[PLSN-0005] new cvs package available

From: Peachtree Linux Security Team (security_at_peachtree.burdell.org)
Date: 04/26/05

    Date: Mon, 25 Apr 2005 22:12:54 -0400
    To: peachlnx-security@lists.sourceforge.net, bugtraq@securityfocus.com

    Peachtree Linux Security Notice PLSN-0005
    April 22, 2005

    Buffer overflow, memory leaks, and NULL pointer dereference in CVS
    CAN-2005-0753, http://www.cvshome.org/

    The following Peachtree Linux releases are affected:

       Peachtree Linux release 1 ("Atlanta")


       From the CVS changelog:

       Thanks to a report from Alen Zukich <alen.zukich@klocwork.com>, several
       minor security issues have been addressed. One was a buffer overflow
       that is potentially serious but which may not be exploitable, assigned
       CAN-2005-0753 by the Common Vulnerabilities and Exposures Project
       <http://www.cve.mitre.org>. Other fixes resulting from Alen's report
       include repair of an arbitrary free with no known exploit and several
       plugged memory leaks and potentially freed NULL pointers which may have
       been exploitable for a denial of service attack.

       Thanks to a report from Craig Monson <craig@malachiarts.com>, minor
       potential vulnerabilities in the contributed Perl scripts have been
       fixed. The confirmed vulnerability could allow the execution of
       arbitrary code on the CVS server, but only if a user already had commit
       access and if one of the contrib scripts was installed improperly, a
       condition which should have been quickly visible to any administrator.
       The complete description of the problem is here:
       <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>. If you were
       making use of any of the contributed trigger scripts on a CVS server,
       you should probably still replace them with the new versions, to be on
       the safe side.

       Unfortunately, our fix is incomplete. Taint-checking has been enabled
       in all the contributed Perl scripts intended to be run as trigger
       scripts, but no attempt has been made to ensure that they still run in
       taint mode. You will most likely have to tweak the scripts in some way
       to make them run. Please send any patches you find necessary back to
       <bug-cvs@gnu.org> so that we may again ship fully enabled scripts in
       the future.

       You should also make sure that any home-grown Perl scripts that you
       might have installed as CVS triggers also have taint-checking enabled.
       This can be done by adding `-T' on the scripts' #! lines. Please try
       running `perldoc perlsec' if you would like more information on
       general Perl security and taint-checking.


          177d487f2b06c39b844fa934609bed73  cvs-1.11.20.alpha.dist
          007de7131e2eb367b0f88b7f336052ed  cvs-1.11.20.i686.dist
          81ebb3159903205c189f808368d20dc5  cvs-1.11.20.ppc.dist


       Download the appropriate package for your release of Peachtree Linux,
       then upgrade your system to the new package:

          distadd -u packagename

       where packagename is the name of the package file from the list above.

       After upgrading the cvs package, kill and restart any CVS server
       processes you have running so that they pick up the new binary.

    Peachtree Linux Security Team
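As an added example (not part of the advisory, and not one of the CVS contrib scripts), here is a minimal loginfo-style trigger written to run under `-T` as the advisory recommends: it pins the environment, untaints each argument against a whitelist pattern before it reaches a file or a subprocess, and uses the list form of system() so no shell ever parses the arguments. The log file path and the use of /usr/bin/logger are assumptions.

```perl
#!/usr/bin/perl -T
# Hypothetical CVS loginfo-style trigger (added example). CVS runs it
# through the #! line, so -T takes effect; running it as "perl script.pl"
# without -T would fail with "Too late for -T".
use strict;
use warnings;

# perlsec recipe: taint mode refuses to start subprocesses while PATH and
# a few other environment variables are attacker-influenced, so pin them.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by extracting a whitelisted pattern; anything else aborts the
# trigger instead of silently reaching a shell.
sub untaint_path {
    my ($value) = @_;
    my ($clean) = $value =~ m{\A([\w./+-]+)\z}
        or die "refusing suspicious path argument: '$value'\n";
    return $clean;
}

# CVS passes the repository path first, then the changed file names; all of
# them are tainted because they originate from the committing client.
my $repo  = untaint_path(shift @ARGV // die "usage: $0 repodir files...\n");
my @files = map { untaint_path($_) } @ARGV;

# The commit message arrives on STDIN; it is logged but never placed in a
# command line.
my $message = do { local $/; <STDIN> } // '';

# Under -T, opening a file whose name is built from tainted data dies;
# after untaining the arguments above this open succeeds.
my $logfile = '/var/log/cvs-commits.log';   # assumed path
open my $log, '>>', $logfile or die "cannot open $logfile: $!\n";
printf $log "%s %s: %s\n%s\n", scalar localtime, $repo, join(' ', @files), $message;
close $log;

# List-form system(): the untainted strings are passed directly to execve,
# so shell metacharacters in a file name cannot change the command.
system('/usr/bin/logger', '-t', 'cvs-commit', "$repo: @files") == 0
    or warn "logger failed: $?\n";
```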
