Bugzilla – Full Text Bug Listing
Summary: VUL-0: CVE-2004-0418: outstanding fix for cvs (for next security update)
Product: [Novell Products] SUSE Security Incidents
Reporter: Adrian Schröter <adrian.schroeter>
Component: Incidents
Assignee: Sebastian Krahmer <krahmer>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Priority: P3 - Medium
CC: krahmer, security-team
Whiteboard: CVE-2004-0418: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2004-0396:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
- patchinfo for box
- New fix from Derek, which claims to also fix interoperability issues with winCVS introduced by last fix
- new fix, also covering CAN-2004-396
- Patch for the new vulnerabilities
- rewritten patch for the esser+krahmer issues from Derek
- The same patch for the krahmer-esser issues but for 1.12
Description Sebastian Krahmer 2004-05-03 17:27:11 UTC
Date: Sun, 2 May 2004 17:37:04 +0200
From: Stefan Esser <email@example.com>
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Cc: firstname.lastname@example.org
Subject: [vendor-sec] CVS Pserver / Subversion / Neon remote vulnerabilities

Hi to everyone addressed,

today I have to inform you about 3 vulnerabilities which are from my point of view a serious threat. The 3 vulnerabilities in question are:

1) CVS 1.12.7 (and older) pserver remote heap overflow

Malformed "Entry" lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was proven to be exploitable.

2) Subversion 1.0.1 (and older) remote stack overflow

A malicious revision date in a DAV/2 REPORT query, or a malicious revision date in a subversion get-dated-rev request, can overflow the stack because of unsafe usage of sscanf(). THIS is even exploitable with several stack overflow protectors, because overflowing one of the function parameters can be used to store an arbitrary value of 32-64 bits to any memory position within one of the called subfunctions. So it is f.e. possible to overwrite ONLY the stored eip of the inner subfunction, before the stack overflow is detected... This was also proven to be exploitable through DAV/2 REPORT but due to the nature of utf-8 strings it is somewhat harder to exploit.

3) Neon 0.24.5 (and older) remote stack overflow

This vulnerability was NOT researched yet (because of lack of time) but it was found the same day as subversion and here also sscanf() is used in an unsafe manner. This will result in an overflow of a static heap variable. I haven't checked the layout yet. But I guess somehow it is exploitable.

Attached are fixes for these vulnerabilities. I hope the CVS, SVN and NEON vendors can check their validity fast. Especially the CVS patch should be checked. I believe it is okay but maybe Derek Price can verify that it does not kill functionality.

Due to the fact that CVS and NEON/SVN are meanwhile widely used I want to contact some big CVS/SVN repositories before going public with this. F.e. Samba just switched from CVS to SVN but still runs both afaik. This means they are doubly vulnerable. I would like to know from you who should get prior notified. Additionally I suggest these fixes do not go into publicly reachable CVS/SVN trees before we have notified some big repositories. Especially the CVS pserver bug could be known in the blackhat community for 1-2 years. At least I heard from a trusted source that there is a pserver exploit. I have no idea if this is the bug I just found but I strongly believe the source is not lying.

Oh well, and it would also be good if all three things can be released at the same time. Especially neon+svn would be handy because they are connected anyway...

Yours,
Stefan Esser
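The bug class behind items 2) and 3) of the report above is a string conversion whose destination buffer is smaller than what sscanf() may write into it. The following is an added example, not code from CVS, Subversion, neon or from anyone on this bug: a bounded date-field parser in C that shows the mitigation side. The conversion width is tied to the destination buffer, input that does not fit is rejected instead of silently truncated, and the numeric fields are range-checked. The date layout (YYYY-MM-DDTHH:MM:SS), the field size, the function names and the sample inputs are all assumptions made for illustration.

```c
#include <stdio.h>

/* Added example, not code from CVS, Subversion or neon. The date layout,
 * the field size and the function names are assumptions for illustration. */

#define DATE_FIELD_MAX 31          /* assumed: largest date token we accept */
#define STR_(x) #x
#define STR(x) STR_(x)             /* turns 31 into "31" for the format string */

struct rev_date {
    int year, month, day, hour, min, sec;
};

/* Returns 1 and fills *out if `in` is a single well-formed date token that
 * fits the fixed-size field, 0 otherwise.
 *
 * The unsafe idiom is sscanf(in, "%s", buf) with no width: a token longer
 * than buf overruns the stack frame, which is the class of bug the report
 * describes. Here the width equals the buffer size minus one, %n reports how
 * much input was consumed, and anything left over is rejected. */
int parse_rev_date(const char *in, struct rev_date *out)
{
    char field[DATE_FIELD_MAX + 1];
    int consumed = 0;

    /* "%31s" never writes more than 31 characters plus the NUL into field. */
    if (sscanf(in, "%" STR(DATE_FIELD_MAX) "s%n", field, &consumed) != 1)
        return 0;
    if (in[consumed] != '\0')      /* token too long, or trailing garbage */
        return 0;

    /* Bounded numeric conversions; the trailing %n lets us check that the
     * whole token was consumed, so "2004-05-02T17:37:04junk" is rejected. */
    if (sscanf(field, "%4d-%2d-%2dT%2d:%2d:%2d%n",
               &out->year, &out->month, &out->day,
               &out->hour, &out->min, &out->sec, &consumed) != 6)
        return 0;
    if (field[consumed] != '\0')
        return 0;

    /* Syntax is not enough: reject nonsense values before they reach any
     * date arithmetic further down. */
    if (out->year < 0 || out->month < 1 || out->month > 12 ||
        out->day < 1 || out->day > 31 || out->hour < 0 || out->hour > 23 ||
        out->min < 0 || out->min > 59 || out->sec < 0 || out->sec > 60)
        return 0;
    return 1;
}

/* Yes/no wrapper for callers that do not need the parsed fields. */
int rev_date_is_valid(const char *in)
{
    struct rev_date d;
    return parse_rev_date(in, &d);
}

/* Returns 1 if `in` parses and every field equals the expected value. */
int rev_date_matches(const char *in, int y, int mo, int d, int h, int mi, int s)
{
    struct rev_date r;
    if (!parse_rev_date(in, &r))
        return 0;
    return r.year == y && r.month == mo && r.day == d &&
           r.hour == h && r.min == mi && r.sec == s;
}

int main(void)
{
    /* Constructed inputs: a valid date, an overlong token of the kind a
     * width-less %s would copy straight over the stack, and a bad month. */
    const char *samples[] = {
        "2004-05-02T17:37:04",
        "2004-05-02T17:37:04AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "2004-13-02T17:37:04",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-70.70s -> %s\n", samples[i],
               rev_date_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The same two checks apply to any fixed-size sscanf() target: a width on every `%s` (or `%[` ) conversion that is strictly smaller than the buffer, and a `%n` or length comparison afterwards so that an overlong token is treated as an error rather than accepted in truncated form.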
Comment 1 Sebastian Krahmer 2004-05-03 17:27:11 UTC
Will attach fix shortly. Derek said the bug is probably also existent in 1.11.x
Comment 2 Sebastian Krahmer 2004-05-03 17:30:14 UTC
Created attachment 18913: the fix

Looks strange to me, so I asked him whether this is really the fix.
Comment 3 Adrian Schröter 2004-05-03 17:37:32 UTC
That code exists one time (not two times like in the patch) in 1.11, not that I understand it at all ...
Comment 4 Sebastian Krahmer 2004-05-03 17:40:34 UTC
The fix looks strange to me too, but the author (Derek) confirmed the fix is correct and is also correct for 1.11.
Comment 5 Adrian Schröter 2004-05-03 17:47:29 UTC
Just for the record, the code also exists two times in some 1.11 releases.
Comment 6 Adrian Schröter 2004-05-03 18:00:16 UTC
Packages are ready to be submitted. I am only waiting for an ack that this is really the right fix.
Comment 7 Sebastian Krahmer 2004-05-03 18:24:25 UTC
The fix is correct, according to Derek and the bug-finder. I created the patchinfos. Go ahead :)
Comment 8 Sebastian Krahmer 2004-05-03 18:25:52 UTC
Created attachment 18919: patchinfo
Comment 9 Sebastian Krahmer 2004-05-03 18:26:24 UTC
Created attachment 18920: patchinfo for box
Comment 10 Adrian Schröter 2004-05-03 19:04:12 UTC
Packages are submitted. Do you expect that I run edit_patchinfo, or will you do it?
Comment 11 Sebastian Krahmer 2004-05-03 19:49:21 UTC
Huh? I think the patchinfos are already in place.
Comment 12 Adrian Schröter 2004-05-03 19:53:53 UTC
Comment 13 Sebastian Krahmer 2004-05-14 16:49:46 UTC
Created attachment 19603: New fix from Derek, which claims to also fix interoperability issues with winCVS introduced by last fix

We want to use this fix when the next update takes place.
Comment 14 Sebastian Krahmer 2004-05-19 17:14:27 UTC
Comment 15 Sebastian Krahmer 2004-05-19 20:05:26 UTC
Packages approved and announced in SA-2004:013
Comment 16 Adrian Schröter 2004-05-19 20:30:49 UTC
Reopened by email@example.com at Wed May 19 14:30:49 2004, took initial reporter firstname.lastname@example.org to cc
Comment 17 Adrian Schröter 2004-05-19 20:30:49 UTC
Fine, I reopen because of the attached fix for the next update.
Comment 18 Sebastian Krahmer 2004-05-21 16:38:52 UTC
Ok. There's a new Entry-based issue anyway. Will attach fix soon. And there will be more for sure.

Date: Fri, 21 May 2004 09:03:26 +0100 (BST)
From: Mark J Cox <email@example.com>
To: Derek Robert Price <firstname.lastname@example.org>
Cc: Stefan Esser <email@example.com>, Ben Reser <firstname.lastname@example.org>, Luis Villa <email@example.com>, firstname.lastname@example.org, Greg Stein <email@example.com>, Brian Behlendorf <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, Mark D. Baushke <email@example.com>, Larry Jones <firstname.lastname@example.org>, Jack Repenning <email@example.com>
Subject: Re: Vendor-Sec Policies & Procedures? (was Re: [vendor-sec] Re: CVS/SVN Prenotification Coordination)

> While looking into possibilities related to the first patch, I found
> yet another vulnerability based on a malformed Entry.

Use CAN-2004-0414

Attached the diff between the server.c Derek sent and virgin 1.11.15 (therefore this diff includes the fix for CAN-2004-0396 as well)

Mark

[Attachment "ccvs-exploit-20040521.diff", 116 lines, not shown.]
Comment 19 Sebastian Krahmer 2004-05-21 16:40:48 UTC
Created attachment 20020: new fix, also covering CAN-2004-396
Comment 20 Adrian Schröter 2004-05-21 16:47:50 UTC
Shall I start to update the packages, or shall I wait for more patches?
Comment 21 Sebastian Krahmer 2004-05-21 17:38:14 UTC
I think we should wait a bit. I will discuss this with Stefan. We are not finished with the audit either.
Comment 22 Sebastian Krahmer 2004-05-28 17:38:22 UTC
Created attachment 20405: Patch for the new vulnerabilities

The patch needs review, but should work.
Comment 23 Sebastian Krahmer 2004-05-28 17:39:16 UTC
Date: Thu, 27 May 2004 15:16:30 +0100 (BST)
From: Mark J Cox <firstname.lastname@example.org>
To: Derek Robert Price <email@example.com>
Cc: Stefan Esser <firstname.lastname@example.org>, email@example.com
Subject: Re: [vendor-sec] Re: More BAD CVS news...

> I assume we'll be going the CVE & synchronized release route with this?

For CVE names: I allocated CAN-2004-0414 for the no-null-termination "Entry" issue that Derek found last week. Out of the other issues as far as I can see these need names:

3. error_prog_name "double-free()" (SE) use CAN-2004-0416
4. argument integer overflow (SK) use CAN-2004-0417
6. serve_notify() out of bound writes (SK) use CAN-2004-0418
Comment 24 Sebastian Krahmer 2004-06-01 17:00:49 UTC
Created attachment 20524: rewritten patch for the esser+krahmer issues from Derek

This is for 1.11.x. I think if this applies we can start building packages. Do you need 1.12.x too?
Comment 25 Sebastian Krahmer 2004-06-02 17:51:46 UTC
Looks like June 9th is the coordinated release date. So we are a bit in a hurry. I am not available on Thu. (tomorrow).
Comment 26 Adrian Schröter 2004-06-03 04:04:21 UTC
Sebastian, still awake? Am I right that we need only the patches from #24 and #19 now?
Comment 27 Sebastian Krahmer 2004-06-04 15:36:17 UTC
Yes, please go ahead.
Comment 28 Adrian Schröter 2004-06-04 16:20:50 UTC
Sebastian, I would be happy if you have a matching patch for 1.12 (for STABLE and cvs.kde.org). thanks.
Comment 29 Sebastian Krahmer 2004-06-04 16:25:31 UTC
Created attachment 20697: The same patch for the krahmer-esser issues but for 1.12
Comment 30 Adrian Schröter 2004-06-04 22:42:53 UTC
Packages are checked in. Sebastian, please close.
Comment 31 Thomas Biege 2004-06-09 19:44:41 UTC
Packages approved, advisory will go out in about 1 hour.
Comment 32 Thomas Biege 2009-10-13 20:21:35 UTC
CVE-2004-0418: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)