Bug 152736 - cvs package fixes security issues CAN-2004-0414,0416,0417,0418
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: cvs
Version: unspecified
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
https://rhn.redhat.com/errata/RHSA-20...
LEGACY, QA, rh73, rh90
Reported: 2004-06-09 04:26 EDT by Dave Botsch
Modified: 2014-01-21 17:51 EST
Last Closed: 2005-04-05 19:15:20 EDT

Description David Lawrence 2005-03-30 18:25:40 EST
From the Red Hat 2.1AS advisory (and we are now using 2.1AS packages on 7.3):

An updated cvs package that fixes several server vulnerabilities, which could
be exploited by a malicious client, is now available.

CVS is a version control system frequently used to manage source code
repositories.

While investigating a previously fixed vulnerability, Derek Price
discovered a flaw relating to malformed "Entry" lines which lead to a
missing NULL terminator. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0414 to this issue.

Stefan Esser and Sebastian Krahmer conducted an audit of CVS and fixed a
number of issues that may have had security consequences.

Among the issues deemed likely to be exploitable were:

-- a double-free relating to the error_prog_name string (CAN-2004-0416)
-- an argument integer overflow (CAN-2004-0417)
-- out-of-bounds writes in serv_notify (CAN-2004-0418).

An attacker who has access to a CVS server may be able to execute arbitrary
code under the UID on which the CVS server is executing.

Users of CVS are advised to upgrade to this updated package, which contains
backported patches correcting these issues.

Red Hat would like to thank Stefan Esser, Sebastian Krahmer, and Derek
Price for auditing, disclosing, and providing patches for these issues.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-06-09 04:45:10 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built new cvs rpms for 7.3:

sha1sum -b cvs*
ba50e986e1d960039381e627c1519ba6939feef8 *cvs-1.11.1p1-16.legacy.i386.rpm
21409962221842f3ba07056f86286697397a212f *cvs-1.11.1p1-16.legacy.src.rpm


Available from:

http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/cvs

Uses the redhat 2.1AS patches applied against the previously released fedora
legacy srpm.

- -DWB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAxyJCSY7s7uPf/IURAgTjAKCks81gs6U+59r852XX8DkkoevkOACfUU8/
9zYJOt0RcZMRAzN0O1O8PK0=
=NPCH
-----END PGP SIGNATURE-----




------- Additional Comments From jp107@damtp.cam.ac.uk 2004-06-09 05:30:52 ----

Take the SRPM from RHEL AS3 (cvs-1.11.2-24.src.rpm)

Edit the specfile:

--- cvs.spec.orig       2004-05-28 19:23:34.000000000 +0100
+++ cvs.spec    2004-06-09 15:52:41.000000000 +0100
@@ -1,7 +1,7 @@
 Summary: A version control system.
 Name: cvs
 Version: 1.11.2
-Release: 24
+Release: 24JSP
 License: GPL
 Group: Development/Tools
 Source: ftp://ftp.cvshome.org/pub/cvs-%{cvsbase}/cvs-%{version}.tar.gz
@@ -75,7 +75,7 @@
 %patch21 -p1 -b .krahmer-esser-issues-fix
 
 %build
-k5prefix=`krb5-config --prefix`
+k5prefix=`/usr/kerberos/bin/krb5-config --prefix`
 if test "$k5prefix" = /usr ; then
        k5prefix=
 fi
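Review bot: hard-coding /usr/kerberos/bin/krb5-config in the k5prefix assignment under %build ties the spec to one install layout, and the result is never checked. If that binary is absent, the backticks yield an empty string, the test against /usr is false, and the script falls through with k5prefix empty, which is the same value the /usr case sets on purpose. Suggest prepending /usr/kerberos/bin to PATH for the lookup, or testing that the script is executable and failing %build with a message when it is not.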
@@ -122,6 +122,9 @@
 %{_datadir}/%{name}
 
 %changelog
+* Sat Jun 09 2004 Jon Peatfield <jp107@damtp.cam.ac.uk> 1.11.2-24JSP
+- fix krb5-config path version change
+
 * Fri May 28 2004 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-24
 - add security fix for CAN-2004-0416,CAN-2004-0417,CAN-2004-0418 (Stefan Esser)
 
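Review bot: the new %changelog header reads "Sat Jun 09 2004", but 9 June 2004 was a Wednesday (the diff header for cvs.spec is dated 2004-06-09 as well); correct the weekday so the entry carries a valid date. The entry text "fix krb5-config path version change" would also be clearer if it named the path that %build now uses, /usr/kerberos/bin/krb5-config.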
Is enough to make it build cleanly on RH80, and the same will probably
be fine for RH73/9 etc.

I'm currently QA'ing a version built this way on my RH80 machines,
available from:

  http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/

  SRPMS/cvs-1.11.2-24JSP.src.rpm
  RPMS/i386/cvs-1.11.2-24JSP.i386.rpm





------- Additional Comments From jkeating@j2solutions.net 2004-06-09 06:14:20 ----

Comment #1, I have a private updated build of CVS for legacy that has a small
change needed to the spec file:

BuildPreReq: should have "texinfo" added or else the info files will not be made
properly.  Please make that change.



------- Additional Comments From dwb7@ccmr.cornell.edu 2004-06-09 06:26:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rebuilt with texinfo as a prebuildreq:

sha1sum -b cvs*
0a6fc28c6040144aab72bdba8a14cf38377f087e *cvs-1.11.1p1-16.legacy.2.i386.rpm
ee8a21735b105e3419bf510871fcf545ec59caff *cvs-1.11.1p1-16.legacy.2.src.rpm


Same url:

http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/cvs

- -DWB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAxzn0SY7s7uPf/IURAkRhAKCnMDeBL/dxY+6cVIwCbd0RGKsstQCePnIc
GTB+sCNuBRiwN18CT8+a4/I=
=/+aC
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-09 14:02:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Wed Jun 09 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.11.2-24.legacy
- - add security fix for CVE CAN-2004-0414 (Derek Price)
- - add security fix for CAN-2004-0416,CAN-2004-0417,CAN-2004-0418 (Stefan Esser)

cf6cde8a4e382c79ade6ceb10b4e62474d24e227  cvs-1.11.2-24.legacy.i386.rpm
6c213b4fc335a55d9dcb408c7e3c772c4b3982cb  cvs-1.11.2-24.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/cvs-1.11.2-24.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cvs-1.11.2-24.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAx6TzLMAs/0C4zNoRAkpkAJ96sTIA0zcWPg1L7GYJcHBkdSfo+QCgtGUB
yMEZmzagp/h7/bkehR+Ix8w=
=+HJm
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom@netikka.fi 2004-06-09 22:15:55 ----

I did a QA on the RH 9 packages in Comment #5:


SHA1 is ok.
Installs ok.
Spec file looks ok.
patch looks ok.
I did a functionality test by checking out things from sf.net and cvs is
working as expected.

I vote for publish.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-10 12:11:30 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA'd the 7.3 package from comment #4:

ee8a21735b105e3419bf510871fcf545ec59caff *cvs-1.11.1p1-16.legacy.2.src.rpm

- - sha1sum matches
- - Spec file changes are good
- - Patch files look good
- - Other sources are OK when diffed with previous release
- - Builds OK
- - Installs OK
- - Runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAyNulLMAs/0C4zNoRAkDdAKCaxhwBEVrG0lyZjEmlgVdQ0zoX0QCgs3WK
zs16zL6DZ4iXvJIYitiqiBY=
=+ByE
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-06-10 15:59:54 ----

Pushed to updates-testing:

This update can be downloaded from:
  http://download.fedoralegacy.org/redhat/
 
d309756c60dcf33235581f2174db39fe103bac27  7.3/updates-testing/SRPMS/cvs-1.11.1p1-16.legacy.2.src.rpm
9620756fc080096881f062b6272306a1ba57fb40  7.3/updates-testing/i386/cvs-1.11.1p1-16.legacy.2.i386.rpm

ffa2ea4c2689dbbd304364a14517a0e9f1747be2  9/updates-testing/SRPMS/cvs-1.11.2-24.legacy.src.rpm
9f3eac397a31464cc39bad75877e6f5a11c7c31d  9/updates-testing/i386/cvs-1.11.2-24.legacy.i386.rpm



------- Additional Comments From edgester@yahoo.com 2004-06-11 03:06:17 ----

Downloaded from updates-testing using yum from download.fedoralegacy.org onto
two RH 7.3 machines.

No problems installing.

I've done a cvs update and commit using pserver. Seems to work ok.

Summary: Tested on RH7.3 and looks good to me.

I vote to move to updates folder.





------- Additional Comments From mule@umich.edu 2004-09-22 08:27:02 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
9f3eac397a31464cc39bad75877e6f5a11c7c31d  cvs-1.11.2-24.legacy.i386.rpm
ffa2ea4c2689dbbd304364a14517a0e9f1747be2  cvs-1.11.2-24.legacy.src.rpm
 
For Red Hat 9:
 
* Checked spec file - OK
* Checked cvs-1.11.2-CAN-2004-0414.patch - OK
* Checked cvs-krahmer-esser-issues-fix-1.11.2.patch - OK
* Build from source - OK
* Installs - OK
* Runs - OK
 
++VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBUbk0TsaUa9pp4VIRAqayAJ9HySNtvi53r2SBmM3SmgntyfXtYgCeLr9p
z6CE3XiaYlvnEwEAC78rfoQ=
=8GuV
-----END PGP SIGNATURE-----




------- Additional Comments From sheltren@cs.ucsb.edu 2004-09-28 05:03:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verified RH 9 package -
- - Spec file looks good
- - Package checksum matches
- - SRPM rebuilds without errors
- - RPM installs cleanly
- - cvs co and updates work as expected

I vote for publish

- -Jeff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWXxfKe7MLJjUbNMRAvgPAJ4k9UfFo84GDR3hh35WpeBGtbbT1QCfbwLK
Jbjma/ntKvXfyjHzFOPH++k=
=a8nV
-----END PGP SIGNATURE-----



------- Additional Comments From dom@earth.li 2004-09-28 05:06:35 ----

Hi Jeff. Could you please post the sha1sums of the packages you have QAd.



------- Additional Comments From sheltren@cs.ucsb.edu 2004-09-28 05:15:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry, I'm still getting used to all this :)

Here are the sha1 sums for the packages I tested for comment #11

9f3eac397a31464cc39bad75877e6f5a11c7c31d  cvs-1.11.2-24.legacy.i386.rpm
ffa2ea4c2689dbbd304364a14517a0e9f1747be2  cvs-1.11.2-24.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWX/CKe7MLJjUbNMRAjMUAKCrNv7rGWbOqnsGbJOmSeSml+gjDwCglTS/
OD4qNYtEAJk/5mjHJqAK0J0=
=pZBE
-----END PGP SIGNATURE-----



------- Additional Comments From cra@wpi.edu 2004-10-05 13:52:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA/Verify rh73 packages:

d309756c60dcf33235581f2174db39fe103bac27  cvs-1.11.1p1-16.legacy.2.src.rpm
9620756fc080096881f062b6272306a1ba57fb40  cvs-1.11.1p1-16.legacy.2.i386.rpm

- - good sigs from 1024D/731002FA 2004-01-19 Fedora Legacy
(http://www.fedoralegacy.org) <secnotice@fedoralegacy.org>
- - good sha1sums
- - verified that these patches apply, as mentioned in changelog:

        Patch17: cvs-1.11.2-CAN-2004-0414.patch
        Patch18: cvs-krahmer-esser-issues-fix-1.11.1p1.patch

- - rpm-build-compare.sh shows no unintended changes between these
  pkgs and 1.11.1p1-14.legacy.3
- - builds ok
- - installs ok
- - works ok as a client against sourceforge.net
  (anonymous pserver, ssh, co, update, diff, commit)

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBYzNnw2eg+Um7WIYRAq6CAKCNut8aIXNb9ocgTVzs2I1+9XbdEwCfY3W/
OWyCkPei6ShO+mWV+OMsxO4=
=dra3
-----END PGP SIGNATURE-----




------- Additional Comments From dom@earth.li 2004-10-05 14:09:49 ----

Thanks to Charles for doing that final verify.

I propose to release
http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1735-cvs-draft.txt, but
before I do can someone do me a favour and clarify the status of CAN-2004-0778
for our packages (as referred to in the Red Hat advisory). I can't see any
mention of it in this bug; have we fixed it? If not does it need fixing?



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-05 14:40:41 ----

I can confirm we do indeed fix CAN-2004-0778 in the 7.3 and 9 cvs packages. It
should be added to the advisory text.

The following snippet from the cvs-krahmer-esser-issues-fix-1.11.2.patch patch
fixes it:

--- cvs-1.12.7.orig/src/history.c       Mon Mar 22 18:26:45 2004
+++ cvs-1.12.7/src/history.c    Thu May 27 13:38:40 2004
@@ -412,8 +412,11 @@
                working = 1;
                break;
            case 'X':                   /* Undocumented debugging flag */
+#ifdef DEBUG
                histfile = optarg;
+#endif
                break;
+
            case 'D':                   /* Since specified date */
                if (*since_rev || *since_tag || *backto)
                {
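Review bot: with DEBUG undefined, case 'X' still matches and simply breaks, so the option and its argument are accepted and silently discarded rather than rejected. If the intent is to disable the undocumented flag in production builds, consider an #else branch that reports the option as unsupported, so a caller passing it gets an error instead of a silent no-op. The blank line added after the break is an unrelated whitespace change and could be dropped from the security patch.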

References:

https://ccvs.cvshome.org/source/browse/ccvs/src/history.c?r1=1.73&r2=1.74
http://www.idefense.com/application/poi/display?id=130&type=vulnerabilities&flashstatus=true
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130038




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:25 -------

This bug previously known as bug 1735 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1735
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

