Bug 113139 - CAN-2003-0977 CVS write outside of directories
Product: Red Hat Linux
Classification: Retired
Component: cvs
i386 Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Ben Levenson
: Security
Reported: 2004-01-08 15:57 EST by Steve Fox
Modified: 2007-04-18 13:01 EDT
Last Closed: 2004-01-14 09:45:27 EST
Description Steve Fox 2004-01-08 15:57:35 EST
Description of problem:
Here's the cvs-1.11.11 release announcement:

Stable CVS 1.11.11 has been released. Stable releases contain only bug
fixes from previous versions of CVS. This release adds code to the CVS
server to prevent it from continuing as root after a user login, as an
extra failsafe against a compromise of the CVSROOT/passwd file.
Previously, any user with the ability to write the CVSROOT/passwd file
could execute arbitrary code as the root user on systems with CVS
pserver access enabled. We recommend this upgrade for all CVS servers!

This vulnerability was used to exploit the Savannah servers, according
to a post about a LWN article <http://lwn.net/Articles/64835/>
(currently requires a subscription).

 The Savannah codebase and infrastructure was audited after the
compromise to find potential security holes that the cracker could
have used. CVS 1.12.5 and 1.11.11 were released on 2003-12-18 as a
direct result of that work. Further details on CVS will be released in
the coming days. Services are being brought back up on Savannah as
they are secured. For instance, under the new Savannah setup, each
software project's CVS repository resides in its own chroot, and other
essential system services also reside in their own chroots. The FSF
and Savannah volunteers have taken this compromise very seriously, and
we've taken steps to limit the damage from any future compromises.

Paul Fisher
Free Software Foundation 

Can we expect an errata release soon?

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
Unknown, but apparently there is an exploit out in the wild somewhere.

Additional info:
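
The failsafe described in the quoted release announcement, sketched as an added example (not part of the original report and not CVS's own code): resolve the account a CVSROOT/passwd line (`cvsuser:hash[:sysuser]`) would run as, and refuse when it is uid 0. The account table, the function names and the return codes are assumptions made for the illustration, and lines without a password field are simply treated as malformed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the system account database; a real server
   would resolve names with getpwnam(). "toor" is a second uid-0 account. */
struct sysuser { const char *name; long uid; };
static const struct sysuser SYSUSERS[] = {
    {"root", 0}, {"toor", 0}, {"cvsanon", 1001}, {"alice", 1002},
};

static long lookup_uid(const char *name) {
    for (size_t i = 0; i < sizeof SYSUSERS / sizeof SYSUSERS[0]; i++)
        if (strcmp(SYSUSERS[i].name, name) == 0)
            return SYSUSERS[i].uid;
    return -1;
}

/* Returns the uid the login would run as, -1 if the line is malformed or
   the account is unknown, -2 if the login would continue as uid 0. */
long runas_uid(const char *line) {
    char buf[256];
    size_t len = strcspn(line, "\r\n");
    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    char *hash = strchr(buf, ':');
    if (hash == NULL || hash == buf)
        return -1;                /* no password field, or empty CVS user */
    *hash++ = '\0';
    char *sysuser = strchr(hash, ':');
    if (sysuser != NULL)
        *sysuser++ = '\0';
    /* Third field omitted or empty: the CVS user name is the system user. */
    const char *target = (sysuser && *sysuser) ? sysuser : buf;
    long uid = lookup_uid(target);
    if (uid < 0)
        return -1;
    /* Check the resolved uid, not the name: "toor" is root too. */
    return uid == 0 ? -2 : uid;
}

int main(void) {
    /* Constructed sample lines, not taken from any real repository. */
    const char *lines[] = {"anon:Hx1:cvsanon", "dev:Hx2:toor", "root:Hx3"};
    for (int i = 0; i < 3; i++)
        printf("%-18s -> %ld\n", lines[i], runas_uid(lines[i]));
    return 0;
}
```

The same function can be run over an existing CVSROOT/passwd to find entries that would have mapped a pserver login to root before the upgrade.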
Comment 1 Nalin Dahyabhai 2004-01-08 16:00:38 EST
This is in-process for release as an erratum.
Comment 2 Mark J. Cox (Product Security) 2004-01-14 09:45:27 EST
fixed 2004/01/12
