Vulnerability Development mailing list archives
Re: Help needed with bufferoverflow in cvs
From: "J. Mallett" <jmallett () NewGold NET>
Date: Wed, 20 Feb 2002 17:09:13 +0000
On Wed, Feb 20, 2002 at 08:46:14AM +0100, kn () insecurity dk wrote:
Hi all, it seems that cvs (version 1.10.7 from Debians stable repos) has a bufferoverflow but I'm but sure if it's exploitable ls -la /usr/bin/cvs -rwxr-xr-x 1 root root 490160 Mar 22 2000 /usr/bin/cvs no suid bit but it's owned by root cvs diff -C`perl -e "print 'a' x 300"` tables.sql Index: tables.sql =================================================================== RCS file: /opt/CVSROOT/procedit/sql/tables.sql,v retrieving revision 1.1 diff -u -3 -p -Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-r1.1 tables.sql cvs diff: context length specified twice Segmentation fault (core dumped) but couldn't it help someone to get access to the system ?
Depending on what sorts of things you are doing with setuid/setgid cvs to allow access to the repo, possibly... And possibly with a program that acts as a front-end for CVS, you may see a problem, but this depends largely on what CVS's code is doing at that point, anyway.

I'd suggest looking at the source around the address CVS dies at, and seeing what exactly is going on.

FWIW, people _do_ often make cvs setuid or setgid, for example doing something like:

# who am i
root
# cvs -d /repo init

And then make cvs run with root's gid (the group of /repo/*) so that everyone with access to the cvs executable can commit to /repo...

First though, see if you can exploit it, then look for the impact.
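
The impact question in this thread turns on whether the installed cvs binary carries a setuid or setgid bit, since root ownership alone (as in the `ls -la` output above) crosses no privilege boundary. An added example, not part of the original posts, that reports those bits and the owning ids for every `cvs` on PATH; the function names `priv_bits`, `report` and `audit` are hypothetical:

```shell
#!/bin/sh
# Added example: classify the privilege boundary of a binary such as cvs.
# A crash in a root-owned binary without these bits runs with the caller's
# own ids; with setuid/setgid it runs with the file owner's uid or gid.

# priv_bits FILE -> prints "setuid", "setgid", "setuid,setgid" or "none"
priv_bits() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    bits=""
    [ -u "$f" ] && bits="setuid"
    [ -g "$f" ] && bits="${bits:+$bits,}setgid"
    echo "${bits:-none}"
}

# report FILE -> one line: path, privilege bits, numeric owner and group
report() {
    f=$1
    b=$(priv_bits "$f") || { echo "$f: not found"; return 1; }
    # ls -ln fields: mode, link count, uid, gid, ...
    set -- $(ls -ln "$f")
    echo "$f: $b (owner uid $3, gid $4)"
}

# audit NAME -> report every executable NAME found on PATH
audit() {
    name=$1
    found=1
    old_ifs=$IFS
    IFS=:
    for d in $PATH; do
        IFS=$old_ifs
        [ -x "$d/$name" ] && { report "$d/$name"; found=0; }
    done
    IFS=$old_ifs
    return $found
}

audit cvs || echo "cvs: not found on PATH"
```

A result of `setgid` with the repository's group is the configuration described in the reply above, and is the case where a memory-corruption bug in cvs matters beyond the invoking user's own account.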