Bug 54773 - (CVE-2004-0418) VUL-0: CVE-2004-0418: outstanding fix for cvs (for next security update)
(CVE-2004-0418)
VUL-0: CVE-2004-0418: outstanding fix for cvs (for next security update)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All Linux
: P3 - Medium : Major
: ---
Assigned To: Sebastian Krahmer
Security Team bot
CVE-2004-0418: CVSS v2 Base Score: 10...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-05-03 17:27 UTC by Adrian Schröter
Modified: 2021-10-13 14:11 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
the fix (680 bytes, patch)
2004-05-03 17:30 UTC, Sebastian Krahmer
Details | Diff
patchinfo (449 bytes, text/plain)
2004-05-03 18:25 UTC, Sebastian Krahmer
Details
patchinfo for box (451 bytes, text/plain)
2004-05-03 18:26 UTC, Sebastian Krahmer
Details
New fix from Derek, which calims to also fix interoperability issues with winCVS introduced by last fix (3.33 KB, patch)
2004-05-14 16:49 UTC, Sebastian Krahmer
Details | Diff
new fix, also covering CAN-2004-396 (4.91 KB, patch)
2004-05-21 16:40 UTC, Sebastian Krahmer
Details | Diff
Patch for the new vulnerabilities (6.11 KB, patch)
2004-05-28 17:38 UTC, Sebastian Krahmer
Details | Diff
rewritten patch for the esser+krahmer issues from Derek (63.74 KB, patch)
2004-06-01 17:00 UTC, Sebastian Krahmer
Details | Diff
The same patch for the krahmer-esser issues but for 1.12 (8.33 KB, patch)
2004-06-04 16:25 UTC, Sebastian Krahmer
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2004-05-03 17:27:11 UTC
Date: Sun, 2 May 2004 17:37:04 +0200
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de, joe@manyfish.co.uk, gstein@apache.org,
    brian@collab.net
Cc: s.esser@e-matters.de
Subject: [vendor-sec] CVS Pserver / Subversion / Neon remote vulnerabilities
Parts/Attachments:
   1 Shown    77 lines  Text
   2   OK     21 lines  Text
   3   OK     12 lines  Text
   4   OK     12 lines  Text
----------------------------------------

Hi to everyone addressed,

today I have to inform you about 3 vulnerabilities which are
from my point of view a serious threat.

The 3 vulnerabilities in question are:

1) CVS 1.12.7 (and older) pserver remote heap overflow

      Malformed "Entry" Lines in combination with Is-modified and Unchanged
      can be used to overflow malloc()ed memory. This was proofen to be
      exploitable.

2) Subversion 1.0.1 (and older) remote stack overflow

      A malicious revision date in a DAV/2 REPORT query, or a malicious
      revision date in a subversion get-dated-rev request can overflow
      the stack because of unsafe usage of sscanf(). 
      
      THIS is even exploitable with several stack overflow protectors,
      because overflowing one of the function parameters can be used
      to store an arbitrary value of 32-64 bits to any memory position
      within one of the called subfunctions. So it is f.e. possible
      to overwrite ONLY stored eip of the inner subfunction, before
      the stackoverflow is detected... 
      
      This was also proofen to be exploitable through DAV/2 REPORT
      but due to the nature of utf-8 strings it is somewhat harder to
      exploit.

3) Neon 0.24.5 (and older) remote stack overflow

      This vulnerability was NOT researched yet (because of lack of time)
      but it was found the same day as subversion and here also sscanf()
      is used in an unsafe manner. This will result in an overflow of
      a static heap varibale. I havent checked the layout yet. But I guess
      somehow it is exploitable.


Attached are fixes for these vulnerabilities. I hope the CVS, SVN and NEON
vendors can check their validity fast. Especially the CVS patch should be
checked. I believe it is okay but maybe Derek Price can verify that it does
not kill functionallity.

Due to the fact that CVS and NEON/SVN are meanwhile widely used I want to
contact some big CVS/SVN repositories before going public with this. f.e.
Samba just switched from CVS to SVN but still runs both afaik. This means
they are doubly vulnerable. I would like to know from you, who should get
prior notified.

