Subject: NetBSD Security Advisory 2005-006: Multiple vulnerabilities in CVS
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 11/08/2005 09:57:00

		 NetBSD Security Advisory 2005-006
		 =================================

Topic:		Multiple vulnerabilities in CVS

Version:	NetBSD-current:	source prior to August 26, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.3:	not affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		pkgsrc:		CVS packages prior to 1.11.20nb2

Severity:	Remote execution of arbitrary code, denial of service and
		local privilege escalation

Fixed:		NetBSD-current:		August 26, 2005
		NetBSD-3 branch:	August 26, 2005 
						(3.0 will include the fix)
		NetBSD-2.0 branch:	August 26, 2005
						(2.0.3 includes the fix)
		NetBSD-2 branch:	August 26, 2005 
						(2.1 includes the fix)
		NetBSD-1.6 branch:	August 26, 2005 
						(1.6.3 will include the fix)
		pkgsrc:			cvs-1.11.20nb2 or higher
					corrects the issues


Abstract
========

CVS has multiple vulnerabilities, ranging from remote execution of
arbitrary code to denial of service.  Most of the issues are only
exposed when the CVS server is running in pserver mode.


Technical Details
=================

There are multiple issues, summarised in the following list:

 * A heap overflow is present in the handling of "Entry" lines for CVS
   servers running in pserver mode.  An attacker would require write
   access to the repository to exploit this.

 * Problems in the handling of malformed "Entry" lines and empty data
   lines, which could lead to a denial of service (crash), modification
   of critical program data or arbitrary code execution.

 * Double-free vulnerability in "error_prog_name" string leading to
   remote execution of arbitrary code.

 * Integer overflow in the "Max-dotdot" CVS protocol command resulting
   in denial of service.

 * The "serve_notify" function does not correctly handle empty data
   lines.  Using a crafted request an attacker could potentially
   execute arbitrary system commands.

 * An unspecified buffer overflow leading to remote execution of
   arbitrary code.

 * Insecure temporary file handling in cvsbug script which can lead to
   local privilege escalation.

Most of the issues are only exposed when CVS is run in server mode (e.g. pserver).

CVE:	CAN-2004-0396, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, 
	CAN-2004-0418, CAN-2005-2693 and CAN-2005-0753


Solutions and Workarounds
=========================

If you run a CVS server we strongly recommend that you upgrade your CVS
binary to 1.11.20, or to 1.12.12 or higher.  This can be accomplished
either by upgrading CVS in the base distribution or by deleting your
CVS binaries and installing CVS from pkgsrc.  pkgsrc sources from
2005-08-27 in both HEAD and pkgsrc-2005Q2 contain the fix.

To check which version of CVS you are running enter "cvs -v" and look
for the version string.
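As an added check (example script written for this page, not part of the advisory), the following POSIX sh parses the banner that "cvs -v" prints and compares it numerically against the fixed versions named above, 1.11.20 for the 1.11 series and 1.12.12 or higher otherwise; the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not from the NetBSD advisory): decide from "cvs -v" output
# whether the installed CVS is at or above the versions the advisory names as
# fixed: 1.11.20 for the 1.11 series, 1.12.12 (or higher) for anything newer.
# Pull "X.Y.Z" out of a banner such as
# "Concurrent Versions System (CVS) 1.11.20 (client/server)".
cvs_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*(CVS) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing each field numerically
# (so 1.11.20 > 1.11.9, which a plain string comparison would get wrong).
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ -z "$a" ] && a=0
        [ -z "$b" ] && b=0
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Return 0 for a fixed version, 1 if it predates the fix, 2 if no version found.
cvs_is_fixed() {
    ver=$(cvs_version_from_banner "$1")
    [ -z "$ver" ] && return 2
    case $ver in
        1.11.*) version_ge "$ver" 1.11.20 ;;
        *)      version_ge "$ver" 1.12.12 ;;
    esac
}

# Constructed sample banners in the format "cvs -v" prints.
BANNER_OLD="Concurrent Versions System (CVS) 1.11.17 (client/server)"
BANNER_FIXED="Concurrent Versions System (CVS) 1.11.20 (client/server)"
BANNER_NEW="Concurrent Versions System (CVS) 1.12.12 (client/server)"

# Check the live binary when one is installed, as the advisory suggests.
if command -v cvs >/dev/null 2>&1; then
    cvs_is_fixed "$(cvs -v 2>/dev/null)" && rc=0 || rc=$?
    case $rc in
        0) echo "installed CVS is at or above the fixed version" ;;
        1) echo "installed CVS predates the fix: upgrade as described below" ;;
        *) echo "could not find a version string in cvs -v output" ;;
    esac
fi
```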

The following instructions describe how to upgrade your CVS
binaries by updating your source tree and rebuilding and
installing a new version of CVS.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2005-08-25
	should be upgraded to NetBSD-current dated 2005-08-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		gnu/dist/cvs
		gnu/usr.bin/cvs

	To update from CVS, re-build, and re-install CVS:
		# cd src
		# cvs update -d -P gnu/dist/cvs gnu/usr.bin/cvs
		# cd gnu/usr.bin/cvs

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		
* NetBSD 2.0:

	The binary distribution of NetBSD 2.0 is vulnerable.

	NetBSD 2.1 and 2.0.3 include the fix.

	Systems running NetBSD 2.0 sources dated from before
	2005-08-25 should be upgraded from NetBSD 2.0 sources dated
	2005-08-26 or later.

	The following directories need to be updated from the
	netbsd-2-0 CVS branch:
		gnu/dist/cvs
		gnu/usr.bin/cvs
		
	To update from CVS, re-build, and re-install CVS:

		# cd src
		# cvs update -d -P -r netbsd-2-0 gnu/dist/cvs gnu/usr.bin/cvs
		# cd gnu/usr.bin/cvs

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 1.6, 1.6.1, 1.6.2:

	The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

	NetBSD 1.6.3 will include the fix.

	Systems running NetBSD 1.6 sources dated from before
	2005-08-25 should be upgraded from NetBSD 1.6 sources dated
	2005-08-26 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		gnu/dist/cvs
		gnu/usr.bin/cvs

	To update from CVS, re-build, and re-install CVS:

		# cd src
		# cvs update -d -P -r netbsd-1-6 gnu/dist/cvs gnu/usr.bin/cvs
		# cd gnu/usr.bin/cvs

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========

Sebastian Krahmer and 
Stefan Esser 			Discovery and notification

Jun-ichiro "itojun" Hagino	Initial research, fix and documentation 

Matthias Scheler and
Takahiro Kambe 			Further fixes


Revision History
================

	2005-10-31	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-006.txt,v 1.7 2005/10/31 06:40:04 gendalia Exp $
