Debian Bug report logs - #305254
cvs: Several security issues in CVS

Package: cvs; Maintainer for cvs is Thorsten Glaser <tg@mirbsd.de>; Source for cvs is src:cvs.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 18 Apr 2005 21:48:30 UTC

Severity: grave

Tags: security

Found in version 1:1.12.9-11

Fixed in version cvs/1:1.12.9-13

Done: Steve McIntyre <93sam@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#305254; Package cvs.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Steve McIntyre <93sam@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cvs: Several security issues in CVS
Date: Mon, 18 Apr 2005 23:45:01 +0200
Package: cvs
Version: 1:1.12.9-11
Severity: grave
Tags: security
Justification: user security hole

CVS 1.12.12 fixes several security issues:

* Thanks to a report from Alen Zukich <alen.zukich@klocwork.com>, several minor
  security issues have been addressed.  One was a buffer overflow that is
  potentially serious but which may not be exploitable, assigned CAN-2005-0753
  by the Common Vulnerabilities and Exposures Project
  <http://www.cve.mitre.org>.  Other fixes resulting from Alen's report include
  repair of an arbitrary free with no known exploit and several plugged memory
  leaks and potentially freed NULL pointers which may have been exploitable for
  a denial of service attack.

* Thanks to a report from Craig Monson <craig@malachiarts.com>, minor
  potential vulnerabilities in the contributed Perl scripts have been fixed.
  The confirmed vulnerability could allow the execution of arbitrary code on
  the CVS server, but only if a user already had commit access and if one of
  the contrib scripts was installed improperly, a condition which should have
  been quickly visible to any administrator.  The complete description of the
  problem is here: <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>.  If
  you were making use of any of the contributed trigger scripts on a CVS
  server, you should probably still replace them with the new versions, to be
  on the safe side.

  Unfortunately, our fix is incomplete.  Taint-checking has been enabled in all
  the contributed Perl scripts intended to be run as trigger scripts, but no
  attempt has been made to ensure that they still run in taint mode.  You will
  most likely have to tweak the scripts in some way to make them run.  Please
  send any patches you find necessary back to <bug-cvs@gnu.org> so that we may
  again ship fully enabled scripts in the future.

  You should also make sure that any home-grown Perl scripts that you might
  have installed as CVS triggers also have taint-checking enabled.  This can be
  done by adding `-T' on the scripts' #! lines.  Please try running
  `perldoc perlsec' if you would like more information on general Perl security
  and taint-checking.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages cvs depends on:
ii  debconf                     1.4.48       Debian configuration management sy
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- debconf information excluded
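
An added example, not part of the original report or of CVS itself: a shell audit for the check recommended above, listing the Perl scripts in a trigger directory whose `#!` line does not carry `-T`. The function names and the sample files it creates are constructed for illustration; point `audit_triggers` at the directory where your own trigger scripts live.

```shell
#!/bin/sh
# Added example: report Perl trigger scripts whose #! line lacks -T.

# has_taint_flag FILE -> 0: Perl with -T, 1: Perl without -T, 2: not Perl.
# The body is a subshell, so `set -f` and the variables stay local.
has_taint_flag() (
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 2
    case $first in '#!'*) ;; *) return 2 ;; esac
    set -f                               # no globbing while splitting
    set -- ${first#'#!'}                 # $1 = interpreter, rest = switches
    case ${1-} in */env) shift ;; esac   # "#!/usr/bin/env perl"
    case ${1-} in *perl*) shift ;; *) return 2 ;; esac
    for word in "$@"; do
        case $word in
            -[IMm]*) ;;                  # common switches that take an argument
            -*T*) return 0 ;;            # -T, -wT ...; lowercase -t only warns
        esac
    done
    return 1
)

# audit_triggers DIR: print Perl scripts in DIR lacking -T; status 1 if any.
audit_triggers() {
    missing=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        has_taint_flag "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf '%s\n' "$f"
            missing=1
        fi
    done
    return "$missing"
}

# demo: audit a temporary directory of constructed sample scripts.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/usr/bin/perl -wT\n'   > "$d/a_tainted"
    printf '#!/usr/bin/perl -w\n'    > "$d/b_untainted"
    printf '#! /usr/bin/perl -t\n'   > "$d/c_warn_only"
    printf '#!/bin/sh\n'             > "$d/d_shell"
    status=0
    audit_triggers "$d" || status=$?
    rm -rf "$d"
    return "$status"
}

demo || echo 'the scripts listed above need -T on their #! line'
```

A script that passes this check may still die at run time under taint mode until its inputs are untainted, which is the tweaking the announcement says the contributed scripts are likely to need.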



Information forwarded to debian-bugs-dist@lists.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#305254; Package cvs.

Acknowledgement sent to Margarita Manterola <debian@marga.com.ar>:
Extra info received and forwarded to list. Copy sent to Steve McIntyre <93sam@debian.org>.

Message #10 received at 305254@bugs.debian.org:

From: Margarita Manterola <debian@marga.com.ar>
To: 305254@bugs.debian.org
Subject: Additional info and links
Date: Fri, 22 Apr 2005 11:49:50 -0300
This security bug was first published by Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200504-16.xml

And has a CAN:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753

Please, do review the changes, I think a DSA is in order, and stable needs
to be fixed as well as uploading the new version to unstable.

Thanks!

-- 
 Bessos,    (o_
    Marga.  (\)_

Information forwarded to debian-bugs-dist@lists.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#305254; Package cvs.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Steve McIntyre <93sam@debian.org>.

Message #15 received at 305254@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: Margarita Manterola <debian@marga.com.ar>, 305254@bugs.debian.org
Subject: Re: Bug#305254: Additional info and links
Date: Fri, 22 Apr 2005 16:12:18 +0100
On Fri, Apr 22, 2005 at 11:49:50AM -0300, Margarita Manterola wrote:
>This security bug was first published by Gentoo:
>http://www.gentoo.org/security/en/glsa/glsa-200504-16.xml
>
>And has a CAN:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
>
>Please, do review the changes, I think a DSA is in order, and stable needs
>to be fixed as well as uploading the new version to unstable.

I'm looking at it now, thanks for the help.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html

Reply sent to Steve McIntyre <93sam@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #20 received at 305254-close@bugs.debian.org:

From: Steve McIntyre <93sam@debian.org>
To: 305254-close@bugs.debian.org
Subject: Bug#305254: fixed in cvs 1:1.12.9-13
Date: Wed, 27 Apr 2005 03:47:03 -0400
Source: cvs
Source-Version: 1:1.12.9-13

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive:

cvs_1.12.9-13.diff.gz
  to pool/main/c/cvs/cvs_1.12.9-13.diff.gz
cvs_1.12.9-13.dsc
  to pool/main/c/cvs/cvs_1.12.9-13.dsc
cvs_1.12.9-13_alpha.deb
  to pool/main/c/cvs/cvs_1.12.9-13_alpha.deb
cvs_1.12.9-13_i386.deb
  to pool/main/c/cvs/cvs_1.12.9-13_i386.deb
cvs_1.12.9-13_ia64.deb
  to pool/main/c/cvs/cvs_1.12.9-13_ia64.deb
cvs_1.12.9-13_mips.deb
  to pool/main/c/cvs/cvs_1.12.9-13_mips.deb
cvs_1.12.9-13_powerpc.deb
  to pool/main/c/cvs/cvs_1.12.9-13_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 305254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 27 Apr 2005 00:55:57 +0100
Source: cvs
Binary: cvs
Architecture: alpha i386 ia64 mips powerpc source 
Version: 1:1.12.9-13
Distribution: unstable
Urgency: high
Maintainer: Steve McIntyre <93sam@debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Description: 
 cvs        - Concurrent Versions System
Closes: 305254
Changes: 
 cvs (1:1.12.9-13) unstable; urgency=high
 .
   * Security fixes, hence high urgency.
   * Fixes for CAN-2005-0753:
     + Buffer overflow
     + Arbitrary free() call
     + Potential NULL dereference
   * Fixes for contrib perl scripts
   * Closes: #305254
Files: 
 30856918fdcbe6d673b3bdfdcb282b02 1444386 devel optional cvs_1.12.9-13_i386.deb
 3cf1cfcb5eadd98fe273eeebe95fb90d 1602686 devel optional cvs_1.12.9-13_ia64.deb
 8df840f5f09dc0670a51f74ce7fe3077 695 devel optional cvs_1.12.9-13.dsc
 bfad77ad2af9bccedc0ec09f8f719933 1463028 devel optional cvs_1.12.9-13_powerpc.deb
 de78534409951b641c81e59c16315225 1471640 devel optional cvs_1.12.9-13_mips.deb
 f45d1b0525e46a69f43a5dd2b023cfdf 66710 devel optional cvs_1.12.9-13.diff.gz
 fba155872863955060a2ab629927da5e 1526552 devel optional cvs_1.12.9-13_alpha.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCbz7LfDt5cIjHwfcRAjagAKCLNiyY1fiw/oJhp6+yGzp66/DvwQCeNk47
JdPgKjQJEpwqVI5dOZdk8so=
=4XVL
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:42:00 2014; Machine Name: beach.debian.org
