CVE-2004-0418
CVSS 10.0
Published: 2004-08-06 00:00:00
Last modified: 2016-10-17 22:45:13

[Original] serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.


[CNNVD] CVS serve_notify() Boundary Overflow Arbitrary Code Execution Vulnerability (CNNVD-200408-037)

        
Concurrent Versions System (CVS) is an open-source version control system.
CVS serve_notify() does not properly handle empty data lines. A remote attacker can exploit this to cause a denial of service against CVS or to execute arbitrary code on the system with the privileges of the CVS process.
If an attacker supplies an empty data line, serve_notify() accesses data outside the allocated buffer. If the memory layout is suitable, this can be exploited to write a single byte outside the buffer, and depending on the memory allocation routines in use, this can lead to arbitrary code execution on the target system.
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/a:cvs:cvs:1.11.10
cpe:/a:cvs:cvs:1.11.11
cpe:/a:sgi:propack:2.4 SGI ProPack 2.4
cpe:/a:sgi:propack:3.0 SGI ProPack 3.0
cpe:/a:cvs:cvs:1.11.16
cpe:/a:cvs:cvs:1.11.14
cpe:/a:cvs:cvs:1.11.15
cpe:/a:cvs:cvs:1.11.4
cpe:/o:openbsd:openbsd:3.4 OpenBSD 3.4
cpe:/a:cvs:cvs:1.11.1_p1
cpe:/a:cvs:cvs:1.11.3
cpe:/a:cvs:cvs:1.12.2
cpe:/a:openpkg:openpkg:1.3 OpenPKG 1.3
cpe:/a:cvs:cvs:1.11.2
cpe:/a:cvs:cvs:1.12.1
cpe:/a:cvs:cvs:1.11.1
cpe:/a:openpkg:openpkg:2.0 OpenPKG 2.0
cpe:/a:cvs:cvs:1.12.7
cpe:/a:cvs:cvs:1.10.8
cpe:/a:cvs:cvs:1.11
cpe:/a:openpkg:openpkg OpenPKG
cpe:/a:cvs:cvs:1.10.7
cpe:/a:cvs:cvs:1.11.6
cpe:/a:cvs:cvs:1.12.5
cpe:/a:cvs:cvs:1.11.5
cpe:/o:openbsd:openbsd:3.5 OpenBSD 3.5
cpe:/o:gentoo:linux:1.4 Gentoo Linux 1.4
cpe:/a:cvs:cvs:1.12.8
cpe:/o:openbsd:openbsd OpenBSD

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:11242 serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote att...
oval:org.mitre.oval:def:1003 CVS serve_notify Improper Handling of Empty Data Lines
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0418
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0418
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-037
(Official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
(UNKNOWN)  SGI  20040604-01-U
ftp://patches.sgi.com/support/free/security/advisories/20040605-01-U.asc
(UNKNOWN)  SGI  20040605-01-U
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022441.html
(UNKNOWN)  FULLDISC  20040609 Advisory 09/2004: More CVS remote vulnerabilities
http://marc.info/?l=bugtraq&m=108716553923643&w=2
(UNKNOWN)  BUGTRAQ  20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)
http://security.e-matters.de/advisories/092004.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/092004.html
http://security.gentoo.org/glsa/glsa-200406-06.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200406-06
http://www.debian.org/security/2004/dsa-519
(VENDOR_ADVISORY)  DEBIAN  DSA-519
http://www.mandriva.com/security/advisories?name=MDKSA-2004:058
(UNKNOWN)  MANDRAKE  MDKSA-2004:058
http://www.redhat.com/support/errata/RHSA-2004-233.html
(UNKNOWN)  REDHAT  RHSA-2004:233

- Vulnerability information

CVS serve_notify() Boundary Overflow Arbitrary Code Execution Vulnerability
Critical Unknown
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
CVS
---
The vendor has fixed this issue in versions 1.11.17 and 1.12.9; download them from the vendor's homepage:
https://ccvs.cvshome.org/files/documents/19/194/cvs-1.11.17.tar.gz
https://ccvs.cvshome.org/files/documents/19/201/cvs-1.12.9.tar.gz
Alternatively, NSFOCUS recommends running a chrooted CVS server over SSH instead of the :pserver: mode:

http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt

- Vulnerability information (F33521)

092004.txt (PacketStormID:F33521)
2004-06-10 00:00:00
Stefan Esser  security.e-matters.de
advisory,vulnerability
CVE-2004-0414,CVE-2004-0416,CVE-2004-0417,CVE-2004-0418

A team audit of the CVS codebase has revealed more security related problems. The vulnerabilities discovered include exploitable, potentially exploitable and simple crash bugs. Vulnerable versions are CVS feature releases up to 1.12.8 and stable release up to 1.11.16.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: More CVS remote vulnerabilities
 Release Date: 2004/06/09
Last Modified: 2004/06/09
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: CVS feature release <= 1.12.8
               CVS stable release  <= 1.11.16
     Severity: Vulnerabilities within CVS allow remote compromise of
               CVS servers.
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
    Reference: http://security.e-matters.de/advisories/092004.html


Overview:

   Concurrent Versions System (CVS) is the dominant open-source version 
   control software that allows developers to access the latest code using
   a network connection. 
   
   A team audit of the CVS codebase has revealed more security related 
   problems. The vulnerabilities discovered include exploitable, potentially
   exploitable and simple crash bugs.
   
   
Details:
   
   During the analysis of the cvshome.org hack incident Derek Robert Price
   discovered a null-termination issue in the patch for the previous
   CVS security issue. This issue was not deeply analysed but it is
   believed that it can only cause crashes.
   
   At the same time Sebastian Krahmer from SuSE and I started together
   a deeper audit of the CVS codebase. This process revealed several 
   problems which are listed below. This includes those found by S. Krahmer.
   
   [ error_prog_name "double-free()" - found by SE ]
   
   The "Argumentx" command allows adding more data to a previously supplied
   argument. This is done by reallocating the last stored argument.
   Unfortunately "Argumentx" does not check if there is any argument in
   the argument list. If the list is empty realloc() will be called on a
   pointer that should not get touched at all, because it will get free()d
   when the client disconnects. This "double-free()" bug has been exploited
   successfully on several Linux systems.
   
   [ wrapper.c format string issues - found by SE ]
   
   The CVS wrapper file allows specifying format strings. These strings are
   trusted by the CVS server without any sanity check. A malformed wrapper
   line could crash the server or possibly execute arbitrary code. However
   an attacker needs CVSROOT commit access to trigger this, which is the
   highest access level.
   
   [ serve_max_dotdot integer overflow - found by SE ]
   
   An integer overflow within the "Max-dotdot" CVS protocol command allows
   crashing the CVS server. While CVS server processes are usually forked
   a crash usually leaves data in the temporary file directory. This means
   on non partitioned servers this bug could be used to fill the hard-disk
   to the rim.
   
   [ serve_notify() out of bound writes - found by SK ]
   
   Serve_notify() does not properly handle empty data lines. If an empty 
   data line is supplied by an attacker serve_notify() will access data 
   outside the allocated buffer. If a specific memory layout is met, this
   can be abused to write a single byte outside the buffer. Depending on
   the underlying memory allocating routines, this could be used to 
   execute arbitrary code on the target system. An exploit for this
   problem is not yet finished.
   
   [ getline == 0 bugs - found by SK ]
   
   When reading some configuration files from CVSROOT empty lines could
   cause one byte underflows. Because an attacker needs CVSROOT commit 
   access to trigger this bug it was not further analysed. Additionally
   this bug should only cause problems on big endian systems.
   
   [ Argument (and other) integer overflows - found by SK ]
   
   With the new release a bunch of possible integer multiplication overflows
   are fixed. Some of them are only triggerable with CVS commit access or
   with huge amounts of data. In cases like the Argument command the
   overflow is not triggerable, because the requested allocation size will 
   exceed the free address space before the overflow can happen. This results
   in realloc() returning a NULL pointer which is then used as base pointer
   for following array accesses. If an attacker is able to cause realloc()
   to fail in the right moment this may allow him to overwrite vital data
   structures with pointers to his data.
   

Proof of Concept:

   e-matters is not going to release an exploit for any of these 
   vulnerabilities to the public.
   

Disclosure Timeline:

   20. May 2004  - Derek Robert Price informed vendor-sec and some
                   individuals about the cvshome.org hack and that he
                   found a bug that was introduced by the previous
                   security update
   21. May 2004  - Sebastian Krahmer and I reported to the same people,
                   that we had started on a team audit of CVS and already
                   had discovered some bugs
   27. May 2004  - A patch for the discovered vulnerabilities and
                   a final report about the problems was delivered
                   to those involved in the disclosure process
   28. May 2004  - Pre notification process started. The same parties
                   were warned
   09. June 2004 - Coordinated Public Disclosure

   
CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the following names to the discussed vulnerabilities
   
        CAN-2004-0414 - no-null-termination of "Entry" lines
   
        CAN-2004-0416 - error_prog_name "double-free()"
   
        CAN-2004-0417 - Argument integer overflow
   
        CAN-2004-0418 - serve_notify() out of bounds writes
   
   Please note, that only CAN-2004-0416 was discovered by e-matters. For
   the other vulnerabilities within this advisory no additional names
   were assigned.
   

Recommendation:

   Recommended is an immediate update to the new version. Additionally you
   should consider running your CVS server chrooted over SSH instead of 
   using the :pserver: method. You can find a tutorial how to setup such a
   server at
   
   http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt
   
   
GPG-Key:

   http://security.e-matters.de/gpg_key.asc
    
   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam 
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAxyajb31XLTAExLwRAsGhAKCtWZ4LPmhWGL5LPwLw0rdLcRJK9QCgzwAa
g8QiBoU/d9w24xQdZp22CO0=
=pJWH
-----END PGP SIGNATURE-----
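
The serve_notify() empty-line write and the "getline == 0" underflows described in the advisory above share one pattern: a trailing newline is stripped through line[len - 1] without first checking that len is greater than zero, so an empty line touches the byte just before the buffer. The C program below is an added illustration of that pattern beside its hardened form; it is not CVS's own code, the function names are invented, and the canary byte is a constructed stand-in for the "specific memory layout" the advisory refers to.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX 64

/* Vulnerable pattern (illustrative model, not CVS's own code): strip a trailing
 * newline by touching line[len - 1] without first checking that len > 0.  For an
 * empty line both the read and the write land on line[-1], whatever byte happens
 * to sit just before the buffer. */
static void strip_newline_unchecked(char *line, int len)
{
    if (line[len - 1] == '\n')
        line[len - 1] = '\0';
}

/* Hardened version: reject the empty line before any indexing.  Returns 0 when
 * the line was handled and -1 when it was empty, so the caller can drop the
 * request instead of processing it. */
static int strip_newline_checked(char *line, int len)
{
    if (len <= 0)
        return -1;
    if (line[len - 1] == '\n')
        line[len - 1] = '\0';
    return 0;
}

/* Harness: an arena whose first byte models the memory neighbouring the line
 * buffer.  `line` is arena + 1, so line[-1] is arena[0] and stays inside the
 * array (well-defined C); that lets us observe the underflow instead of crashing
 * on it.  The neighbour byte is seeded with '\n' to model the "specific memory
 * layout" the advisory mentions: only then does the unchecked read see a newline
 * and follow up with the one-byte out-of-bounds write.
 * Returns 1 if the neighbour byte was overwritten, 0 if not, -1 if the input is
 * too long for the buffer (a different bug, not the one modelled here). */
static int neighbour_clobbered(const char *input, int use_checked)
{
    char arena[1 + LINE_MAX];
    char *line = arena + 1;
    int len = (int)strlen(input);

    if (len >= LINE_MAX)
        return -1;
    arena[0] = '\n';
    memset(line, 0, LINE_MAX);
    memcpy(line, input, (size_t)len);

    if (use_checked)
        strip_newline_checked(line, len);
    else
        strip_newline_unchecked(line, len);

    return arena[0] != '\n';
}

int main(void)
{
    /* Constructed inputs: a normal protocol line and the empty data line the
     * advisory describes. */
    printf("normal line, unchecked: neighbour clobbered = %d\n",
           neighbour_clobbered("Notify foo\n", 0));
    printf("empty line,  unchecked: neighbour clobbered = %d\n",
           neighbour_clobbered("", 0));
    printf("empty line,  checked:   neighbour clobbered = %d\n",
           neighbour_clobbered("", 1));
    return 0;
}
```

The same length-before-index check is the review question to ask of any line-oriented parser that strips a terminator: every `buf[len - 1]` needs a preceding `len > 0` guard.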
    

- Vulnerability information

6834
CVS serve_notify Overflow Command Execution
Local Access Required, Remote / Network Access Denial of Service, Input Manipulation, Other
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A remote overflow exists in Concurrent Versions System. CVS fails to handle an empty data line input, resulting in a potential single-byte overflow. With a specially crafted request, an attacker can cause the execution of the supplied code resulting in a loss of confidentiality, integrity, and/or availability. Since the CVS system is used to version control source code, these flaws put the source code in the repository at risk of being changed. This could lead to future exploits of any software that was checked into the system. These problems were discovered after a system compromise. The subsequent CVS code audit discovered several issues. This should be considered a critical issue and any source code located on public CVS servers should be verified to be correct.

- Timeline

2004-06-09 2004-05-20
2004-05-20 Unknown

- Solution

Upgrade to version 1.11.17 Stable, 1.12.9 Devel or higher, as it has been reported to fix this vulnerability. Further, additional steps can be taken to help secure a CVS server.

- References

- Vulnerability author

- Vulnerability information

CVS Multiple Vulnerabilities
Unknown 10499
Yes No
2004-06-09 12:00:00 2009-07-12 05:16:00
Discovery of these issues is credited to Stefan Esser, Sebastian Krahmer, and Derek Robert Price.

- Affected program versions

SGI ProPack 3.0
SGI ProPack 2.4
OpenPKG OpenPKG 2.0
OpenPKG OpenPKG 1.3
OpenPKG OpenPKG Current
OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD -current
Gentoo Linux 1.4
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
FreeBSD FreeBSD 3.5.1 -STABLE
FreeBSD FreeBSD 3.5.1 -RELEASE
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.5 x
FreeBSD FreeBSD 3.5 -STABLEpre122300
FreeBSD FreeBSD 3.5 -STABLEpre050201
FreeBSD FreeBSD 3.5 -STABLE
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4 x
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3 x
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2 x
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1 x
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0 -RELENG
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2 x
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
FreeBSD FreeBSD 4.10-PRERELEASE
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x
CVS CVS 1.12.8
CVS CVS 1.12.7
CVS CVS 1.12.5
+ OpenPKG OpenPKG 2.0
CVS CVS 1.12.2
CVS CVS 1.12.1
+ OpenPKG OpenPKG 1.3
CVS CVS 1.11.16
CVS CVS 1.11.15
CVS CVS 1.11.14
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
CVS CVS 1.11.11
CVS CVS 1.11.10
CVS CVS 1.11.6
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
CVS CVS 1.11.5
+ OpenPKG OpenPKG 1.2
+ S.u.S.E. Linux Personal 8.2
CVS CVS 1.11.4
CVS CVS 1.11.3
CVS CVS 1.11.2
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Slackware Linux 8.1
CVS CVS 1.11.1 p1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ OpenBSD OpenBSD 3.5
+ OpenBSD OpenBSD 3.4
+ OpenBSD OpenBSD 3.3
+ OpenBSD OpenBSD 3.2
+ OpenBSD OpenBSD 3.1
+ Red Hat Linux 6.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 7+
CVS CVS 1.11.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
CVS CVS 1.11
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
CVS CVS 1.10.8
+ Conectiva Linux 6.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
CVS CVS 1.10.7
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
CVS CVS 1.12.9
+ Trustix Secure Linux 2.2
CVS CVS 1.11.17
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Red Hat Fedora Core3

- Unaffected program versions

CVS CVS 1.12.9
+ Trustix Secure Linux 2.2
CVS CVS 1.11.17
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Red Hat Fedora Core3

- Vulnerability discussion

CVS is prone to multiple vulnerabilities. The issues include a double free vulnerability, format string vulnerabilities, and integer overflows. There is also a null termination issue in the security patch for BID 10384, potentially leading to a server crash. Some of these issues may be leveraged to execute arbitrary code, while other issues may only result in a denial of service.

- Exploitation

The researchers who discovered these issues have developed working exploits for some of the reported vulnerabilities. These exploits are not publicly available or known to be circulating in the wild at the time of writing.

Exploit code has been supplied by Gyan Chawdhary for the double free heap corruption vulnerability (CAN-2004-0416).

- Solution

FreeBSD has released advisory FreeBSD-SA-04:14 addressing these issues. Please see the referenced advisory for further information on patches and fixes.

SuSE (SuSE-SA:2004:015) has released an advisory providing fixes for these issues. Please see the attached advisory for further information.

Red Hat has released an advisory (RHSA-2004:233-07) for Enterprise distributions to address these issues. Fixes may be applied via the Red Hat Network. Further information may be found in the attached advisory.

OpenBSD has released patches addressing these vulnerabilities. These patches fix OpenBSD 3.4 and 3.5. OpenBSD-current is also fixed in CVS as of June 9, 2004. Please see the referenced patches for information on applying them.

CVS version 1.11.17 has been released to address these issues in 1.11.x releases.

CVS version 1.12.9 has been released to address these issues in 1.12.x releases.

MandrakeSoft has released an advisory (MDKSA-2004:058) and provided fixes for these issues. Please see the attached advisory for further information.

Debian GNU/Linux has released an advisory DSA 517-1 addressing this issue. Please see the referenced advisory for further information.

Gentoo Linux has released advisory GLSA 200406-06 addressing this issue. Please see the referenced advisory for further information. Users of affected packages are urged to run the following commands as the superuser:
emerge sync
emerge -pv ">=dev-util/cvs-1.11.17"
emerge ">=dev-util/cvs-1.11.17"

OpenPKG has released advisory OpenPKG-SA-2004.027 addressing this issue. Please see the referenced advisory for further information.

Red Hat Fedora has released advisories FEDORA-2004-169 and FEDORA-2004-170 dealing with these issues. Please see the referenced advisories for more information.

Debian GNU/Linux has released an advisory DSA 519-1 addressing this issue. Please see the referenced advisory for further information.

SGI has released a security advisory (20040604-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.

SGI has released a security advisory (20040605-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

Slackware has released an advisory (SSA:2004-161-01) addressing this issue. Please see the referenced advisory for further information.

An Immunix Linux upgrade has been made available.

A Fedora legacy advisory is available that addresses various issues affecting cvs. This advisory contains fixes for the Red Hat Linux 7.3 and 9.0 operating systems running the i386 platform. Please see the referenced advisory to obtain more information.



- References

 

 
