[29683] in bugtraq
Immunix Secured OS 7+ cvs update
daemon@ATHENA.MIT.EDU (Immunix Security Team)
Mon Apr 7 16:08:43 2003
Date: Mon, 7 Apr 2003 12:25:31 -0700
From: Immunix Security Team <security@wirex.com>
To: bugtraq@securityfocus.com, immunix-announce@immunix.org,
linsec@lists.seifried.org
Message-ID: <20030407192531.GA23723@wirex.com>
Mail-Followup-To: bugtraq@securityfocus.com,
immunix-announce@immunix.org, linsec@lists.seifried.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="M9NhX3UHpAaciwkO"
Content-Disposition: inline
--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: cvs
Affected products: ImmunixOS 7.0, 7+
Bugs fixed: CAN-2003-0015
Date: Wed Apr 2 2003
Advisory ID: IMNX-2003-7+-004-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Stefan Esser discovered a double free() bug in CVS that can be
remotely exploited by anonymous users to gain write access to the CVS
repository. This write access can be converted into execute access
using the CVS protocol commands "Checkin-prog" and "Update-prog".
Igor Dobrovitski: "The impact of a successful exploitation is not
that great: an unprivileged access to the system, where your calls to
getuid() will return a number that's far from 0 (cvs drops provileges,
and does it right)."
We did not disable the Checkin-prog and Update-prog protocol commands;
be aware that granting CVS write access is tantamount to also giving
execute access on the repository.
References: http://security.e-matters.de/advisories/012003.html
http://www.securityfocus.com/archive/1/309913/2003-02-01/2003-02-04/0
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/cvs-1.11.1p1-4_imnx=
_2.i386.rpm
Immunix OS 7+ md5sums:
543c97b146ef652d2a8497e83822ffc2 cvs-1.11.1p1-4_imnx_2.i386.rpm
GPG verification: =
=20
Our public key is available at <http://wirex.com/security/GPG_KEY>. =
=20
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX=20
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--M9NhX3UHpAaciwkO
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj6R0KoACgkQVQcWL60UVMteagCfQjhkIKaFutcneCfVUFrI714g
AGIAn3vk+itixReDX88Fn3Loucx2DLWe
=5lLI
-----END PGP SIGNATURE-----
--M9NhX3UHpAaciwkO--
