Published: 2004-08-06 00:00:00
Revised: 2018-05-02 21:29:25

[Original] Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.

[CNNVD] CVS wrapper.c remote format string handling vulnerability (CNNVD-200408-100)

        Concurrent Versions System (CVS) is an open-source version control system.
        The CVS wrapper file has a format string problem; a remote attacker can exploit it to mount a denial-of-service attack against CVS or to execute arbitrary instructions on the system with the privileges of the CVS process.
        The CVS wrapper file allows format strings to be specified, and the CVS server accepts them without any filtering or checking, so a malformed wrapper line can crash the server or possibly execute arbitrary instructions. Note that an attacker needs CVSROOT commit access to trigger this, which is generally a high access level.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:openpkg:openpkg:1.3  OpenPKG 1.3
cpe:/a:openpkg:openpkg:2.0  OpenPKG 2.0
cpe:/a:sgi:propack:2.4  SGI ProPack 2.4
cpe:/a:sgi:propack:3.0  SGI ProPack 3.0
cpe:/o:gentoo:linux:1.4  Gentoo Linux 1.4
cpe:/o:openbsd:openbsd:3.4  OpenBSD 3.4
cpe:/o:openbsd:openbsd:3.5  OpenBSD 3.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11145  Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may ...
oval:org.mitre.oval:def:1001  Integer overflow in the "Max-dotdot" CVS protocol command

- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  SGI  20040605-01-U
(UNKNOWN)  FULLDISC  20040609 Advisory 09/2004: More CVS remote vulnerabilities
(UNKNOWN)  BUGTRAQ  20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)

- Vulnerability information

CVS wrapper.c remote format string handling vulnerability
Medium  Unknown
2004-08-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches

        Alternatively, NSFOCUS recommends running a CVS server chrooted over SSH instead of the :pserver: mode:

- Vulnerability information (F33521)

092004.txt (PacketStormID:F33521)
2004-06-10 00:00:00
Stefan Esser

A team audit of the CVS codebase has revealed more security related problems. The vulnerabilities discovered include exploitable, potentially exploitable and simple crash bugs. Vulnerable versions are CVS feature releases up to 1.12.8 and stable release up to 1.11.16.


                           e-matters GmbH

                      -= Security  Advisory =-

     Advisory: More CVS remote vulnerabilities
 Release Date: 2004/06/09
Last Modified: 2004/06/09
       Author: Stefan Esser []

  Application: CVS feature release <= 1.12.8
               CVS stable release  <= 1.11.16
     Severity: Vulnerabilities within CVS allow remote compromise of
               CVS servers.
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.


   Concurrent Versions System (CVS) is the dominant open-source version 
   control software that allows developers to access the latest code using
   a network connection. 
   A team audit of the CVS codebase has revealed more security related
   problems. The vulnerabilities discovered include exploitable, potentially
   exploitable and simple crash bugs.
   During the analysis of the hack incident Derek Robert Price
   discovered a null-termination issue in the patch for the previous
   CVS security issue. This issue was not deeply analysed but it is
   believed that it can only cause crashes.
   At the same time Sebastian Krahmer from SuSE and I started together
   a deeper audit of the CVS codebase. This process revealed several 
   problems which are listed below. This includes those found by S. Krahmer
   [ error_prog_name "double-free()" - found by SE ]
   The "Argumentx" command allows to add more data to a previously supplied
   argument. This is done by reallocating the last stored argument.
   Unfourtunately "Argumentx" does not check if there is any argument in
   the argument list. If the list is empty realloc() will be called on a
   pointer that should not get touched at all, because it will get free()d
   when the client disconnect. This "double-free()" bug has been exploited
   successfully on several linux systems.
   [ wrapper.c format string issues - found by SE ]
   The CVS wrapper file allows to specify format strings. These strings are
   trusted by the CVS server without any sanity check. A malformed wrapper
   line could crash the server or possibly execute arbitrary code. However
   an attacker needs CVSROOT commit access to trigger this, which is the
   highest access level.
   [ serve_max_dotdot integer overflow - found by SE ]
   An integer overflow within the "Max-dotdot" CVS protocol command allows
   crashing the CVS server. While CVS server processes are usually forked
   a crash usually leaves data in the temporary file directory. This means
   on non partitioned servers this bug could be used to fill the hard-disk
   to the rim.
   [ serve_notify() out of bound writes - found by SK ]
   Serve_notify() does not properly handle empty data lines. If an empty 
   data line is supplied by an attacker serve_notify() will access data 
   outside the allocated buffer. If a specific memory layout is met, this
   can be abused to write a single byte outside the buffer. Depending on
   the underlying memory allocating routines, this could be used to 
   execute arbitrary system on the target system. An exploit for this
   problem is not yet finished.
   [ getline == 0 bugs - found by SK ]
   When reading some configuration files from CVSROOT empty lines could
   cause one byte underflows. Because an attacker needs CVSROOT commit 
   access to trigger this bug it was not further analysed. Additionally
   this bug should only cause problems on big endian systems.
   [ Argument (and other) integer overflows - found by SK ]
   With the new release a bunch of possible integer multiplication overflows
   are fixed. Some of them are only triggerable with CVS commit access or
   with huge amounts of data. In cases like the Argument command the
   overflow is not triggerable, because the requested allocation size will 
   exceed the free address space before the overflow can happen. This results
   in realloc() returning a NULL pointer which is then used as base pointer
   for following array accesses. If an attacker is able to cause realloc()
   to fail in the right moment this may allow him to overwrite vital data
   structures with pointers to his data.
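   As an added illustration of the defensive checks the "Argumentx" finding
   and the "Argument (and other) integer overflows" finding call for, the
   following hypothetical growable argument list is not CVS code and not
   e-matters' material; the names arglist, arglist_add and
   arglist_extend_last are assumptions. It rejects an "extend the last
   argument" request when the list is empty, checks the count-times-size
   product before calling realloc(), and never uses a NULL realloc() result
   as a base pointer, which is the pattern the advisory describes as
   allowing vital data structures to be overwritten.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable argument list, added as an illustration; it is not
 * CVS code. It shows the three checks the advisory's findings point at:
 * an "Argumentx"-style extend must refuse an empty list, element-count *
 * element-size must be checked for overflow before realloc(), and a NULL
 * return from realloc() must never be used as a base pointer. */
typedef struct {
    char **items;    /* owned, NUL-terminated strings */
    size_t count;
    size_t capacity;
} arglist;

/* Overflow-safe count * elem. Returns 1 and stores the product in *out,
 * or returns 0 (leaving *out untouched) if it would not fit in size_t. */
int checked_mul(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

void arglist_init(arglist *a)
{
    a->items = NULL;
    a->count = 0;
    a->capacity = 0;
}

/* Frees every string and the array, then resets the struct so that a later
 * realloc() or free() on a stale pointer cannot turn into a double free. */
void arglist_free(arglist *a)
{
    for (size_t i = 0; i < a->count; i++)
        free(a->items[i]);
    free(a->items);
    arglist_init(a);
}

/* "Argument": append a copy of s. Returns 1 on success, 0 on failure; the
 * list is left unchanged on failure. */
int arglist_add(arglist *a, const char *s)
{
    if (a->count == a->capacity) {
        size_t newcap = a->capacity ? a->capacity * 2 : 4;
        size_t bytes;
        if (newcap < a->capacity || !checked_mul(newcap, sizeof(char *), &bytes))
            return 0;                 /* allocation size would overflow */
        char **grown = realloc(a->items, bytes);
        if (grown == NULL)
            return 0;                 /* keep the old array; never index NULL */
        a->items = grown;
        a->capacity = newcap;
    }
    size_t len = strlen(s);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return 0;
    memcpy(copy, s, len + 1);
    a->items[a->count++] = copy;
    return 1;
}

/* "Argumentx": append more bytes to the last argument. The advisory's bug
 * was reallocating "the last argument" when no argument existed; here an
 * empty list is simply rejected. */
int arglist_extend_last(arglist *a, const char *more)
{
    if (a->count == 0)
        return 0;                     /* nothing to extend */
    char *last = a->items[a->count - 1];
    size_t oldlen = strlen(last), addlen = strlen(more);
    if (addlen > SIZE_MAX - oldlen - 1)
        return 0;                     /* combined length would overflow */
    char *grown = realloc(last, oldlen + addlen + 1);
    if (grown == NULL)
        return 0;                     /* old string is still valid and owned */
    memcpy(grown + oldlen, more, addlen + 1);
    a->items[a->count - 1] = grown;
    return 1;
}

int main(void)
{
    /* Constructed sample: an Argument followed by an Argumentx continuation,
     * then an Argumentx against an empty list, which must be refused. */
    arglist a, empty;
    arglist_init(&a);
    arglist_init(&empty);
    int ok = arglist_add(&a, "ab") && arglist_extend_last(&a, "cd");
    int refused = !arglist_extend_last(&empty, "x");
    arglist_free(&a);
    return (ok && refused) ? 0 : 1;
}
```

   The size check in arglist_add is the one the advisory says was missing
   from the fixed multiplication sites; the NULL check after realloc() is
   what prevents a failed allocation from becoming an address-zero base
   pointer for later array writes.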

Proof of Concept:

   e-matters is not going to release an exploit for any of these 
   vulnerabilities to the public.

Disclosure Timeline:

   20. May 2004  - Derek Robert Price informed vendor-sec and some
                   individuals about the hack and that he
                   found a bug that was introduced by the previous
                   security update
   21. May 2004  - Sebastian Krahmer and I reported to the same people,
                   that we had started on a team audit of CVS and already
                   had discovered some bugs
   27. May 2004  - A patch for the discovered vulnerabilities and
                   a final report about the problems was delivered
                   to those involved in the disclosure process
   28. May 2004  - Pre notification process started. The same parties
                   were warned
   09. June 2004 - Coordinated Public Disclosure

CVE Information:

   The Common Vulnerabilities and Exposures project ( has
   assigned the following names to the discussed vulnerabilities
        CAN-2004-0414 - no-null-termination of "Entry" lines
        CAN-2004-0416 - error_prog_name "double-free()"
        CAN-2004-0417 - Argument integer overflow
        CAN-2004-0418 - serve_notify() out of bounds writes
   Please note, that only CAN-2004-0416 was discovered by e-matters. For
   the other vulnerabilities within this advisory no additional names
   were assigned.


   An immediate update to the new version is recommended. Additionally you
   should consider running your CVS server chrooted over SSH instead of
   using the :pserver: method. You can find a tutorial on how to set up such
   a server at

   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC

Copyright 2004 Stefan Esser. All rights reserved.



- Vulnerability information

CVS Max-dotdot Overflow DoS
Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-06-10 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete