Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2004-0418: outstanding fix for cvs (for next security update) | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Adrian Schröter <adrian.schroeter> |
| Component: | Incidents | Assignee: | Sebastian Krahmer <krahmer> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | krahmer, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-0418: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2004-0396:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Attachments:

- the fix
- patchinfo
- patchinfo for box
- New fix from Derek, which claims to also fix interoperability issues with winCVS introduced by last fix
- new fix, also covering CAN-2004-396
- Patch for the new vulnerabilities
- rewritten patch for the esser+krahmer issues from Derek
- The same patch for the krahmer-esser issues but for 1.12

Description
Sebastian Krahmer
2004-05-03 17:27:11 UTC
Will attach fix shortly. Derek said the bug is probably also existent in 1.11.x

Created attachment 18913 [details]
the fix
... Looks strange to me, so I asked him whether this is really the fix.
that code exists one time (not two times like in the patch) in 1.11 not that I understand it at all ...

The fix looks strange to me too, but the author confirmed the fix is correct (Derek) and is also correct for 1.11.

just for the record, the code exists also two times in some 1.11 releases.

packages are ready to get submitted. I do only wait for ack that this is really the right fix.

The fix is correct. According to Derek and the bug-finder.

i created the patchinfos. go ahead :)

Created attachment 18919 [details]
patchinfo
...
Created attachment 18920 [details]
patchinfo for box
...
packages are submitted. do you expect that I run edit_patchinfo or will you do it ?

huh? I think the patchinfos are already in place.

okay ...

Created attachment 19603 [details]
New fix from Derek, which claims to also fix interoperability issues with winCVS introduced by last fix
We want to use this fix when the next update takes place.
CAN-2004-0396 packages approved and announced in SA-2004:013

Reopened by adrian@suse.de at Wed May 19 14:30:49 2004, took initial reporter krahmer@suse.de to cc

fine, I do reopen, because of the attached fix for next update.

Ok. There's a new Entry-based issue anyway. Will attach fix soon. And, there will be come more for sure.

Date: Fri, 21 May 2004 09:03:26 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: Derek Robert Price <derek@ximbiot.com>
Cc: Stefan Esser <s.esser@e-matters.de>, Ben Reser <ben@reser.org>, Luis Villa <louie@ximian.com>, kfogel@collab.net, Greg Stein <gstein@lyra.org>, Brian Behlendorf <brian@collab.net>, vendor-sec@lst.de, joe@manyfish.co.uk, sussman@collab.net, cmpilato@collab.net, Mark D. Baushke <mdb@cvshome.org>, Larry Jones <lawrence.jones@ugsplm.com>, Jack Repenning <jrepenning@collab.net>
Subject: Re: Vendor-Sec Policies & Procedures? (was Re: [vendor-sec] Re: CVS/SVN Prenotification Coordination)
Parts/Attachments:
  1 Shown 8 lines Text
  2 OK ~5.3 KB Text, ""
----------------------------------------

> While looking into possibilities related to the first patch, I found
> yet another vulnerability based on a malformed Entry.

Use CAN-2004-0414

Attached the diff between the server.c Derek sent and virgin 1.11.15 (therefore this diff includes the fix for CAN-2004-0396 as well)

Mark

[ Part 2, "" Text/PLAIN (Name: "ccvs-exploit-20040521.diff") 116 ]
[ lines. ]
[ Not Shown. Use the "V" command to view or save this part. ]

Created attachment 20020 [details]
new fix, also covering CAN-2004-396
shall I start to update the packages or shall I wait for more patches ?

I think we should wait a bit. I will discuss this with Stefan. We are not finished with the audit, too.

Created attachment 20405 [details]
Patch for the new vulnerabilities
The patch needs review, but should work.
Date: Thu, 27 May 2004 15:16:30 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: Derek Robert Price <derek@ximbiot.com>
Cc: Stefan Esser <s.esser@e-matters.de>, vendor-sec@lst.de
Subject: Re: [vendor-sec] Re: More BAD CVS news...

> I assume we'll be going the CVE & synchronized release route with this?

For CVE names: I allocated CAN-2004-0414 for the no-null-termination "Entry" issue that Derek found last week. Out of the other issues as far as I can see these need names:

3. error_prog_name "double-free()" (SE) use CAN-2004-0416
4. argument integer overflow (SK) use CAN-2004-0417
6. serve_notify() out of bound writes (SK) use CAN-2004-0418

Created attachment 20524 [details]
rewritten patch for the esser+krahmer issues from Derek
This is for 1.11.x
I think if this applies we can start building packages.
Do you need 1.12.x too?
Looks like June 9th is coordinated release date. So we are a bit in a hurry.

I am not avail on Thue. (tomorrow) Sebastian, still awake ? I am right that we need only the patches from #24 and #19 now ?

Yes, please go ahead.

Sebastian, I would be happy if you have a matching patch for 1.12 (for STABLE and cvs.kde.org). thanks.

Created attachment 20697 [details]
The same patch for the krahmer-esser issues but for 1.12
...
packages are checked in. Sebastian, please close.

packages approved, advisory will go out in about 1 hour.

CVE-2004-0418: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)