Hi,

While looking for security problems in cvs-1.11.2, I found
a few issues:


1) Heap underflow in pserver.  From cvs-1.11.2/src/subr.c:

  /* Remove trailing newlines from STRING, destructively. */
  void
  strip_trailing_newlines (str)
       char *str;
  {   
      int len;
      len = strlen (str) - 1;
  
      while (str[len] == '\n')
          str[len--] = '\0';
  }

When this is passed a string of zero length (which an attacker
can arrange, by putting a null byte at the start of the repository
string in a pserver connection) it accesses the character
before the start of str, and changes it to a null if it's a
newline.

I don't think this is exploitable on FreeBSD where I tried it,
but I can think of ways to implement malloc that would make it
exploitable for arbitrary command execution.


2) No check for ':' in usernames.  From cvs-1.11.2/src/server.c:

    /* Look for a relevant line -- one with this user's name. */
    namelen = strlen (username);
    while (getline (&linebuf, &linebuf_len, fp) >= 0)
    {
        if ((strncmp (linebuf, username, namelen) == 0)
            && (linebuf[namelen] == ':'))
        {
            found_it = 1;
            break;
        }
    }

So a username like "foo:*" could match more of the line in the
password file than it should.  I can't think of a scenario
where that causes a problem, but it's still worth fixing IMO.


3) The assert() macro is used to prevent buffer overflows in a
few places.  This is a bit fragile since on FreeBSD the assert()
macro does nothing if the NDEBUG preprocessor symbol is set.

An example from cvs-1.11.2/src/server.c:

    /* The client will send us a two byte length followed by that many
       bytes.  */
    if (fread (buf, 1, 2, stdin) != 2)
        error (1, errno, "read of length failed");

    nbytes = ((buf[0] & 0xff) << 8) | (buf[1] & 0xff);
    assert (nbytes <= sizeof buf);

    if (fread (buf, 1, nbytes, stdin) != nbytes)
        error (1, errno, "read of data failed");


--
Nick Cleaton
[EMAIL PROTECTED]

_______________________________________________
Bug-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-cvs

Reply via email to