Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2004-0180: CVS pserver client side exploit|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Sebastian Krahmer <krahmer>|
|Component:||Incidents||Assignee:||Adrian Schröter <adrian.schroeter>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P3 - Medium||CC:||security-team|
|Whiteboard:||CVE-2004-0180: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)|
|Found By:||---||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
the fix ffrom Derek
The patch. "backported"
2nd necessary patch
patchfile for box
Description Sebastian Krahmer 2004-03-22 17:38:26 UTC
CVS client accepts absolute pathnames during co/update. This allows for "updating" arbitrary files such as /root/.bashrc. CAN-2004-0180 has been assigned. I will attach a fix from CVS boss.
Comment 1 Sebastian Krahmer 2004-03-22 17:38:26 UTC
<!-- SBZ_reproduce --> Exploit exists. If you need it for testing I will send it to you.
Comment 2 Sebastian Krahmer 2004-03-22 17:44:04 UTC
Created attachment 16953 [details] the fix ffrom Derek
Comment 3 Adrian Schröter 2004-03-22 17:58:24 UTC
patch is submitted to STABLE. Are all versions affected ?
Comment 4 Sebastian Krahmer 2004-03-22 18:00:54 UTC
Yes, so far I know. Do you need patchinfos?
Comment 5 Adrian Schröter 2004-03-22 18:07:25 UTC
can we postpone the fixes for older release after 9.1 Master ? patchinfos are not the problem, but the 9.0 already contains a version, where patched code not exists at all. I don't think I can do this within a day ..
Comment 6 Sebastian Krahmer 2004-03-22 18:14:23 UTC
Um, I am not sure I understand you correctly. The patch applies clean to SL 8.0, 8.1, 8.2? But not to Sl 9.0 and 9.1 correct?
Comment 7 Adrian Schröter 2004-03-22 18:18:13 UTC
I only checked 9.1 and 9.0 yet. no problem with 9.1, but 9.0 already needs some more work. the patched code does not exist at all there and I need to understand what it is doing at all. (insert $FLAME_ABOUT_SPAGETTI_CODE). 8.x will be much more work, I am sure.
Comment 8 Sebastian Krahmer 2004-03-22 21:17:55 UTC
The function to patch in client.c is still there: call_in_directory(). And it makes sense to me. import.c however is missing the cp == checks which the patch substitutes. I will ask the author whether import.c needs fixing in earlier versions.
Comment 9 Sebastian Krahmer 2004-04-05 18:07:52 UTC
Created attachment 17910 [details] The patch. "backported" I removed all the sanity.sh and import.c changes since they are not necessary. This one applied clean to 1.11.6, so I think it should not be a problem to fix old boxes now. I will attach a second fix from Derek too, which fixes some module bug. I also tried this one and it also applies to older versions. With some line-offset :-)
Comment 10 Sebastian Krahmer 2004-04-05 18:08:23 UTC
Created attachment 17911 [details] 2nd necessary patch ...
Comment 11 Adrian Schröter 2004-04-08 00:02:05 UTC
thank you a lot. all packages have been submitted. closing this bug or reassign ?
Comment 12 Sebastian Krahmer 2004-04-09 17:11:20 UTC
No, please leave open. We need it for tracking.
Comment 13 Sebastian Krahmer 2004-04-09 17:15:37 UTC
I think there are patchinfo files missing. I will create them on monday, as I think it will be useless today.
Comment 14 Sebastian Krahmer 2004-04-12 18:13:21 UTC
Created attachment 18205 [details] patchfile ...
Comment 15 Sebastian Krahmer 2004-04-12 18:13:51 UTC
Created attachment 18206 [details] patchfile for box ...
Comment 16 Sebastian Krahmer 2004-04-15 00:00:01 UTC
Packages have been approved and announced.
Comment 17 Thomas Biege 2009-10-13 20:18:32 UTC
CVE-2004-0180: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)