > src/sys/conf/newvers.sh 1.56.2.17 > src/contrib/cvs/lib/xsize.h 1.1.1.1.12.1 > src/contrib/cvs/src/commit.c 1.13.4.1 > src/contrib/cvs/src/cvs.h 1.17.4.1 > src/contrib/cvs/src/filesubr.c 1.10.6.1 > src/contrib/cvs/src/history.c 1.1.1.10.6.1 > src/contrib/cvs/src/modules.c 1.1.1.8.6.3 > src/contrib/cvs/src/server.c 1.19.4.4 > src/contrib/cvs/src/wrapper.c 1.1.1.10.6.1 > src/gnu/usr.bin/cvs/lib/config.h.proto 1.17.2.1 > - ------------------------------------------------------------------------- > > VII. References > > <URL: http://security.e-matters.de/advisories/092004.html > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.5 (FreeBSD) > > iD8DBQFBTterFdaIBMps37IRAlkjAJ9jZ40PME0gr8b6DyS+h6zVHCxGTgCfdJN/ > JiKgPD2YDy378kBO3hYd8Ao= > =qzxJ > -----END PGP SIGNATURE----- > _______________________________________________ > [email protected] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "[EMAIL PROTECTED]" -- .''`. Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S) : :' : `. `' http://www.debian.org/ports/kfreebsd-gnu `-
