Bug 51659 (CVE-2004-0180)

Summary:	VUL-0: CVE-2004-0180: CVS pserver client side exploit
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Sebastian Krahmer <krahmer>
Component:	Incidents	Assignee:	Adrian Schröter <adrian.schroeter>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-0180: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	the fix ffrom Derek The patch. "backported" 2nd necessary patch patchfile patchfile for box

Description Sebastian Krahmer 2004-03-22 17:38:26 UTC

CVS client accepts absolute pathnames during co/update. This allows for
"updating" arbitrary files such as /root/.bashrc.

CAN-2004-0180 has been assigned.
I will attach a fix from CVS boss.

Comment 1 Sebastian Krahmer 2004-03-22 17:38:26 UTC

<!-- SBZ_reproduce  -->
Exploit exists. If you need it for testing I will send
it to you.

Comment 2 Sebastian Krahmer 2004-03-22 17:44:04 UTC

Created attachment 16953 [details]
the fix ffrom Derek

Comment 3 Adrian Schröter 2004-03-22 17:58:24 UTC

patch is submitted to STABLE. 
 
Are all versions affected ?

Comment 4 Sebastian Krahmer 2004-03-22 18:00:54 UTC

Yes, so far I know.
Do you need patchinfos?

Comment 5 Adrian Schröter 2004-03-22 18:07:25 UTC

can we postpone the fixes for older release after 9.1 Master ? 
 
patchinfos are not the problem, but the 9.0 already contains a version, where 
patched code not exists at all. I don't think I can do this within a day ..

Comment 6 Sebastian Krahmer 2004-03-22 18:14:23 UTC

Um, I am not sure I understand you correctly. The patch applies clean
to SL 8.0, 8.1, 8.2? But not to Sl 9.0 and 9.1 correct?

Comment 7 Adrian Schröter 2004-03-22 18:18:13 UTC

I only checked 9.1 and 9.0 yet. no problem with 9.1, but 9.0 already needs 
some more work. the patched code does not exist at all there and I need to 
understand what it is doing at all. (insert $FLAME_ABOUT_SPAGETTI_CODE). 
 
8.x will be much more work, I am sure.

Comment 8 Sebastian Krahmer 2004-03-22 21:17:55 UTC

The function to patch in client.c is still there:
call_in_directory(). And it makes sense to me. import.c however is missing
the cp == checks which the patch substitutes.
I will ask the author whether import.c needs fixing in earlier versions.

Comment 9 Sebastian Krahmer 2004-04-05 18:07:52 UTC

Created attachment 17910 [details]
The patch. "backported"

I removed all the sanity.sh and import.c changes since they are not necessary.
This one applied clean to 1.11.6, so I think it should not be a problem
to fix old boxes now. I will attach a second fix from Derek too,
which fixes some module bug. I also tried this one and it also
applies to older versions. With some line-offset :-)

Comment 10 Sebastian Krahmer 2004-04-05 18:08:23 UTC

Created attachment 17911 [details]
2nd necessary patch

...

Comment 11 Adrian Schröter 2004-04-08 00:02:05 UTC

thank you a lot. 
 
all packages have been submitted. 
closing this bug or reassign ?

Comment 12 Sebastian Krahmer 2004-04-09 17:11:20 UTC

No, please leave open. We need it for tracking.

Comment 13 Sebastian Krahmer 2004-04-09 17:15:37 UTC

I think there are patchinfo files missing. I will create them on monday,
as I think it will be useless today.

Comment 14 Sebastian Krahmer 2004-04-12 18:13:21 UTC

Created attachment 18205 [details]
patchfile

...

Comment 15 Sebastian Krahmer 2004-04-12 18:13:51 UTC

Created attachment 18206 [details]
patchfile for box

...

Comment 16 Sebastian Krahmer 2004-04-15 00:00:01 UTC

Packages have been approved and announced.

Comment 17 Thomas Biege 2009-10-13 20:18:32 UTC

CVE-2004-0180: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)