Bug 38765

Summary: CVS Daemon Vulnerability in 1.11.1p1
Product: Base System
Reporter: Alex Dupre <sysadmin>
Component: bin
Assignee: Peter Wemm <peter>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description Alex Dupre 2002-05-31 09:50:01 UTC
Due to a boundary condition error, it may be possible for a local attacker
to execute arbitrary code. The rcs.c file contains an off-by-one error that
could result in an attacker overwriting portions of stack memory, and
executing arbitrary code.

Fix: 

Download cvs-1.11.2 from:
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&dlID=115
and import it into src/contrib/cvs following FREEBSD-upgrade instructions.
Comment 1 Makoto Matsushita 2002-05-31 16:48:05 UTC
sysadmin> Due to a boundary condition error, it may be possible for a
sysadmin> local attacker to execute arbitrary code. The rcs.c file
sysadmin> contains an off-by-one error that could result in an
sysadmin> attacker overwriting portions of stack memory, and executing
sysadmin> arbitrary code.

Is this bug fixed *really* in cvs-1.11.2?  How did you confirm that?

According to http://ccvs.cvshome.org/source/browse/ccvs/src/rcs.c, rev
1.259 is the fix.  However, this change occurred *after* 1.11.2 was
released.  And, cvs-1.11.1 doesn't have this code.  Sorry if I'm wrong.

-- -
Makoto `MAR' Matsushita
Comment 2 Alex Dupre 2002-05-31 17:15:49 UTC
Makoto Matsushita wrote:
> Is this bug fixed *really* in cvs-1.11.2?  How did you confirm that?
> 
> According to http://ccvs.cvshome.org/source/browse/ccvs/src/rcs.c, rev
> 1.259 is the fix.  However, this change occurred *after* 1.11.2 was
> released.  And, cvs-1.11.1 doesn't have this code.  Sorry if I'm wrong.

Nope, you are right. I thought it was fixed in 1.11.2, as reported by 
securityfocus (http://online.securityfocus.com/bid/4829/solution/). But the 
truth is that it's been fixed later, after the release. So it's not enough 
to update to the latest release.

-- 
Alex Dupre                             sysadmin@alexdupre.com
http://www.alexdupre.com/              alex@sm.FreeBSD.org
Comment 3 Makoto Matsushita 2002-05-31 17:30:51 UTC
sysadmin> Nope, you are right. I thought it was fixed in 1.11.2, as
sysadmin> reported by securityfocus
sysadmin> (http://online.securityfocus.com/bid/4829/solution/).

Ya, this report says other points; my assumption is not correct.

<URL:http://online.securityfocus.com/archive/1/274281> shows the
correct information.  This problem is fixed in src/rcs.c rev 1.252,
which is between cvs-1.11.1 and cvs-1.11.2; FreeBSD's cvs has this bug.

-- -
Makoto `MAR' Matsushita
Comment 4 Johan Karlsson freebsd_committer freebsd_triage 2002-08-20 19:33:42 UTC
Responsible Changed
From-To: freebsd-bugs->peter

Over to cvs maintainer. 

Peter, does our cvs version have this problem, and is this a good reason
to upgrade cvs to the latest release?
Comment 5 Alex Dupre 2003-02-19 11:34:19 UTC
Close this obsolete PR, please.

-- 
Alex Dupre                             sysadmin@alexdupre.com
http://www.alexdupre.com/              alex@sm.FreeBSD.org
Comment 6 Alex Dupre 2003-08-02 23:37:53 UTC
Still waiting to be closed :)

-- 
Alex Dupre                             sysadmin@alexdupre.com
http://www.alexdupre.com/              alex@sm.FreeBSD.org

Today's excuse: Change your language to Finnish.
Comment 7 Alex Dupre freebsd_committer freebsd_triage 2004-01-22 23:18:51 UTC
State Changed
From-To: open->closed

Obsolete PR.