Re: Help needed with bufferoverflow in cvs

["J. Mallett" <jmallett () NewGold NET>]

On Wed, Feb 20, 2002 at 08:46:14AM +0100, kn () insecurity dk wrote:
> Hi all,
>
> it seems that cvs (version 1.10.7 from Debians stable repos) has a
> bufferoverflow but I'm but sure if it's exploitable
>
> ls -la /usr/bin/cvs
> -rwxr-xr-x    1 root     root       490160 Mar 22  2000 /usr/bin/cvs
>
> no suid bit but it's owned by root
>
> cvs diff -C`perl -e "print 'a' x 300"` tables.sql
>
> Index: tables.sql
> ===================================================================
> RCS file: /opt/CVSROOT/procedit/sql/tables.sql,v
> retrieving revision 1.1
> diff -u -3 -p
> -Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-r1.1
>  tables.sql
> cvs diff: context length specified twice
> Segmentation fault (core dumped)
>
> but couldn't it help someone to get access to the system ?

Depending on what sorts of things you are doing with setuid/setgid
cvs to allow access to the repo, possibly...  And possibly with a
program that acts as a front-end for CVS, you may see a problem, but
this depends largely on what CVS's code is doing at that point, anyway.

I'd suggest looking at the source around the address CVS dies at,
and seeing what exactly is going on.

FWIW, people _do_ often make cvs setuid or setgid, for example doing
something like:

        # who am i
        root
        # cvs -d /repo init

And then make cvs run with root's gid (the group of /repo/*) so that
everyone with access to the cvs executable can commit to /repo...

First though, see if you can exploit it, then look for the impact.