Additionally I suggest these fixes do not go into publicy reachable CVS/SVN
trees before we have not notified some big repositories. Especially the 
CVS pserver bug could be known in the blackhat community for 1-2 years. At
least I heard from a trusted source that there is a pserver exploit. I have
no idea if this the bug I just found but I strongly believe the source is
not lieing. 
Oh well and it would also be good if all three things can be released at 
the same time. Especially neon+svn would be handy because they are connected
anyway...

Yours,
Stefan Esser
Comment 1 Sebastian Krahmer 2004-05-03 17:27:11 UTC
<!-- SBZ_reproduce  -->
Will attach fix shortly. Derek said the bug is probably also existant
in 1.11.x
Comment 2 Sebastian Krahmer 2004-05-03 17:30:14 UTC
Created attachment 18913 [details]
the fix

... Looks strange to me, so I asked him whether this is really the fix.
Comment 3 Adrian Schröter 2004-05-03 17:37:32 UTC
that code exists one time (not two times like in the patch) in 1.11 
 
not that I understand it at all ... 
Comment 4 Sebastian Krahmer 2004-05-03 17:40:34 UTC
The fix looks strange to mee too, but the author confirmed the fix is
correct (Derek) and is also correct for 1.11.
Comment 5 Adrian Schröter 2004-05-03 17:47:29 UTC
just for the record, the code exists also two times in some 1.11 releases. 
Comment 6 Adrian Schröter 2004-05-03 18:00:16 UTC
packages are ready to get submitted. I do only wait for ack that this is really  
the right fix. 
Comment 7 Sebastian Krahmer 2004-05-03 18:24:25 UTC
The fix is correct. According to Derek and the bug-finder. i created the
patchinfos. go ahead :)
Comment 8 Sebastian Krahmer 2004-05-03 18:25:52 UTC
Created attachment 18919 [details]
patchinfo

...
Comment 9 Sebastian Krahmer 2004-05-03 18:26:24 UTC
Created attachment 18920 [details]
patchinfo for box

...
Comment 10 Adrian Schröter 2004-05-03 19:04:12 UTC
packages are submitted. 
 
do you expect that I run edit_patchinfo or will you do it ? 
Comment 11 Sebastian Krahmer 2004-05-03 19:49:21 UTC
huh?
I think the patchinfos are aöready in place.
Comment 12 Adrian Schröter 2004-05-03 19:53:53 UTC
okay ...  
Comment 13 Sebastian Krahmer 2004-05-14 16:49:46 UTC
Created attachment 19603 [details]
New fix from Derek, which calims to also fix interoperability issues with winCVS introduced by last fix

We want to use this fix when the next update takes place.
Comment 14 Sebastian Krahmer 2004-05-19 17:14:27 UTC
CAN-2004-0396
Comment 15 Sebastian Krahmer 2004-05-19 20:05:26 UTC
packages approved and annoucned in SA-2004:013
Comment 16 Adrian Schröter 2004-05-19 20:30:49 UTC
<!-- SBZ_reopen -->Reopened by adrian@suse.de at Wed May 19 14:30:49 2004, took initial reporter krahmer@suse.de to cc
Comment 17 Adrian Schröter 2004-05-19 20:30:49 UTC
fine, I do reopen, because of the attached fix for next update. 
Comment 18 Sebastian Krahmer 2004-05-21 16:38:52 UTC
Ok. Theres a new Entry-based issue anyway. Will attach fix soon.
And, there will be come more for sure.

