-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Advisory 2005-006

		 =================================
Topic:		Multiple vulnerabilities in CVS
Version:	NetBSD-current:	source prior to August 26, 2005

		NetBSD 2.1:	not affected

		NetBSD 2.0.3:	not affected

		NetBSD 2.0.2:	affected

		NetBSD 2.0:	affected

		NetBSD 1.6.2:	affected

		NetBSD 1.6.1:	affected

		NetBSD 1.6:	affected

		pkgsrc:		CVS packages prior to 1.11.20nb2
Severity:	Remote execution of arbitrary code, denial of service and

		local privilege escalation
Fixed:		NetBSD-current:		August 26, 2005

		NetBSD-3 branch:	August 26, 2005

						(3.0 will include the fix)

		NetBSD-2.0 branch:	August 26, 2005

						(2.0.3 includes the fix)

		NetBSD-2 branch:	August 26, 2005

						(2.1 includes the fix)

		NetBSD-1.6 branch:	August 26, 2005

						(1.6.3 will include the fix)

		pkgsrc:			cvs-1.11.20nb2 or higher

					correct the issues
Abstract

========
CVS has multiple vulnerabilities, ranging from remote execution of

arbitrary code to denial of service.  Most of the issues are when the

CVS server is running in pserver mode.
Technical Details

=================
There are multiple issues, summarised in the following list:
 * A heap overflow is present in the handling of "Entry" lines for CVS

   servers running in pserver mode.  An attacker would require write

   access to the repository to exploit this.
 * Problem handling malformed "Entry" lines and empty data lines,

   which could lead to a denial of service (crash), modification of

   critical program data or arbitrary code execution.
 * Double-free vulnerability in "error_prog_name" string leading to

   remote execution of arbitrary code.
 * Integer overflow in the "Max-dotdot" CVS protocol command resulting

   in denial of service.
 * The "serve_notify" function does not correctly handle empty data

   lines.  Using a crafted request an attacker could potentially

   execute arbitrary system commands.
 * An unspecified buffer overflow leading to remote execution of

   arbitrary code.
 * Insecure temporary file handling in cvsbug script which can lead to

   local privilege escalation.
Most of the issues are enabled when running CVS server mode (e.g. pserver).
CVE:	CAN-2004-0396, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417,

	CAN-2004-0418, CAN-2005-2693 and CAN-2005-0753
Solutions and Workarounds

=========================
If you run a CVS server we highly recommend you to upgrade your CVS

binary to 1.11.20, or 1.12.12 or higher.  This can be accomplished by

upgrading CVS in the base distribution or alternatively, deleting your

CVS binaries and updating from pkgsrc.  pkgsrc sources from 2005-08-27

in both HEAD and pkgsrc-2005Q2 contain the fix.
To check which version of CVS you are running enter "cvs -v" and look

for the version string.
The following instructions describe how to upgrade your CVS

binaries by updating your source tree and rebuilding and

installing a new version of CVS.
* NetBSD-current:
	Systems running NetBSD-current dated from before 2005-08-25

	should be upgraded to NetBSD-current dated 2005-08-26 or later.
	The following directories need to be updated from the

	netbsd-current CVS branch (aka HEAD):

		gnu/dist/cvs

		gnu/usr.bin/cvs
	To update from CVS, re-build, and re-install CVS:

		# cd src

		# cvs update -d -P gnu/dist/cvs gnu/usr.bin/cvs

		# cd gnu/usr.bin/cvs
		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
* NetBSD 2.0:
	The binary distribution of NetBSD 2.0 is vulnerable.
	NetBSD 2.1 and 2.0.3 include the fix.
	Systems running NetBSD 2.0 sources dated from before

	2005-08-25 should be upgraded from NetBSD 2.0 sources dated

	2005-08-26 or later.
	The following directories need to be updated from the

	netbsd-2-0 CVS branch:

		gnu/dist/cvs

		gnu/usr.bin/cvs
	To update from CVS, re-build, and re-install CVS:
		# cd src

		# cvs update -d -P -r netbsd-2-0 gnu/dist/cvs gnu/usr.bin/cvs

		# cd gnu/usr.bin/cvs
		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:
	The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.
	NetBSD 1.6.3 will include the fix.
	Systems running NetBSD 1.6 sources dated from before

	2005-08-25 should be upgraded from NetBSD 1.6 sources dated

	2005-08-26 or later.
	NetBSD 1.6.3 will include the fix.
	The following directories need to be updated from the

	netbsd-1-6 CVS branch:

		gnu/dist/cvs

		gnu/usr.bin/cvs
	To update from CVS, re-build, and re-install CVS:
		# cd src

		# cvs update -d -P -r netbsd-1-6 gnu/dist/cvs gnu/usr.bin/cvs

		# cd gnu/usr.bin/cvs
		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
Thanks To

=========
Sebastian Krahmer and

Stefan Esser 			Discovery and notification
Jun-ichiro "itojun" Hagino	Initial research, fix and documentation 
Matthias Scheler and

Takahiro Kambe 			Further fixes
Revision History

================
	2005-10-31	Initial release
More Information

================
Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at

  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.tx...
Information about NetBSD and NetBSD security can be found at

http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.

Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2005-006.txt,v 1.7 2005/10/31 06:40:04 gendalia Exp $
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2 (NetBSD)
iQCVAwUBQ2fKaj5Ru2/4N2IFAQKE4wP+KuycCCEBHqibLLE2k/Cv0RjDN3F9Ld9M

gLFySxpFwfYVkHAqs9J8A37qf6e07LbPQah8k89Rcy1lxhjKYzKXRsTWScLtZJcN

aZwGspv8lKQ5NUs+mWsf3FG1nSicroLgVwDbqOOQGp21zgPIGYecUnLfZ8vuD2jI

/XHPuVAQVsk=

=PcVV

-----END PGP SIGNATURE-----