----------------------------------------------------------------------- Immunix Secured OS Security Advisory Packages updated: cvs Affected products: ImmunixOS 7.0, 7+ Bugs fixed: CAN-2003-0015 Date: Wed Apr 2 2003 Advisory ID: IMNX-2003-7+-004-01 Author: Seth Arnold <sarnold@wirex.com> ----------------------------------------------------------------------- Description: Stefan Esser discovered a double free() bug in CVS that can be remotely exploited by anonymous users to gain write access to the CVS repository. This write access can be converted into execute access using the CVS protocol commands "Checkin-prog" and "Update-prog". Igor Dobrovitski: "The impact of a successful exploitation is not that great: an unprivileged access to the system, where your calls to getuid() will return a number that's far from 0 (cvs drops provileges, and does it right)." We did not disable the Checkin-prog and Update-prog protocol commands; be aware that granting CVS write access is tantamount to also giving execute access on the repository. References: http://security.e-matters.de/advisories/012003.html http://www.securityfocus.com/archive/1/309913/2003-02-01/2003-02-04/0 Package names and locations: Precompiled binary packages for Immunix 7+ are available at: http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/cvs-1.11.1p1-4_imnx_2.i386.rpm Immunix OS 7+ md5sums: 543c97b146ef652d2a8497e83822ffc2 cvs-1.11.1p1-4_imnx_2.i386.rpm GPG verification: Our public key is available at <http://wirex.com/security/GPG_KEY>. NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/ or one of the many mirrors available at: http://www.ibiblio.org/pub/Linux/MIRRORS.html ImmunixOS 6.2 is no longer officially supported. ImmunixOS 7.0 is no longer officially supported. Contact information: To report vulnerabilities, please contact security@wirex.com. WireX attempts to conform to the RFP vulnerability disclosure protocol <http://www.wiretrip.net/rfp/policy.html>.
Attachment:
pgp00333.pgp
Description: PGP signature
