Bug 152720 - Security problems found with CVS that need to be fixed.
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: General
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Reported: 2004-05-19 14:33 EDT by David Kaplan
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Attachments: none
Description David Lawrence 2005-03-30 18:25:09 EST
There have been some new security holes found in CVS and subversion.  They
appear to apply to all versions of CVS up till this month.  They should be
patched ASAP.  I haven't got time right now, but hopefully someone else will.

http://news.com.com/2100-1002_3-5216353.html



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-19 16:53:18 ----

The Redhat AS 2.1 bugzilla report:

https://rhn.redhat.com/errata/RHSA-2004-190.html



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-19 17:10:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just rebuilt cvs from the 2.1AS SRPMS.

If you look at the changelog, this is an extension of what was being used on
rh7.3.

So, the below RPMS are now up for QA on rh7.3:

domino> sha1sum -b cvs-1.11.1p1-14.legacy.*
f6a97f77562966ad72105683c2205e88256bfc48 *cvs-1.11.1p1-14.legacy.i386.rpm
3f132bb0a2f9ab8822160e000fda81a2e6f9a5c3 *cvs-1.11.1p1-14.legacy.src.rpm

http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/cvs

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFArCGLSY7s7uPf/IURAtqpAKCkkGI7ssVBqd/rJxyfHHRMZI+YPwCeI3Lx
jwAeffFnQXFhbjGpf6TtGNo=
=+B8f
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-19 17:17:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Made a goof in rebuilding (with perl path).

New RPMS:

d7eb93b8e36d37ef54cc5da2562246934e8c3b5d *cvs-1.11.1p1-14.legacy.2.i386.rpm
c952a5dc7ab549547eeb21e7a0baceb6b4ff8cf2 *cvs-1.11.1p1-14.legacy.2.src.rpm

same url.

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFArCM9SY7s7uPf/IURAtAPAJ9CBZQGubUWcYhX/uv4/s4lrKnPawCfZ43d
4fTE5tca0ot4tw38sfosBww=
=CMyU
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-05-20 01:46:49 ----

I tested the client part of cvs-1.11.1p1-14.legacy.2.i386.rpm on RH 7.3 by
checking things out from sf.net and it is working as expected.



------- Additional Comments From dmkaplan@ucdavis.edu 2004-05-20 09:02:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I built cvs from 3AS SRPMS for Redhat 9.
 
http://erizo.ucdavis.edu/~dmk/software/RPMS/cvs-1.11.2-22.legacy.src.rpm
http://erizo.ucdavis.edu/~dmk/software/RPMS/cvs-1.11.2-22.legacy.i386.rpm
http://erizo.ucdavis.edu/~dmk/software/RPMS/cvs-debuginfo-1.11.2-22.legacy.i386.rpm
http://erizo.ucdavis.edu/~dmk/software/RPMS/cvs.md5sum.txt.asc
 
These should be ready for QA.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFArQCuOr2eGKYsVBARAnrBAJ4lxLmAW7ef6gwgdJ0tZfOWuhePrwCffJEo
O6+SIU1QUU9D5dODiyJ4kOs=
=dmZF
-----END PGP SIGNATURE-----




------- Additional Comments From michal@harddata.com 2004-05-20 10:01:49 ----

Could we have names like 'cvs.legacy.spec' instead of 'cvs.spec.legacy'?
One of reasons is that emacs loading a file with '.spec' suffix turns on
automatically 'rpm-spec-mode'. :-)  There may be other tools which expect
the same.

Other than that I do not see any issues.



------- Additional Comments From jkeating@j2solutions.net 2004-05-20 10:05:13 ----

Why is the spec file name changing?  It should be just cvs.spec.  



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-20 10:09:12 ----

It's changing cuz rpm is .... ok, n/m.

Didn't want another rpm -ivh of the srpm to wipe out my spec file.

Rebuilding. Back in a few.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-20 10:12:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rebuild w. spec name as requested. Didn't increment version number.

> sha1sum -b cvs-1.11.1p1-14*
42dfd44c28675136c74d5648a2db7de248a9a587 *cvs-1.11.1p1-14.legacy.2.i386.rpm
c04e7e4227ea954dade827227613e55bba2a0b7e *cvs-1.11.1p1-14.legacy.2.src.rpm


- -DWB


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFArREtSY7s7uPf/IURAmkOAJoCcUWZ30CVEIF4XEObKIBFtuWqcwCg2RZO
lQ2zDRvoXCYnaQq51b88R8o=
=f48T
-----END PGP SIGNATURE-----




------- Additional Comments From dmkaplan@ucdavis.edu 2004-05-20 10:46:30 ----

Should I separate the RPM for Redhat 9 and above into a separate bug report or
is it OK to keep it in this bug report?  Redhat 9 and above needs at least
cvs-1.11.2






------- Additional Comments From jkeating@j2solutions.net 2004-05-20 10:54:33 ----

This ticket is fine.  All releases will come out at the same time anyway.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-05-21 07:39:27 ----

Because this is a remote exploit, perhaps it should be pushed up, somewhat?



------- Additional Comments From hbo@egbok.com 2004-05-21 09:03:30 ----

It's not only a remote hole, but via a well-known attack vector; existing
exploit code doesn't have to change very much.

http://www.securityfocus.com/archive/1/363775/2004-05-16/2004-05-22/0
 



------- Additional Comments From jkeating@j2solutions.net 2004-05-21 09:25:32 ----

*grumble* there is no changelog in these rpms.  Will rebuild and bump release
again with a change log.  Please be sure to add changelogs to the packages you
submit.



------- Additional Comments From jkeating@j2solutions.net 2004-05-21 09:47:11 ----

Ok, I see my confusion.  The 7.3 is a direct rebuild from 2.1AS.  Now the 9 rpm
is a rebuild from AS3, but I don't see an rpmdiff that proves AS3s rpm is
exactly the same as 9's but with just this patch added.  I assume this test
hasn't been done.  I will engineer a 9 rpm for QA.



------- Additional Comments From jkeating@j2solutions.net 2004-05-21 10:01:43 ----

Ok, here are RHL9 rpms built with the patch, this is NOT a direct build from RHEL3.

http://geek.j2solutions.net/rpms/legacy/cvs/

d42b355ff8ef32ba7335fb0fee2c1be841a8d466  9/cvs-1.11.2-18.legacy.i386.rpm
8415e614818707e6022cbd67d683dcde60633968  9/cvs-1.11.2-18.legacy.src.rpm
6fc840ab0a21b538c0a78abb24c5b676d4ea844d  9/sha1sums

Please QA them quickly so that I can push to updates-testing today. (and
hopefully release on Monday)



------- Additional Comments From dmkaplan@ucdavis.edu 2004-05-21 10:14:44 ----

The packages that I contributed were taken directly from the Redhat site.  They
already have the patch applied (see Patch19 in the spec).  All I did was change
version 22 to 22.legacy.  I added a changelog stating that I did that and
assumed that redhat had documented the patch.  Apparently they didn't.  

I have fixed that and repackaged.  I think we should use these as they keep up
to date with what redhat is doing.





------- Additional Comments From marcdeslauriers@videotron.ca 2004-05-21 10:34:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I checked these ones out:
 
http://geek.j2solutions.net/rpms/legacy/cvs/
 
d42b355ff8ef32ba7335fb0fee2c1be841a8d466  9/cvs-1.11.2-18.legacy.i386.rpm
8415e614818707e6022cbd67d683dcde60633968  9/cvs-1.11.2-18.legacy.src.rpm
6fc840ab0a21b538c0a78abb24c5b676d4ea844d  9/sha1sums
 
 
sha1sums are ok
source tar was checked
patches look good
spec file looks good
builds ok
installs ok
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFArme7LMAs/0C4zNoRAhsnAJsFHDyGO6rt6OrRrE47Ci1FhzpfXgCgvX6H
eHNsRtl1YkrpmbDrDeT0d6I=
=yzF0
-----END PGP SIGNATURE-----




------- Additional Comments From misterbawb@gmail.com 2004-05-21 12:18:16 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

changes from:
c04e7e4227ea954dade827227613e55bba2a0b7e  cvs-1.11.1p1-14.legacy.2.src.rpm
to
46da2ca673b3af8a08eab8b1d4322e0d6a9d08ad  cvs-1.11.1p1-9.7.legacy.src.rpm

patch added ccvs-exploit-20040519.2.diff (1b2ab647d57e28f1c7e4407306f6c06ed4dfd4ef)
 - CAN-2004-0396
 - matches ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch

patch added cvs-1.11.2-1.11.14-noCVS.patch
(55a2794502ac75dc1f873d5112cd7380ac92bb39)
 - matches code in cvs 1.11.14

patch added cvs-1.11.1p1-sscanf.patch (58a9b33781ef0c551f0225a458c1ee0fd5fac3e3)
 - CAN-2002-0844
 - matches cvs 1.11.2 changes

patch added 03cvs-client-exploit-fix-1.11.2.diff
(e5cd52eec968dc8c01d47528d4b56c3852dd01da)
patch added cvs-cat-etc-fix-1.11.2.diff (fe02f41eca78c711b338d8e92cac65cba84f4c48)
 - CVE-2004-0180 and CAN-2004-0405
 - src/client.c and src/modules.c changes match:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch
       
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody2.diff.gz
 - src/import.c and src/sanity.sh changes matches code in cvs-1.11.16

builds ok
installs ok
++publish
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFArn/0aiZhT6XVAwURAn0gAKCT4y3ee3Wp2U6J/QtkRJ2Z8tDKCACgosNh
+yjnFthl5SAeQ9n8NdGJZOU=
=R6Uf
-----END PGP SIGNATURE-----


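The patch audit in the comment above (hash each patch file, note the CVE it addresses, and confirm that the source files it changes match the reference fix from FreeBSD, OpenBSD or Debian) is the kind of review that is easy to script once and rerun for every respin. The following is an added example written for this page; it is not code from the thread or from Fedora Legacy. The sample diff, the tampered copy and the manifest entry are all constructed, and the manifest hash is computed from the constructed diff rather than taken from the thread.

```python
"""Check the patches in an unpacked source package against a QA manifest.

Added example for this page, not code from the thread or Fedora Legacy.
For every patch the manifest lists, it checks (1) the SHA-1 of the patch
file and (2) the set of source files the unified diff touches, which is
what the reviewers compared against the FreeBSD/OpenBSD/Debian fixes.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample patch. File names follow the thread's description
# (src/client.c and src/modules.c); the hunk contents are made up.
SAMPLE_PATCH = b"""--- cvs-1.11.2/src/client.c.orig
+++ cvs-1.11.2/src/client.c
@@ -1,3 +1,4 @@
 int a;
+int checked_path;
 int b;
--- cvs-1.11.2/src/modules.c.orig
+++ cvs-1.11.2/src/modules.c
@@ -1,2 +1,3 @@
 int c;
+int d;
"""

# Matches the '+++ path' header of each file in a unified diff.
NEW_FILE_RE = re.compile(rb"^\+\+\+ (\S+)", re.MULTILINE)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def touched_files(patch: bytes, strip: int = 1) -> Set[str]:
    """Paths a unified diff modifies, with `strip` leading components
    removed, mirroring `patch -p<strip>`. /dev/null (new/deleted file
    markers) is ignored."""
    files = set()
    for m in NEW_FILE_RE.finditer(patch):
        path = m.group(1).decode()
        if path == "/dev/null":
            continue
        parts = path.split("/")
        files.add("/".join(parts[strip:]) if len(parts) > strip else path)
    return files


def check_patch(name: str, data: bytes, expected_sha1: str,
                expected_files: Iterable[str], strip: int = 1) -> List[str]:
    """Return a list of discrepancies; an empty list means the patch
    matches what the reviewer recorded."""
    problems = []
    actual = sha1_hex(data)
    if actual != expected_sha1:
        problems.append(f"{name}: sha1 {actual} != manifest {expected_sha1}")
    got = touched_files(data, strip)
    want = set(expected_files)
    if got != want:
        problems.append(f"{name}: touches {sorted(got)}, manifest says {sorted(want)}")
    return problems


# Constructed manifest: the hash is that of SAMPLE_PATCH itself, so the
# clean run passes; a real manifest carries the reviewer's recorded hashes.
MANIFEST: Dict[str, Tuple[str, Set[str]]] = {
    "sample-client-modules.diff": (sha1_hex(SAMPLE_PATCH),
                                   {"src/client.c", "src/modules.c"}),
}


def run_checks(patches: Dict[str, bytes]) -> List[str]:
    """Verify every manifest entry; a patch missing from the package is
    reported as well, so a dropped fix does not pass silently."""
    problems = []
    for name, (digest, files) in MANIFEST.items():
        if name not in patches:
            problems.append(f"{name}: listed in manifest but not in package")
            continue
        problems.extend(check_patch(name, patches[name], digest, files))
    return problems


# A tampered copy: an extra hunk against src/import.c changes both the
# hash and the touched-file set, so it fails both checks.
TAMPERED_PATCH = SAMPLE_PATCH + b"""--- cvs-1.11.2/src/import.c.orig
+++ cvs-1.11.2/src/import.c
@@ -1,1 +1,2 @@
 int e;
+int f;
"""

if __name__ == "__main__":
    print(run_checks({"sample-client-modules.diff": SAMPLE_PATCH}) or "clean package: OK")
    for p in run_checks({"sample-client-modules.diff": TAMPERED_PATCH}):
        print("FAIL", p)
```

In practice the `patches` mapping is filled from the unpacked SRPM (`rpm2cpio pkg.src.rpm | cpio -id`, then read each `*.diff`/`*.patch`), and the manifest is the reviewer's signed list of hash, CVE and touched files, so a later respin that silently drops or alters a patch fails the check rather than the reviewer's memory.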

------- Additional Comments From michal@harddata.com 2004-05-21 17:33:57 ----

The announced 7.3/updates-testing/i386/cvs-1.11.1p1-14.legacy.2.i386.rpm
in dependencies (try 'rpm -qRp ...' with the package above) shows
....
/bin/sh  
/usr/bin/perl  
no             <------ 
...
and does not install without '--nodeps' as there is no rpm providing "no".

I am not sure where this is coming from.  Recompiling from the same specs
on my machines shows in dependencies:
....
/bin/csh  
/bin/sh  
/usr/bin/perl 
....
and there is no mention of "no".



------- Additional Comments From jpdalbec@ysu.edu 2004-05-24 02:39:11 ----

Is this the same problem?

04.20.21 CVE: CAN-2004-0396
Platform: Cross Platform
Title: CVS Heap Overflow Vulnerability
Description: CVS is a source control version system. CVS is reportedly
vulnerable to a heap overflow issue. The issue presents itself during
the handling of certain user-supplied input for entry lines with
"modified" and "unchanged" flags. This could lead to either a denial
of service condition or arbitrary code execution. This vulnerability
was reported for CVS versions 1.11.15 and prior, and CVS feature
versions 1.12.7 and prior.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-05/0196.html



------- Additional Comments From Freedom_Lover@pobox.com 2004-05-24 06:48:01 ----

I believe the problem of the dependency on 'no' is caused by the build host not
having the /bin/csh available.  I rebuilt the SRPM on my system and then diffed
the output of rpm -qpR, finding the only differences were /bin/csh on my build
and 'no' on the updates-testing build.  After removing the tcsh rpm and
rebuilding, I too had 'no' as a requires and not /bin/csh.  tcsh should be added
as BuildRequires.


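The bogus Requires on "no" discussed in the two comments above comes from rpm's automatic dependency generator: find-requires takes the first token of every packaged script's "#!" line and turns it into a Requires. The thread does not say which script carried it; the usual mechanism (an assumption here) is an autoconf check such as the one for csh defaulting to the literal string "no" when the program is absent on the build host, which is then substituted into a script's interpreter line. The following added example, written for this page and not code from the thread or Fedora Legacy, reproduces that scan over a buildroot and flags interpreters that cannot be real paths. The buildroot, file names and contents are constructed.

```python
"""Reproduce rpm's interpreter-based auto-Requires for a buildroot.

Added example for this page, not code from the thread or Fedora Legacy.
rpm's find-requires derives a Requires entry from the first token of each
packaged script's "#!" line. An interpreter that is not an absolute path
(such as the literal "no" a failed configure substitution leaves behind)
is a build-environment bug: the Requires is unsatisfiable, and the script
itself cannot execute even if the package is forced in with --nodeps.
"""
import os
import tempfile
from typing import Dict, Optional


def interpreter_of(path: str) -> Optional[str]:
    """Return the interpreter named on the file's #! line, or None for
    non-scripts. Only the first 256 bytes are read, like the real tool."""
    try:
        with open(path, "rb") as f:
            first = f.readline(256)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    tokens = first[2:].split()
    return tokens[0].decode(errors="replace") if tokens else None


def script_requires(root: str) -> Dict[str, str]:
    """Map each script under root (path relative to root) to the
    interpreter rpm would record as a Requires."""
    reqs = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            interp = interpreter_of(full)
            if interp:
                reqs[os.path.relpath(full, root)] = interp
    return reqs


def bogus_requires(reqs: Dict[str, str]) -> Dict[str, str]:
    """Interpreters that are not absolute paths. No package can provide
    them, so they are the 'no'-style dependencies from the thread."""
    return {p: i for p, i in reqs.items() if not i.startswith("/")}


def build_sample_buildroot() -> str:
    """Constructed buildroot: one script with a sane shebang, one whose
    @CSH@ substitution became 'no' (assumed mechanism), one non-script.
    Script names are illustrative only."""
    root = tempfile.mkdtemp(prefix="cvs-buildroot-")
    scripts = os.path.join(root, "usr/share/cvs/contrib")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "log-helper"), "wb") as f:
        f.write(b"#!/bin/sh\necho ok\n")
    with open(os.path.join(scripts, "convert-helper"), "wb") as f:
        f.write(b"#!no\necho never runs\n")
    with open(os.path.join(scripts, "README"), "wb") as f:
        f.write(b"not a script\n")
    return root


if __name__ == "__main__":
    root = build_sample_buildroot()
    reqs = script_requires(root)
    for p, i in sorted(reqs.items()):
        print(f"{p}: Requires {i}")
    bad = bogus_requires(reqs)
    if bad:
        print("BUILD BUG, fix BuildRequires instead of using --nodeps:", bad)
```

Run against the real buildroot (the `%install` tree, or the output of `rpm2cpio` on the binary rpm) before signing; `rpm -qRp pkg.rpm` shows the same list after the fact, but catching it in the buildroot points at the missing BuildRequires (tcsh in this case) rather than at the symptom.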

------- Additional Comments From edgester@yahoo.com 2004-05-25 02:32:17 ----

I get the following warning when installing cvs on a redhat 7.3 host. 
-------------------------------------------------------
#rpm -Uvh --nodeps cvs-1.11.1p1-14.legacy.2.i386.rpm
Preparing...                ########################################### [100%]
   1:cvs                    ########################################### [100%]
install-info: warning: no info dir entry in `//usr/share/info/cvs.info.gz'
install-info: warning: no info dir entry in `//usr/share/info/cvsclient.info.gz'
-----------------------------------------------------

I also got the "no" dependency problem.



------- Additional Comments From jkeating@j2solutions.net 2004-05-25 14:52:11 ----

Rebuilt the 7.3 rpm with tcsh as a buildreq.

http://download.fedoralegacy.org/redhat/

de3bbf0941d5e8e75c5198ed94f497dfbf889e1a 
7.3/updates-testing/SRPMS/cvs-1.11.1p1-14.legacy.3.src.rpm
72a356d222a2e576c529157556d49c31145ab4c5 
7.3/updates-testing/i386/cvs-1.11.1p1-14.legacy.3.i386.rpm



------- Additional Comments From villegas@math.gatech.edu 2004-05-26 04:14:27 ----

I assume that the problems with the dependencies only affect the 7.3 version, I 
installed the RH9 version just fine (not using yum). But so far I haven't played 
much with it, I'll update as soon as I do. Is there any good known POC code to 
check if the vulnerability is gone?



------- Additional Comments From jkeating@j2solutions.net 2004-05-31 08:45:01 ----

*** Bug 1485 has been marked as a duplicate of this bug. ***



------- Additional Comments From jkeating@j2solutions.net 2004-06-01 08:38:58 ----

Ack, seems more problems with CVS.  Here are some CVEs that we need to verify
we're fixing...

CAN-2004-0180 CAN-2004-0396 CAN-2004-0414 CAN-2004-0416 CAN-2004-0417 CAN-2004-0418.

I have not done any verification yet on our packages.  Can somebody out there do
this?  I'm stuck at work, not able to spend any cycles on it.



------- Additional Comments From skvidal@phy.duke.edu 2004-06-03 10:41:09 ----

What I can tell is that the patches from stefan esser that came out in rhel3 and
rhel2.1 look right for 7.x and 9, respectively.

The build you made originally seems to cover it.

rebuild them w/o the 'no' problem, and push them to testing-updates and let's go
with this one asap?



------- Additional Comments From jkeating@j2solutions.net 2004-06-03 13:52:17 ----

Grumble, slight snag.  Seems RHL9 isn't patched for CAN-2004-0405, and neither
is 7.3.  These are in http://rhn.redhat.com/errata/RHSA-2004-153.html and should
be put in our CVSs.  *sigh* back to the drawing board.  Packages pulled from
updates-testing as they are not complete.



------- Additional Comments From jkeating@j2solutions.net 2004-06-03 20:02:07 ----

Wait, investigating.  Seems all the same patches that are in RHEL's packages are
in 7.3/9's, but there is no mention in the changelog that CAN-2004-0405 was
fixed, and I can't figure out which patch is for it.  Contacting RH Security
team for guidance.



------- Additional Comments From jkeating@j2solutions.net 2004-06-03 20:07:25 ----

Found the patch, it was cvs-cat-etc-fix-1.11.2.diff.  Resigning and pushing to
updates.  



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:25 -------

This bug previously known as bug 1620 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1620
Originally filed under the Fedora Legacy product and General component.

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

