Bug 155508 - CAN-2005-0753 multiple issues in cvs
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: cvs
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, rh73, rh90, 1, 2
Keywords: Security
Reported: 2005-04-20 18:36 EDT by Marc Deslauriers
Modified: 2007-04-18 13:24 EDT
Doc Type: Bug Fix
Last Closed: 2005-05-12 20:37:37 EDT
Description Marc Deslauriers 2005-04-20 18:36:01 EDT
+++ This bug was initially created as a clone of Bug #155029 +++

Derek Price alerted vendor-sec about a buffer overflow and an incorrect free.

The incorrect free seems to be part of a dead codepath, I'm not 100% sure of
this though.

Patch available in bug 155029
Comment 1 Michal Jaegermann 2005-04-21 16:17:13 EDT
A patched source package is available as
ftp://ftp.harddata.com/pub/Legacy_srpms/cvs-1.11.1p1-16.legacy.2hd.src.rpm

This source has added on the top of the latest Legacy release, i.e.
cvs-1.11.1p1-16.legacy.2, an "adjusted" patch derived from
cvs-1.11.17-CAN-2005-0753.patch as present in cvs-1.11.17-6.FC3.src.rpm.
There are different offsets and two obvious rejects are fixed.  Otherwise
there are no real changes.
Comment 2 Michal Jaegermann 2005-04-21 16:18:57 EDT
Forgot to add: cvs-1.11.1p1-16.legacy.2 is for RH7.3 and so is the fixed package.
Comment 3 Marc Deslauriers 2005-04-21 18:40:40 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Michal's rh7.3 package:

f7ccebfc249c1340b2d06e6ad3877c5917c66350  cvs-1.11.1p1-16.legacy.2hd.src.rpm

- - Patch matches FC3 with adjustments
- - Spec file changes are good
- - Builds and runs

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCaCvrLMAs/0C4zNoRAvWmAJ9JEV+n9gXpbhsXEyhUVIHIws6q2ACgiCdT
BgDDHwa1qO/+VzC8bx/ABbg=
=WGg9
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2005-04-21 20:55:56 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated cvs packages to QA for rh9, fc1 and fc2:

Changelog:
* Thu Apr 21 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.11.17-2.1.legacy
- - add security fix CAN-2005-0753 (Derek Price)

3941a1899757b52fef0e223b8d2cfd2fd561f338  9/cvs-1.11.2-25.legacy.i386.rpm
028a69b5134040b282beb058c932b5039c234609  9/cvs-1.11.2-25.legacy.src.rpm
8af100aabddb1f75b715220637e564dd4d135060  1/cvs-1.11.17-1.1.legacy.i386.rpm
cb2b555a8a282e425087f2c3e384f3a7dc40e97b  1/cvs-1.11.17-1.1.legacy.src.rpm
927ce8605647e216cb9b9dc36583d832219692f9  2/cvs-1.11.17-2.1.legacy.i386.rpm
578d6da491c8c87c022712d1eaaa958e23e08e97  2/cvs-1.11.17-2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/cvs-1.11.2-25.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cvs-1.11.2-25.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cvs-1.11.17-1.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cvs-1.11.17-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/cvs-1.11.17-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/cvs-1.11.17-2.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCaEs3LMAs/0C4zNoRArZVAKCnEvR1VFaukNqpNdFXA9qa2P6+KgCgsY9j
4zqrVNcU1JOxhdT3KxQTq3M=
=o4Qi
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2005-05-01 03:00:09 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patch verified to match pretty closely to RHEL3 and FC3.

One thing I noted is that the security patch in RHEL3 didn't change the
following, but our patches did:

- -diff -Naur cvs-1.11.2.ori/src/rcs.c cvs-1.11.2/src/rcs.c
- ---- cvs-1.11.2.ori/src/rcs.c   2002-03-19 14:15:45.000000000 -0500
- -+++ cvs-1.11.2/src/rcs.c       2005-04-21 19:26:17.000000000 -0400
- -@@ -3016,8 +3016,7 @@
- -     if (retval != NULL)
- -       return (retval);
- -
- --    if (!force_tag_match ||
- --      (vers != NULL && RCS_datecmp (vers->date, date) <= 0))
- -+    if (vers != NULL && (!force_tag_match || RCS_datecmp (vers->date, date)
<= 0))
- -       return (xstrdup (vers->version));
- -     else
- -       return (NULL);
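
Review bot: in the src/rcs.c hunk at "@@ -3016,8 +3016,7 @@", the removed condition tests "vers != NULL" only on the right-hand side of the "||", so with force_tag_match equal to 0 and vers equal to NULL it goes on to "return (xstrdup (vers->version));" and dereferences a NULL pointer. The replacement tests "vers != NULL" first, so that case now reaches "return (NULL)". The changelog entry should record this as a NULL-dereference guard, and the callers of this function should be checked for handling a NULL return when force_tag_match is 0.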

.. this is however present in FC3.

I don't see any security implications in this change, but it changes the
semantics of "force_tag_match" if version is NULL.  So this change AFAICS
wouldn't need to be there for backported patches.  But as it's done in
upstream and FC3, it should be small enough to be OK..

+PUBLISH RHL9,FC1,FC2


cb2b555a8a282e425087f2c3e384f3a7dc40e97b  cvs-1.11.17-1.1.legacy.src.rpm
578d6da491c8c87c022712d1eaaa958e23e08e97  cvs-1.11.17-2.1.legacy.src.rpm
028a69b5134040b282beb058c932b5039c234609  cvs-1.11.2-25.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCdH5WGHbTkzxSL7QRAmFKAJ9UbJXXojGlB+IdxEGm3IITtCT7MQCgin/R
O6h+H/SoNvn09TvVct+sD8A=
=eHqS
-----END PGP SIGNATURE-----
Comment 6 Marc Deslauriers 2005-05-05 22:08:16 EDT
Packages were pushed to updates-testing
Comment 7 mschout 2005-05-06 10:36:32 EDT
Verify for rh7.3:

SHA1 SUM:
44748e23bd996cce24d4ee94f8d690d54c9f02bd  cvs-1.11.1p1-17.legacy.i386.rpm

rpm --checksig:
cvs-1.11.1p1-17.legacy.i386.rpm: md5 gpg OK
signed by secnotice@fedoralegacy.org

Package installs with no errors, and CVS appears to be working properly.

+VERIFY RH73
Comment 8 mschout 2005-05-06 10:41:03 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry, I forgot to GPG sign the above verify for RH 7.3

The above verify for RH 7.3 was from me.

+VERIFY RH7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCe4HS+CqvSzp9LOwRAmM5AKCePHGWbZJGC4BjeXM0xCddyT9WLwCgwCOY
qmddkGQwQG9bTMw2e/QM9zQ=
=6qu2
-----END PGP SIGNATURE-----
Comment 9 mschout 2005-05-06 10:44:06 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1:
e88e07e612ef9a98760d7621feb62676c18744c2  cvs-1.11.17-1.2.legacy.i386.rpm

signature:
cvs-1.11.17-1.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (fc395e43082c83291cd85961e02816d8c93368cc)
    MD5 digest: OK (bd1c7957aab6455e44cb04bb6e52e9ae)
    V3 DSA signature: OK, key ID 731002fa

package installs without errors.

CVS appears to be working normally.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCe4Jm+CqvSzp9LOwRAtcXAJ43+6bWTupYtLnMLIZ6AXX0wQliAQCeM34Z
OqgmbNlkq1hAqddyJbLvL78=
=oBVT
-----END PGP SIGNATURE-----
Comment 10 Tom Yates 2005-05-06 17:01:49 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

388ff1fb3678bbe9f548dd0de3b4c34a6b96edd0 cvs-1.11.2-25.legacy.i386.rpm

installed OK.  ci, co, rlog and rcsdiff all work fine.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCe9s3ePtvKV31zw4RAr+ZAJ9ik4+fuH9+QY9P+Je9tpxJaMzkGwCfQllc
o0ouKi1wKXBh9Rnk30+ixOo=
=uG6F
-----END PGP SIGNATURE-----
Comment 11 Matthew Miller 2005-05-08 10:44:27 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


e939ea46087822a17a68b6997ffd47df6cbe60bd  cvs-1.11.17-2.2.legacy.i386.rpm

* installed okay; basic cvs client commands (ci, co, diff, rlog) work fine
* didn't test the pserver.... no one mentions testing that for other
  distro versions....

+VERIFY FC2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCfiWxz8vebpLJCdYRAu+pAKC0bejiWKcH0POdezZZGk8v/cxxoACgkGiO
5aZRpW8SjnmcinVGmV/gqDg=
=c999
-----END PGP SIGNATURE-----
Comment 12 Marc Deslauriers 2005-05-12 20:37:37 EDT
Packages were officially released
