Bugzilla – Bug 51659
VUL-0: CVE-2004-0180: CVS pserver client side exploit
Last modified: 2021-10-09 08:33:36 UTC
CVS client accepts absolute pathnames during co/update. This allows for
"updating" arbitrary files such as /root/.bashrc.
CAN-2004-0180 has been assigned.
I will attach a fix from CVS boss.
<!-- SBZ_reproduce -->
Exploit exists. If you need it for testing I will send
it to you.
Created attachment 16953 [details]
the fix ffrom Derek
patch is submitted to STABLE.
Are all versions affected ?
Yes, so far I know.
Do you need patchinfos?
can we postpone the fixes for older release after 9.1 Master ?
patchinfos are not the problem, but the 9.0 already contains a version, where
patched code not exists at all. I don't think I can do this within a day ..
Um, I am not sure I understand you correctly. The patch applies clean
to SL 8.0, 8.1, 8.2? But not to Sl 9.0 and 9.1 correct?
I only checked 9.1 and 9.0 yet. no problem with 9.1, but 9.0 already needs
some more work. the patched code does not exist at all there and I need to
understand what it is doing at all. (insert $FLAME_ABOUT_SPAGETTI_CODE).
8.x will be much more work, I am sure.
The function to patch in client.c is still there:
call_in_directory(). And it makes sense to me. import.c however is missing
the cp == checks which the patch substitutes.
I will ask the author whether import.c needs fixing in earlier versions.
Created attachment 17910 [details]
The patch. "backported"
I removed all the sanity.sh and import.c changes since they are not necessary.
This one applied clean to 1.11.6, so I think it should not be a problem
to fix old boxes now. I will attach a second fix from Derek too,
which fixes some module bug. I also tried this one and it also
applies to older versions. With some line-offset :-)
Created attachment 17911 [details]
2nd necessary patch
thank you a lot.
all packages have been submitted.
closing this bug or reassign ?
No, please leave open. We need it for tracking.
I think there are patchinfo files missing. I will create them on monday,
as I think it will be useless today.
Created attachment 18205 [details]
Created attachment 18206 [details]
patchfile for box
Packages have been approved and announced.
CVE-2004-0180: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)