Bugtraq mailing list archives

Re: CVS DoS

From: kris () FREEBSD ORG (Kris Kennaway)
Date: Mon, 24 Apr 2000 13:57:57 -0700


On Sun, 23 Apr 2000, Michal Szymanski wrote:

behaviour, so long as it has been properly done. Unfortunately method of
generating new file names is very simple and weak. Every file name is easily
predictable and consists of two parts: /tmp/cvs-serv string and PID of the
current working cvs server:


It's irrelevant whether the tempfile name is "weak" or not - it *has* to
be predictable to other cvs servers to tell whether the repository is
locked!

The vulnerability described here is that users can write to the same part
of the filesystem used by CVS to maintain its lock state. It's also not
quite as serious as it might first sound, because anyone who can
legitimately connect to the CVS server remotely via CVS can cause a lock
to be taken out over any part of the repository, with the same effect.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>

Current thread:

Re: freebsd libncurses overflow, (continued)
- - - Re: freebsd libncurses overflow Kris Kennaway (Apr 24)
    - Re: freebsd libncurses overflow Przemyslaw Frasunek (Apr 25)
    - Re: freebsd libncurses overflow Bill Fumerola (Apr 24)
    - Re: freebsd libncurses overflow Theo de Raadt (Apr 26)
    - Denial of Service Against pcAnywhere. Vacuum (Apr 25)
  - Re: IE 5 security vulnerablity - circumventing Cross-framesecurity policy using Java/JavaScript (and disabling ActiveScripting is not that easy) Georgi Guninski (Apr 24)
  - Hotmail security hole - injecting JavaScript in IE using "@import url(http://host/hostile.css)" Georgi Guninski (Apr 24)
- ZoneAlarm Wally Whacker (Apr 20)
  - Re: ZoneAlarm Gary Buckmaster (Apr 22)
  - CVS DoS Michal Szymanski (Apr 23)
    - Re: CVS DoS Kris Kennaway (Apr 24)
    - Re: CVS DoS Kris Kennaway (Apr 24)
    - finding Meeting Maker passwords using tcpdump mhpower () MIT EDU (Apr 24)
    - ZoneAlarm Vulnerability Alfred Huger (Apr 25)
    - Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Laurent LEVIER (Apr 25)
    - Re: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Casper Dik (Apr 26)
    - Re: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Dimitri Avgoustakis (Apr 26)
    - Re: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Theodor R. Gislason (Apr 26)
    - SECURITY: UPDATED - RHSA-2000:014 New Piranha release available Cristian Gafton (Apr 26)
  - gpm-root initgroups() Koblinger Egmont (Apr 23)
  - Postgresql cleartext password storage Robert van der Meulen (Apr 23)

(Thread continues...)