J-Security Center


Title: CVS Multiple Vulnerabilities

Severity: CRITICAL

Description:

CVS is prone to multiple vulnerabilities. Some of these issues may be leveraged to execute arbitrary code, while other issues may only result in a denial of service.

The following specific vulnerabilities were reported:

A vulnerability (CAN-2004-0414) related to null termination exists in the code that fixes BID 10384, potentially resulting in a denial of service. This issue would only affect versions 1.11.16 and 1.12.8.

A double free heap corruption vulnerability (CAN-2004-0416) is exposed through the "Argumentx" command. This issue has been reported to be exploitable to execute arbitrary code.

Format string vulnerabilities exist in the CVS wrapper file (wrapper.c). These issues could be triggered through a wrapper line that contains format specifiers, potentially allowing for arbitrary code execution. However, the attacker must possess CVSROOT commit access to exploit these issues.

An integer overflow exists in the "Max-dotdot" CVS protocol command. This could permit a denial of service condition to occur.

A vulnerability (CAN-2004-0418) exists in the Serve_notify() function, allowing out-of-bounds writes to occur. This issue is triggered when an empty data line is provided by an attacker, allowing a single byte of memory to be corrupted. This issue is believed to be exploitable to execute arbitrary code in some circumstances, but this depends heavily on the memory layout and the underlying memory allocation routines.

A buffer underflow vulnerability exists when the server parses configuration files from CVSROOT that contain empty lines. This may pose a problem on big-endian systems; however, the attacker must possess CVSROOT commit access to exploit this issue.

Multiple integer overflow vulnerabilities were also reported. Some were reported to exist in the Argument command (CAN-2004-0417), but specific details about the other issues have not been publicized. However, it has been stated that many of these issues need CVSROOT commit access to be triggered or require very large amounts of data to be sent to the server. These issues, if exploited, would likely result in a crash.

It is believed that most of these issues do require access to the CVS server, though anonymous access may be sufficient in some cases. As noted above, some of the issues may require CVSROOT commit access, and so may only be exploited by an attacker who has gained this level of access or by an untrusted individual who has legitimate access.
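The conditions listed above (an Argumentx request with no preceding Argument, an out-of-range Max-dotdot value, an empty data line after Notify, oversized arguments, and empty lines or format specifiers in CVSROOT administrative files) can be checked for on the server side or in a protocol monitor. The following is an added example written for this page; it is not Juniper's attack-object signature and not CVS project code. The request keywords are real CVS client-protocol requests, but the size limits, the cvswrappers file name check, and the sample session are constructed assumptions for illustration.

```python
"""Heuristic checks for the CVS request stream and CVSROOT administrative
files, keyed to the conditions described in this advisory.  Added example;
not Juniper's attack-object signature and not CVS project code.  The size
limits and the sample session are constructed assumptions."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]   # (line number, rule name, offending line)

MAX_DOTDOT_LIMIT = 64     # assumption: no legitimate client needs more levels
MAX_ARG_LEN = 4096        # assumption: longer single arguments are suspicious


def scan_protocol(lines: List[str]) -> List[Finding]:
    """Flag client requests that match the malformed patterns in the advisory."""
    findings: List[Finding] = []
    prev_cmd: Optional[str] = None   # keyword of the previous request
    expect_notify_data = False        # True right after a "Notify" request
    for n, line in enumerate(lines, 1):
        if expect_notify_data:
            # Serve_notify() reads one data line after "Notify"; an empty one
            # is the trigger condition given for CAN-2004-0418.
            if line.strip() == "":
                findings.append((n, "empty-notify-data (CAN-2004-0418)", line))
            expect_notify_data = False
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "Argumentx" and prev_cmd not in ("Argument", "Argumentx"):
            # Argumentx continues a previous Argument; with nothing to append
            # to, the server takes the double-free path (CAN-2004-0416).
            findings.append((n, "orphan-Argumentx (CAN-2004-0416)", line))
        elif keyword in ("Argument", "Argumentx") and len(rest) > MAX_ARG_LEN:
            findings.append((n, "oversized-argument (CAN-2004-0417)", line[:40] + "..."))
        elif keyword == "Max-dotdot":
            value = rest.strip()
            # Only small non-negative integers make sense; anything else is the
            # kind of input that reaches the integer-overflow condition.
            if not re.fullmatch(r"\d{1,3}", value) or int(value) > MAX_DOTDOT_LIMIT:
                findings.append((n, "bad-Max-dotdot", line))
        elif keyword == "Notify":
            expect_notify_data = True
        prev_cmd = keyword
    return findings


def scan_cvsroot_config(filename: str, text: str) -> List[Finding]:
    """Pre-commit check for CVSROOT administrative files.

    Empty lines are flagged for every file (the buffer-underflow condition);
    '%' is flagged only in cvswrappers, where a wrapper line reaches the
    format-string calls in wrapper.c."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            findings.append((n, "empty-config-line", line))
        elif filename == "cvswrappers" and "%" in line:
            findings.append((n, "format-specifier-in-wrapper", line))
    return findings


# Constructed sample session (not a capture): a well-formed prefix followed by
# three requests that each match one of the rules above.
SAMPLE_SESSION = [
    "Root /cvsroot",
    "Argument -n",
    "Argumentx continued",      # fine: continues the Argument above
    "Max-dotdot 2",
    "Notify dir",
    "",                         # empty Notify data line
    "Argumentx orphan",         # no Argument to continue
    "Max-dotdot 99999999999",   # out of any sane range
]

if __name__ == "__main__":
    for lineno, rule, text in scan_protocol(SAMPLE_SESSION):
        print(f"line {lineno}: {rule}: {text!r}")
```

Running the script prints three findings for lines 6, 7 and 8 of the sample session. The checks are heuristics: a finding means the input matches a shape the advisory associates with a crash or corruption, not that an exploit succeeded, so treat them as triggers for upgrading to a fixed CVS release and for reviewing who holds CVSROOT commit access.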

This BID is pending further analysis and will be separated into individual BIDs corresponding to each specific vulnerability when analysis is complete.

Affected Products:

  • CVS CVS 1.10.7
  • CVS CVS 1.10.8
  • CVS CVS 1.11.0
  • CVS CVS 1.11.1
  • CVS CVS 1.11.1 p1
  • CVS CVS 1.11.10
  • CVS CVS 1.11.11
  • CVS CVS 1.11.14
  • CVS CVS 1.11.15
  • CVS CVS 1.11.16
  • CVS CVS 1.11.2
  • CVS CVS 1.11.3
  • CVS CVS 1.11.4
  • CVS CVS 1.11.5
  • CVS CVS 1.11.6
  • CVS CVS 1.12.1
  • CVS CVS 1.12.2
  • CVS CVS 1.12.5
  • CVS CVS 1.12.7
  • CVS CVS 1.12.8
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 IA-32
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • FreeBSD FreeBSD 1.1.5 .1
  • FreeBSD FreeBSD 2.0.0
  • FreeBSD FreeBSD 2.0.5
  • FreeBSD FreeBSD 2.1.0
  • FreeBSD FreeBSD 2.1.0 x
  • FreeBSD FreeBSD 2.1.5
  • FreeBSD FreeBSD 2.1.6
  • FreeBSD FreeBSD 2.1.6 .1
  • FreeBSD FreeBSD 2.1.7 .1
  • FreeBSD FreeBSD 2.2.0
  • FreeBSD FreeBSD 2.2.0 x
  • FreeBSD FreeBSD 2.2.2
  • FreeBSD FreeBSD 2.2.3
  • FreeBSD FreeBSD 2.2.4
  • FreeBSD FreeBSD 2.2.5
  • FreeBSD FreeBSD 2.2.6
  • FreeBSD FreeBSD 2.2.8
  • FreeBSD FreeBSD 2.x
  • FreeBSD FreeBSD 3.0.0
  • FreeBSD FreeBSD 3.0.0 -RELENG
  • FreeBSD FreeBSD 3.1.0
  • FreeBSD FreeBSD 3.1.0 x
  • FreeBSD FreeBSD 3.2.0
  • FreeBSD FreeBSD 3.2.0 x
  • FreeBSD FreeBSD 3.3.0
  • FreeBSD FreeBSD 3.3.0 x
  • FreeBSD FreeBSD 3.4.0
  • FreeBSD FreeBSD 3.4.0 x
  • FreeBSD FreeBSD 3.5.0
  • FreeBSD FreeBSD 3.5.0 -STABLE
  • FreeBSD FreeBSD 3.5.0 -STABLEpre050201
  • FreeBSD FreeBSD 3.5.0 -STABLEpre122300
  • FreeBSD FreeBSD 3.5.0 x
  • FreeBSD FreeBSD 3.5.1
  • FreeBSD FreeBSD 3.5.1 -RELEASE
  • FreeBSD FreeBSD 3.5.1 -STABLE
  • FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
  • FreeBSD FreeBSD 3.x
  • FreeBSD FreeBSD 4.0.0
  • FreeBSD FreeBSD 4.0.0 -RELENG
  • FreeBSD FreeBSD 4.0.0 .x
  • FreeBSD FreeBSD 4.0.0 alpha
  • FreeBSD FreeBSD 4.1.0
  • FreeBSD FreeBSD 4.1.1
  • FreeBSD FreeBSD 4.1.1 -RELEASE
  • FreeBSD FreeBSD 4.1.1 -STABLE
  • FreeBSD FreeBSD 4.10-PRERELEASE
  • FreeBSD FreeBSD 4.10.0
  • FreeBSD FreeBSD 4.10.0 -RELEASE
  • FreeBSD FreeBSD 4.10.0 -RELENG
  • FreeBSD FreeBSD 4.2.0
  • FreeBSD FreeBSD 4.2.0 -RELEASE
  • FreeBSD FreeBSD 4.2.0 -STABLE
  • FreeBSD FreeBSD 4.2.0 -STABLEpre050201
  • FreeBSD FreeBSD 4.2.0 -STABLEpre122300
  • FreeBSD FreeBSD 4.3.0
  • FreeBSD FreeBSD 4.3.0 -RELEASE
  • FreeBSD FreeBSD 4.3.0 -RELEASE-p38
  • FreeBSD FreeBSD 4.3.0 -RELENG
  • FreeBSD FreeBSD 4.3.0 -STABLE
  • FreeBSD FreeBSD 4.4.0
  • FreeBSD FreeBSD 4.4.0 -RELEASE-p42
  • FreeBSD FreeBSD 4.4.0 -RELENG
  • FreeBSD FreeBSD 4.4.0 -STABLE
  • FreeBSD FreeBSD 4.5.0
  • FreeBSD FreeBSD 4.5.0 -RELEASE
  • FreeBSD FreeBSD 4.5.0 -RELEASE-p32
  • FreeBSD FreeBSD 4.5.0 -RELENG
  • FreeBSD FreeBSD 4.5.0 -STABLE
  • FreeBSD FreeBSD 4.5.0 -STABLEpre2002-03-07
  • FreeBSD FreeBSD 4.6.0
  • FreeBSD FreeBSD 4.6.0 -RELEASE
  • FreeBSD FreeBSD 4.6.0 -RELEASE-p20
  • FreeBSD FreeBSD 4.6.0 -RELENG
  • FreeBSD FreeBSD 4.6.0 -STABLE
  • FreeBSD FreeBSD 4.6.2
  • FreeBSD FreeBSD 4.7.0
  • FreeBSD FreeBSD 4.7.0 -RELEASE
  • FreeBSD FreeBSD 4.7.0 -RELEASE-p17
  • FreeBSD FreeBSD 4.7.0 -RELENG
  • FreeBSD FreeBSD 4.7.0 -STABLE
  • FreeBSD FreeBSD 4.8.0
  • FreeBSD FreeBSD 4.8.0 -PRERELEASE
  • FreeBSD FreeBSD 4.8.0 -RELEASE-p7
  • FreeBSD FreeBSD 4.8.0 -RELENG
  • FreeBSD FreeBSD 4.9.0
  • FreeBSD FreeBSD 4.9.0 -PRERELEASE
  • FreeBSD FreeBSD 4.9.0 -RELENG
  • FreeBSD FreeBSD 5.0.0
  • FreeBSD FreeBSD 5.0.0 -RELEASE-p14
  • FreeBSD FreeBSD 5.0.0 -RELENG
  • FreeBSD FreeBSD 5.0.0 alpha
  • FreeBSD FreeBSD 5.1.0
  • FreeBSD FreeBSD 5.1.0 -RELEASE
  • FreeBSD FreeBSD 5.1.0 -RELEASE-p5
  • FreeBSD FreeBSD 5.1.0 -RELEASE/Alpha
  • FreeBSD FreeBSD 5.1.0 -RELENG
  • FreeBSD FreeBSD 5.2.0
  • FreeBSD FreeBSD 5.2.0 -RELEASE
  • FreeBSD FreeBSD 5.2.0 -RELENG
  • FreeBSD FreeBSD 5.2.1 -RELEASE
  • Gentoo Linux 1.4.0
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Single Network Firewall 7.2.0
  • OpenBSD OpenBSD -current
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenBSD 3.2
  • OpenBSD OpenBSD 3.3
  • OpenBSD OpenBSD 3.4
  • OpenBSD OpenBSD 3.5
  • OpenPKG OpenPKG 1.2.0
  • OpenPKG OpenPKG 1.3.0
  • OpenPKG OpenPKG 2.0.0
  • OpenPKG OpenPKG Current
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 sparc
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 alpha
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • SGI ProPack 2.4.0
  • SGI ProPack 3.0.0
  • Slackware Linux 8.1.0
  • WireX Immunix OS 7+
  • WireX Immunix OS 7.0.0
