[Advisory] SECURITY BUG in BitKeeper

From: Carl-Daniel Hailfinger (hailfinger-listsat_private)
Date: Mon Aug 18 2003 - 16:09:44 PDT

Next message: pixcrowanat_private: "Intersystems Cache database permissions vuln. BID:8070"

Previous message: SecureNet Service(SNS) Spiffy Reviews: "[SNS Advisory No.67] The Return of the Content-Disposition Vulnerability in IE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SySS Security Advisory

Date: 2003-07-25 (Published 2003-08-19)

Author: Carl-Daniel Hailfinger <hailfinger-listsat_private>
        SySS GmbH
        72070 Tübingen / Germany
        Phone: +49-7071-407856-0
        http://www.syss.de

Permanent URL: http://www.syss.de/advisories.php?id=7&year=2003

Application: BitKeeper

Affected versions: All versions <3.0.2

Application notes: BitKeeper is an advanced source code control system
like CVS, see http://www.bitkeeper.com

Vendor status: The vendor of BitKeeper is aware of the problem and has
documented it since at least two years. BitMover has been contacted by me
on 2003-07-25.

Type: Configuration error: insecure by default, fix is documented

Description: Certain parts of the trigger functionality in BitKeeper can
be abused by an attacker if a user accepts a patch containing specially
crafted files.

Severity: Critical.

Affected persons: Any user running bitkeeper and accepting patches from
outside of a trusted network - possibly the majority of Linux Kernel
developers.

Additional notes: I have an exploit readily available.

Because of the severity of this issue, BitMover has been contacted and is
working with SySS and the BK users to resolve the issue before exposing
the details of the problem.  There will be a followup security advisory in
2-4 weeks, after people feel that the problem has been contained; the
followup will disclose the details of the problem.

Workaround: If you are worried about it you can add
	export BK_NO_TRIGGERS=YES
to your .profile and the trigger functionality will be disabled.


Regards,
Carl-Daniel

- --
Carl-Daniel Hailfinger
Security Consultant
SySS GmbH
Friedrich-Dannenmann-Str. 2
D-72070 Tuebingen
Phone: +49-7071-407856-0
Mail: hailfinger-listsat_private
http://www.syss.de
Key fingerprint: B35E 0E38 9A18 3B25 209F  002E 4743 1599 A495 B6E5

-----BEGIN PGP SIGNATURE-----

iD4DBQE/QVyyR0MVmaSVtuURAq+uAJ0bE5rl7Khcz6R2T+hM8NJH/9fLqACY+J/T
z5E2BbUC9xxR4IR4LdOxcw==
=p2oN
-----END PGP SIGNATURE-----

Next message: pixcrowanat_private: "Intersystems Cache database permissions vuln. BID:8070"
Previous message: SecureNet Service(SNS) Spiffy Reviews: "[SNS Advisory No.67] The Return of the Content-Disposition Vulnerability in IE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 11:08:42 PDT