[Full-Disclosure] [OpenPKG-SA-2003.052] OpenPKG Security Advisory (cvs)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 12/17/03

  • Next message: petard: "Re: [Full-Disclosure] Edonkey/Overnet Plugins Could Pose Harm"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 17 Dec 2003 13:01:55 +0100
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory The OpenPKG Project
    http://www.openpkg.org/security.html http://www.openpkg.org
    openpkg-security@openpkg.org openpkg@openpkg.org
    OpenPKG-SA-2003.052 17-Dec-2003
    ________________________________________________________________________

    Package: cvs
    Vulnerability: filesystem intrusion
    OpenPKG Specific: no

    Affected Releases: Affected Packages: Corrected Packages:
    OpenPKG CURRENT <= cvs-1.12.2-20031027 >= cvs-1.12.3-20031205
    OpenPKG 1.3 <= cvs-1.12.1-1.3.0 >= cvs-1.12.1-1.3.1
    OpenPKG 1.2 <= cvs-1.11.5-1.2.2 >= cvs-1.11.5-1.2.3

    Dependent Packages: none

    Description:
      According to a CVS [0] security update [1], a malformed module
      request can cause the CVS server to attempt to create directories
      and possibly files at the root of the filesystem holding the CVS
      repository. Even though filesystem permissions usually prevent the
      creation of these misplaced directories, the corrected OpenPKG
      packages include a CVS server which rejects such malformed requests.
      The Common Vulnerabilities and Exposures (CVE) project assigned the id
      CAN-2003-0977 [2] to the problem.

      Please check whether you are affected by running "<prefix>/bin/rpm
      -q cvs". If the "cvs" package is indeed installed and its version
      is affected (see above), please upgrade it immediately according to
      OpenPKG recommendations (see Solution). [3][4]

    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
      location, verify its integrity [9], build a corresponding binary RPM
      from it [3] and update your OpenPKG installation by applying the
      binary RPM [4]. For the current release OpenPKG 1.3, perform the
      following operations to permanently fix the security problem (for
      other releases adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.3/UPD
      ftp> get cvs-1.12.1-1.3.1.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm -v --checksig cvs-1.12.1-1.3.1.src.rpm
      $ <prefix>/bin/rpm --rebuild cvs-1.12.1-1.3.1.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/cvs-1.12.1-1.3.1.*.rpm
    ________________________________________________________________________

    References:
      [0] http://www.cvshome.org/
      [1] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=85
      [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
      [3] http://www.openpkg.org/tutorial.html#regular-source
      [4] http://www.openpkg.org/tutorial.html#regular-binary
      [5] ftp://ftp.openpkg.org/release/1.2/UPD/cvs-1.11.5-1.2.3.src.rpm
      [6] ftp://ftp.openpkg.org/release/1.3/UPD/cvs-1.12.1-1.3.1.src.rpm
      [7] ftp://ftp.openpkg.org/release/1.2/UPD/
      [8] ftp://ftp.openpkg.org/release/1.3/UPD/
      [9] http://www.openpkg.org/security.html#signature
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.
    ________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkg@openpkg.org>

    iD8DBQE/4ESigHWT4GPEy58RAqlHAKDWNcptxAw/fBrCZlCt9EB3oOZYHQCg4/yJ
    2L2AHtnVJFxsDz7DosQUeeI=
    =NJuM
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: petard: "Re: [Full-Disclosure] Edonkey/Overnet Plugins Could Pose Harm"

    Relevant Pages

    • [OpenPKG-SA-2003.052] OpenPKG Security Advisory (cvs)
      ... and possibly files at the root of the filesystem holding the CVS ... the corrected OpenPKG ... packages include a CVS server which rejects such malformed requests. ... $ ftp ftp.openpkg.org ...
      (Bugtraq)
    • [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
      ... According to an ISS X-Force security advisory, a vulnerability ... when transferring files from the FTP server in ASCII mode. ... and a buffer overflow can manifest if ProFTPD parses a specially ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Bugtraq)
    • [Full-Disclosure] [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
      ... According to an ISS X-Force security advisory, a vulnerability ... when transferring files from the FTP server in ASCII mode. ... and a buffer overflow can manifest if ProFTPD parses a specially ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Full-Disclosure)
    • [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)
      ... Affected Releases: Dependent Packages: ... Their attack requires the attacker to open millions of SSL/TLS ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Bugtraq)
    • [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml)
      ... Affected Releases: Dependent Packages: ... A flaw in the HTTP and FTP client sub-library of libxml2 ... If you have the "libxml" package installed and its version ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Bugtraq)