Red Hat Bugzilla – Bug 113139
CAN-2003-0977 CVS write outside of directories
Last modified: 2007-04-18 13:01:02 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; Galeon)
Description of problem:
Here's the cvs-1.11.11 release announcement:
Stable CVS 1.11.11 has been released. Stable releases contain only bug
fixes from previous versions of CVS. This release adds code to the CVS
server to prevent it from continuing as root after a user login, as an
extra failsafe against a compromise of the CVSROOT/passwd file.
Previously, any user with the ability to write the CVSROOT/passwd file
could execute arbitrary code as the root user on systems with CVS
pserver access enabled. We recommend this upgrade for all CVS servers!
This vulnerability was used to exploit the Savannah servers, according
to a post about an LWN article <http://lwn.net/Articles/64835/>
(currently requires a subscription).
The Savannah codebase and infrastructure was audited after the
compromise to find potential security holes that the cracker could
have used. CVS 1.12.5 and 1.11.11 were released on 2003-12-18 as a
direct result of that work. Further details on CVS will be released in
the coming days. Services are being brought back up on Savannah as
they are secured. For instance, under the new Savannah setup, each
software project's CVS repository resides in its own chroot, and other
essential system services also reside in their own chroots. The FSF
and Savannah volunteers have taken this compromise very seriously, and
we've taken steps to limit the damage from any future compromises.
Free Software Foundation
Can we expect an errata release soon?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Unknown, but apparently there is an exploit out in the wild somewhere.
This is in-process for release as an erratum.
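An added audit example, not part of this bug report or of CVS itself: it scans a CVSROOT/passwd file for pserver entries that resolve to uid 0, which is the condition the 1.11.11 failsafe described in the announcement refuses to continue under. The `cvs_user:crypted_password[:system_user]` line format is taken from the CVS documentation rather than from this page; the function names, sample file and uid table are constructed for illustration.

```python
import pwd

# Constructed sample of a CVSROOT/passwd file (not from the bug report).
# Each line is cvs_user:crypted_password[:system_user]; when the third
# field is absent, pserver runs as the system account named cvs_user.
SAMPLE_PASSWD = """\
anonymous::cvsanon
alice:Xq3kT9wPzL1aA:alice
builder:Ab8dQ2mN7sVcE:root
root:Zz1yW4uR6tHgI
mallory:Kk5jF0eD3bCaB:toor
"""

# Constructed uid table standing in for /etc/passwd in the sample run.
SAMPLE_UIDS = {"cvsanon": 1001, "alice": 1002, "root": 0, "toor": 0}


def system_uid(name):
    """Resolve a system account name to its uid on this host, or None."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_cvs_passwd(text, lookup=system_uid):
    """Return (line_no, cvs_user, system_user, reason) for risky entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        cvs_user = fields[0]
        # Third field is optional; fall back to the CVS user name.
        system_user = fields[2] if len(fields) > 2 and fields[2] else cvs_user
        uid = lookup(system_user)
        if uid == 0:
            # Compare uids, not names: any uid-0 alias is equally root.
            findings.append((line_no, cvs_user, system_user, "maps to uid 0"))
        elif uid is None:
            findings.append((line_no, cvs_user, system_user, "unknown system account"))
    return findings


if __name__ == "__main__":
    for finding in audit_cvs_passwd(SAMPLE_PASSWD, SAMPLE_UIDS.get):
        print("line %d: CVS user %r -> system user %r: %s" % finding)
```

On a real server, call `audit_cvs_passwd(open(path).read())` so that account names are resolved against the host's own user database.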