Date: Fri, 21 May 2004 09:03:26 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: Derek Robert Price <derek@ximbiot.com>
Cc: Stefan Esser <s.esser@e-matters.de>, Ben Reser <ben@reser.org>,
    Luis Villa <louie@ximian.com>, kfogel@collab.net,
    Greg Stein <gstein@lyra.org>, Brian Behlendorf <brian@collab.net>,
    vendor-sec@lst.de, joe@manyfish.co.uk, sussman@collab.net,
    cmpilato@collab.net, Mark D. Baushke <mdb@cvshome.org>,
    Larry Jones <lawrence.jones@ugsplm.com>,
    Jack Repenning <jrepenning@collab.net>
Subject: Re: Vendor-Sec Policies & Procedures? (was Re: [vendor-sec] Re:   
    CVS/SVN Prenotification Coordination)
Parts/Attachments:
   1 Shown      8 lines  Text
   2   OK    ~5.3 KB     Text, ""
----------------------------------------

> While looking into possibilities related to the first patch, I found
> yet another vulnerability based on a malformed Entry.  

Use CAN-2004-0414

Attached the diff between the server.c Derek sent and virgin 1.11.15 
(therefore this diff includes the fix for CAN-2004-0396 as well)

Mark
    [ Part 2, ""  Text/PLAIN (Name: "ccvs-exploit-20040521.diff")  116 ]
    [ lines. ]
    [ Not Shown. Use the "V" command to view or save this part. ]

Comment 19 Sebastian Krahmer 2004-05-21 16:40:48 UTC
Created attachment 20020 [details]
new fix, also covering CAN-2004-396
Comment 20 Adrian Schröter 2004-05-21 16:47:50 UTC
shall I start to update the packages or are shall I wait for more patches ? 
Comment 21 Sebastian Krahmer 2004-05-21 17:38:14 UTC
I think we should wait a bit. I will discuss this with Stefan. We are not
finished with the audit, too.
Comment 22 Sebastian Krahmer 2004-05-28 17:38:22 UTC
Created attachment 20405 [details]
Patch for the new vulnerabilities

The patch needs review, but should work.
Comment 23 Sebastian Krahmer 2004-05-28 17:39:16 UTC
Date: Thu, 27 May 2004 15:16:30 +0100 (BST)
From: Mark J Cox <mjc@redhat.com>
To: Derek Robert Price <derek@ximbiot.com>
Cc: Stefan Esser <s.esser@e-matters.de>, vendor-sec@lst.de
Subject: Re: [vendor-sec] Re: More BAD CVS news...

> I assume we'll be going the CVE & synchronized release route with this?

For CVE names:

I allocated CAN-2004-0414 for the no-null-termination "Entry" issue that
Derek found last week.

Out of the other issues as far as I can see these need names:

3. error_prog_name "double-free()" (SE)

use CAN-2004-0416

4. argument integer overflow (SK)

use CAN-2004-0417

6. serve_notify() out of bound writes (SK)

use CAN-2004-0418
Comment 24 Sebastian Krahmer 2004-06-01 17:00:49 UTC
Created attachment 20524 [details]
rewritten patch for the esser+krahmer issues from Derek

This is for 1.11.x
I think if this applies we can start building packages.
Do you need 1.12.x too?
Comment 25 Sebastian Krahmer 2004-06-02 17:51:46 UTC
Looks like June 9th is coordinated release date.
So we are a bit in a hurry. I am not avail on Thue. (tomorrow)
Comment 26 Adrian Schröter 2004-06-03 04:04:21 UTC
Sebastian, still awake ?  
  
I am right that we need only the patches from #24 and #19 now ? 
Comment 27 Sebastian Krahmer 2004-06-04 15:36:17 UTC
Yes, please go ahead.
Comment 28 Adrian Schröter 2004-06-04 16:20:50 UTC
Sebastian, I would be happy if you have a matching patch for 1.12 (for STABLE 
and cvs.kde.org). thanks. 
 
Comment 29 Sebastian Krahmer 2004-06-04 16:25:31 UTC
Created attachment 20697 [details]
The same patch for the krahmer-esser issues but for 1.12

...
Comment 30 Adrian Schröter 2004-06-04 22:42:53 UTC
packages are checked in. 
 
Sebastian, please close. 
Comment 31 Thomas Biege 2004-06-09 19:44:41 UTC
packages approved, advisory will go out in about 1 hour. 
Comment 32 Thomas Biege 2009-10-13 20:21:35 UTC
CVE-2004-0418: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)