On Wed, Feb 20, 2002 at 08:46:14AM +0100, knat_private wrote: > Hi all, > > it seems that cvs (version 1.10.7 from Debians stable repos) has a > bufferoverflow but I'm but sure if it's exploitable > > ls -la /usr/bin/cvs > -rwxr-xr-x 1 root root 490160 Mar 22 2000 /usr/bin/cvs > > no suid bit but it's owned by root > > cvs diff -C`perl -e "print 'a' x 300"` tables.sql > > Index: tables.sql > =================================================================== > RCS file: /opt/CVSROOT/procedit/sql/tables.sql,v > retrieving revision 1.1 > diff -u -3 -p > -Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-r1.1 tables.sql > cvs diff: context length specified twice > Segmentation fault (core dumped) > > but couldn't it help someone to get access to the system ? Depending on what sorts of things you are doing with setuid/setgid cvs to allow access to the repo, possibly... And possibly with a program that acts as a front-end for CVS, you may see a problem, but this depends largely on what CVS's code is doing at that point, anyway. I'd suggest looking at the source around the address CVS dies at, and seeing what exactly is going on. FWIW, people _do_ often make cvs setuid or setgid, for example doing something like: # who am i root # cvs -d /repo init And then make cvs run with root's gid (the group of /repo/*) so that everyone with access to the cvs executable can commit to /repo... First though, see if you can exploit it, then look for the impact.
This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 14:22:44 PST