Bugzilla – Bug 54773
VUL-0: CVE-2004-0418: outstanding fix for cvs (for next security update)
Last modified: 2021-10-13 14:11:24 UTC
Date: Sun, 2 May 2004 17:37:04 +0200
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de, joe@manyfish.co.uk, gstein@apache.org, brian@collab.net
Cc: s.esser@e-matters.de
Subject: [vendor-sec] CVS Pserver / Subversion / Neon remote vulnerabilities

Hi to everyone addressed,

today I have to inform you about 3 vulnerabilities which are from my point of view a serious threat. The 3 vulnerabilities in question are:

1) CVS 1.12.7 (and older) pserver remote heap overflow

Malformed "Entry" lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was proven to be exploitable.

2) Subversion 1.0.1 (and older) remote stack overflow

A malicious revision date in a DAV/2 REPORT query, or a malicious revision date in a subversion get-dated-rev request, can overflow the stack because of unsafe usage of sscanf(). THIS is even exploitable with several stack overflow protectors, because overflowing one of the function parameters can be used to store an arbitrary value of 32-64 bits to any memory position within one of the called subfunctions. So it is f.e. possible to overwrite ONLY the stored eip of the inner subfunction, before the stack overflow is detected... This was also proven to be exploitable through DAV/2 REPORT but due to the nature of utf-8 strings it is somewhat harder to exploit.

3) Neon 0.24.5 (and older) remote stack overflow

This vulnerability was NOT researched yet (because of lack of time) but it was found the same day as subversion and here also sscanf() is used in an unsafe manner. This will result in an overflow of a static heap variable. I haven't checked the layout yet. But I guess somehow it is exploitable.

Attached are fixes for these vulnerabilities. I hope the CVS, SVN and NEON vendors can check their validity fast. Especially the CVS patch should be checked. I believe it is okay but maybe Derek Price can verify that it does not kill functionality.

Due to the fact that CVS and NEON/SVN are meanwhile widely used I want to contact some big CVS/SVN repositories before going public with this. f.e. Samba just switched from CVS to SVN but still runs both afaik. This means they are doubly vulnerable. I would like to know from you who should get prior notified. Additionally I suggest these fixes do not go into publicly reachable CVS/SVN trees before we have notified some big repositories. Especially the CVS pserver bug could be known in the blackhat community for 1-2 years. At least I heard from a trusted source that there is a pserver exploit. I have no idea if this is the bug I just found but I strongly believe the source is not lying.

Oh well, and it would also be good if all three things can be released at the same time. Especially neon+svn would be handy because they are connected anyway...

Yours,
Stefan Esser
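The unsafe sscanf() pattern Stefan describes for revision-date parsing, shown beside a bounded version, as an added illustration that is not code from CVS, Subversion or neon; the "revision-date" keyword, the date layout and the function names are assumptions made for this example:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Assumed request shape for this example (not the Subversion or neon wire
 * format): a line "revision-date <date>" where the date looks like
 * "2004-05-02T17:37:04.000000Z", i.e. exactly DATE_MAX bytes. */
#define DATE_MAX 27
static const char DATE_MASK[] = "dddd-dd-ddTdd:dd:dd.ddddddZ"; /* d = digit */

/* The bug class: "%s" has no field width, so sscanf() writes as many
 * bytes as the peer sent into the fixed stack buffer. Shown only for
 * comparison; never call it on untrusted input. */
int parse_rev_date_unbounded(const char *line, char *out)
{
    char date[DATE_MAX + 1];
    if (sscanf(line, "revision-date %s", date) != 1)
        return -1;
    strcpy(out, date);
    return 0;
}

static int date_shape_ok(const char *d)
{
    if (strlen(d) != DATE_MAX)
        return 0;
    for (size_t i = 0; i < DATE_MAX; i++)
        if (DATE_MASK[i] == 'd' ? !isdigit((unsigned char)d[i]) : d[i] != DATE_MASK[i])
            return 0;
    return 1;
}

/* Hardened: the field width bounds the write ("%27s" must equal DATE_MAX),
 * %n exposes where scanning stopped so an overlong token is rejected
 * rather than silently truncated, and the shape is checked before copying. */
int parse_rev_date(const char *line, char *out, size_t outlen)
{
    char date[DATE_MAX + 1];
    int end = -1;
    if (outlen < sizeof date)
        return -1;
    if (sscanf(line, "revision-date %27s%n", date, &end) != 1 || end < 0)
        return -1;
    if (strlen(date) == DATE_MAX && line[end] != '\0' && !isspace((unsigned char)line[end]))
        return -1;   /* token was longer than the buffer: refuse it */
    if (!date_shape_ok(date))
        return -1;
    memcpy(out, date, DATE_MAX + 1);
    return 0;
}
```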
Will attach fix shortly. Derek said the bug is probably also existent in 1.11.x
Created attachment 18913 [details] the fix ... Looks strange to me, so I asked him whether this is really the fix.
That code exists one time (not two times like in the patch) in 1.11, not that I understand it at all ...
The fix looks strange to me too, but the author (Derek) confirmed the fix is correct and is also correct for 1.11.
just for the record, the code exists also two times in some 1.11 releases.
packages are ready to get submitted. I do only wait for ack that this is really the right fix.
The fix is correct, according to Derek and the bug-finder. I created the patchinfos. Go ahead :)
Created attachment 18919 [details] patchinfo ...
Created attachment 18920 [details] patchinfo for box ...
Packages are submitted. Do you expect that I run edit_patchinfo or will you do it?
Huh? I think the patchinfos are already in place.
okay ...
Created attachment 19603 [details] New fix from Derek, which claims to also fix interoperability issues with winCVS introduced by the last fix. We want to use this fix when the next update takes place.
CAN-2004-0396
Packages approved and announced in SA-2004:013
Reopened by adrian@suse.de at Wed May 19 14:30:49 2004, took initial reporter krahmer@suse.de to cc
fine, I do reopen, because of the attached fix for next update.
Ok. There's a new Entry-based issue anyway. Will attach fix soon. And there will come more for sure.

Date: Fri, 21 May 2004 09:03:26 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: Derek Robert Price <derek@ximbiot.com>
Cc: Stefan Esser <s.esser@e-matters.de>, Ben Reser <ben@reser.org>, Luis Villa <louie@ximian.com>, kfogel@collab.net, Greg Stein <gstein@lyra.org>, Brian Behlendorf <brian@collab.net>, vendor-sec@lst.de, joe@manyfish.co.uk, sussman@collab.net, cmpilato@collab.net, Mark D. Baushke <mdb@cvshome.org>, Larry Jones <lawrence.jones@ugsplm.com>, Jack Repenning <jrepenning@collab.net>
Subject: Re: Vendor-Sec Policies & Procedures? (was Re: [vendor-sec] Re: CVS/SVN Prenotification Coordination)

> While looking into possibilities related to the first patch, I found
> yet another vulnerability based on a malformed Entry.

Use CAN-2004-0414

Attached the diff between the server.c Derek sent and virgin 1.11.15 (therefore this diff includes the fix for CAN-2004-0396 as well)

Mark

[ Attachment: "ccvs-exploit-20040521.diff", 116 lines, not shown. ]
Created attachment 20020 [details] new fix, also covering CAN-2004-0396
Shall I start to update the packages or shall I wait for more patches?
I think we should wait a bit. I will discuss this with Stefan. We are not finished with the audit, too.
Created attachment 20405 [details] Patch for the new vulnerabilities The patch needs review, but should work.
Date: Thu, 27 May 2004 15:16:30 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: Derek Robert Price <derek@ximbiot.com>
Cc: Stefan Esser <s.esser@e-matters.de>, vendor-sec@lst.de
Subject: Re: [vendor-sec] Re: More BAD CVS news...

> I assume we'll be going the CVE & synchronized release route with this?

For CVE names: I allocated CAN-2004-0414 for the no-null-termination "Entry" issue that Derek found last week. Out of the other issues as far as I can see these need names:

3. error_prog_name "double-free()" (SE) use CAN-2004-0416
4. argument integer overflow (SK) use CAN-2004-0417
6. serve_notify() out of bound writes (SK) use CAN-2004-0418
Created attachment 20524 [details] rewritten patch for the esser+krahmer issues from Derek. This is for 1.11.x. I think if this applies we can start building packages. Do you need 1.12.x too?
Looks like June 9th is the coordinated release date. So we are a bit in a hurry. I am not available on Thue. (tomorrow)
Sebastian, still awake? Am I right that we need only the patches from #24 and #19 now?
Yes, please go ahead.
Sebastian, I would be happy if you have a matching patch for 1.12 (for STABLE and cvs.kde.org). thanks.
Created attachment 20697 [details] The same patch for the krahmer-esser issues but for 1.12 ...
Packages are checked in. Sebastian, please close.
Packages approved, advisory will go out in about 1 hour.
CVE-2004-0418: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)