Bug 74331 (CVE-2005-0753)

Summary: VUL-0: CVE-2005-0753: cvs: vulnerabilities in CVS
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0753: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  The patch which was attached to the mail
  the attached description
  Additional comments from Derek Price
  cvs.patch.box
  cvs.patch.maintained

Description Sebastian Krahmer 2005-03-23 10:17:42 UTC
Date: Tue, 22 Mar 2005 16:57:08 -0500
From: Derek Price <derek@ximbiot.com>
To: vendor-sec@lst.de, Mark D. Baushke <mdb@cvshome.org>,
    Larry Jones <lawrence.jones@ugs.com>
Subject: [vendor-sec] New CVS Vulnerabilities
Parts/Attachments:
   1.1 Shown     48 lines  Text
   1.2 Shown    122 lines  Text
   1.3           97 KB     Application
   2            261 bytes  Application, "OpenPGP digital signature"
----------------------------------------

Hi all,

Alen Zukich <alen.zukich@klocwork.com> sent me an in-depth defect
analysis of the CVS sources, which I assume was generated by some sort
of automated tool his company sells.

Anyhow, most of the "defects" he reported were non-existent, simple
memory leaks, or harmless, but several might be exploitable.  I expect
that the buffer overflow almost certainly is, though I haven't attempted
it myself.  I've attached the patch for the problems I thought might be
exploitable.

None of these fixes have CVE #s.  This is probably the first anyone
besides myself and Alen (and maybe other folks at Klocwork) have heard
the specifics.

I have also attached a copy of Alen's analysis for anyone who would like
to review them and my responses.  I've attached it as an Open Office 1.0
Text document since the file size is better than 1/10th of the original
MS Word document, but I can send the original MS Word to whoever needs
it.  Except for the four changes contained in the attached patch,
anything that I noted as "committed" in my annotations of the analysis
has been committed to either the 1.11.19.1 or 1.12.11.1 CVS sources.

I could probably release on fairly short notice.  CVS 1.11.19.1 isn't
compiling on an HP-UX and a Solaris but we should be able to fix that
shortly.  Any time 2 weeks from now to 1 month from now would be fine by
me for a coordinated release.

Actionable items:

  1. I'd appreciate a code review.

  2. The attached patch wants at least one CVE #.

  3. Agree on a release schedule.


Regards,

Derek

Comment 1 Sebastian Krahmer 2005-03-23 10:20:21 UTC
Created attachment 32647
The patch which was attached to the mail

Need to verify what this is.

Comment 2 Sebastian Krahmer 2005-03-23 10:22:18 UTC
Created attachment 32648
the attached description

...

Comment 3 Ludwig Nussel 2005-03-24 10:19:09 UTC
Created attachment 32729
Additional comments from Derek Price

Comment 4 Sebastian Krahmer 2005-04-05 09:02:33 UTC
Hi,

I reviewed the patch. We need it (attachment #1). Please prepare
updates. Especially the rcs.c and patch.c hunks are important.
For the other issues (from the Doc file) there is no patch yet
and we don't need to care about it yet since release date
for the real cvs issues (the ones fixed by the fix) is April 11th or
April 18th.

Comment 5 Adrian Schröter 2005-04-05 09:06:31 UTC
packages are submitted. Do you want to create the patchinfo files or shall I do?

Comment 6 Sebastian Krahmer 2005-04-05 09:09:42 UTC
Hm, since you ask :-) Can you do the patchinfos and attach them here?
I will SWAMP it.

Comment 7 Adrian Schröter 2005-04-05 09:11:56 UTC
please tell the SWAMP ID first ...

Comment 8 Sebastian Krahmer 2005-04-05 09:13:54 UTC
SM-Tracker-828

Comment 9 Adrian Schröter 2005-04-05 09:36:28 UTC
Created attachment 33211
cvs.patch.box

Comment 10 Adrian Schröter 2005-04-05 09:36:46 UTC
Created attachment 33212
cvs.patch.maintained

Comment 11 Sebastian Krahmer 2005-04-18 08:17:23 UTC
CAN-2005-0753

Comment 12 Sebastian Krahmer 2005-04-18 14:40:12 UTC
Packages and advisory released in time. Closing.

Comment 13 Thomas Biege 2009-10-13 21:13:00 UTC
CVE-2005-0753: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)