Bugzilla – Bug 74331
VUL-0: CVE-2005-0753: cvs: vulnerabilities in CVS
Last modified: 2021-09-26 10:47:03 UTC
Date: Tue, 22 Mar 2005 16:57:08 -0500
From: Derek Price <derek@ximbiot.com>
To: vendor-sec@lst.de, Mark D. Baushke <mdb@cvshome.org>, Larry Jones <lawrence.jones@ugs.com>
Subject: [vendor-sec] New CVS Vulnerabilities
Parts/Attachments:
  1.1 Shown 48 lines Text
  1.2 Shown 122 lines Text
  1.3 97 KB Application
  2 261 bytes Application, "OpenPGP digital signature"
----------------------------------------

Hi all,

Alen Zukich <alen.zukich@klocwork.com> sent me an in-depth defect analysis of the CVS sources, which I assume was generated by some sort of automated tool his company sells. Anyhow, most of the "defects" he reported were non-existent, simple memory leaks, or harmless, but several might be exploitable. I expect that the buffer overflow almost certainly is, though I haven't attempted it myself.

I've attached the patch for the problems I thought might be exploitable. None of these fixes have CVE #s. This is probably the first anyone besides myself and Alen (and maybe other folks at Klocwork) have heard the specifics.

I have also attached a copy of Alen's analysis for anyone who would like to review them and my responses. I've attached it as an Open Office 1.0 Text document since the file size is better than 1/10th of the original MS Word document, but I can send the original MS Word to whoever needs it.

Except for the four changes contained in the attached patch, anything that I noted as "committed" in my annotations of the analysis has been committed to either the 1.11.19.1 or 1.12.11.1 CVS sources.

I could probably release on fairly short notice. CVS 1.11.19.1 isn't compiling on an HP-UX and a Solaris but we should be able to fix that shortly. Any time 2 weeks from now to 1 month from now would be fine by me for a coordinated release.

Actionable items:

1. I'd appreciate a code review.
2. The attached patch wants at least one CVE #.
3. Agree on a release schedule.

Regards,
Derek
Created attachment 32647
The patch which was attached to the mail

Need to verify what this is.
Created attachment 32648
the attached description

...
Created attachment 32729
Additional comments from Derek Price
Hi, I reviewed the patch. We need it (attachment #1). Please prepare updates. Especially the rcs.c and patch.c hunks are important. For the other issues (from the Doc file) there is no patch yet and we don't need to care about it yet since release date for the real cvs issues (the ones fixed by the fix) is April 11th or April 18th.
Packages are submitted. Do you want to create the patchinfo files or shall I do it?
Hm, since you ask :-) Can you do the patchinfos and attach them here? I will SWAMP it.
Please tell me the SWAMP ID first ...
SM-Tracker-828
Created attachment 33211
cvs.patch.box
Created attachment 33212
cvs.patch.maintained
CAN-2005-0753
Packages and advisory released in time. Closing.
CVE-2005-0753: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)