OpenBSD Journal

SECURITY FIX: A double free in cvs(1)....

Contributed by jose on from the chunk-already-free dept.

Eleanor Rigby writes:
"006: SECURITY FIX: January 20, 2003 A double free in cvs(1) could allow an attacker to execute code with the privileges of the user running CVS. This is only an issue when the cvs command is being run on a user's behalf as a different user. This means that, in most cases, the issue only exists for CVS configurations that use the pserver client/server connection method. A source code patch exists which remedies the problem."
The original advisory states the problem quite clearly, and this morning I noticed that patch006 is available which fixes the problem. Instructions on how to apply the patch and rebuild your cvs(1) installation are included in the patch.

Comments
  1. By Anonymous Coward () on

    Wow, that's fast! Congratulations to the OpenBSD team for making the patch available so fast!

    (now where are the trolls who used to say that OpenBSD's patches are slow...)

  2. By Anonymous Coward () on

    Where are the patches for Apache?

    http://www.deadly.org/commentShow.php3?sid=20021105015933&pid=462
    Re: Patches
    by Miod Vallat (miod@openbsd.org) on Wednesday, November 06 @11:14AM
    A patch for the various httpd problems is in the works. Please be patient.

    Don't think that this is fast.

  3. By jose () on http://monkey.org/~jose/

    Date: Tue, 21 Jan 2003 12:05:28 -0700
    From: Todd C. Miller
    To: security-announce@openbsd.org
    Subject: patch for cvs security issue available

    There is a double free in cvs that could allow an attacker to execute
    code with the privileges of the user running cvs. This is only an
    issue when the cvs command is being run on a user's behalf as a
    different user. This means that, in most cases, the issue only
    exists for cvs configurations that use the "pserver" client/server
    connection method. If you use cvs via ssh then there is no privilege
    to escalate.

    OpenBSD anoncvs mirrors should not be affected by this since cvs
    is run in a chrooted environment where the anoncvs user does not
    have write permission.

    Credit goes to Stefan Esser for finding this issue.

    Patch for OpenBSD 3.2:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/006_cvs.patch

    Patch for OpenBSD 3.1:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/020_cvs.patch

    The 3.2-stable branch has been updated with the patch and the
    3.1-stable branch will be updated shortly.

    - todd

  4. By Michael van der Westhuizen () on

    I get the impression that there are some people who watch this site just to troll... grow up.

    If you don't like the way OpenBSD works, don't use it.

    If you're too lame to run -stable or maintain your own set of binary patches, don't use OpenBSD.

    If you're _that_ worried about arbitrary fixes not having patches released (lynx CD/LF, httpd cross site scripting etc.), create the patches yourself. It's all there, it's all in CVS.

    Most of the time the fixes released probably don't affect you at all anyway - you need to evaluate that yourself based on how you use OpenBSD.

    Rather than moan all the time you could try to contribute code... or maybe buy a CD... or maybe make a donation - if you do none of these, then STFU.

  5. By mra () on

    The person who found this bug said they managed to create a remote root exploit for it, but they aren't going to publish it. The zlib bug a while back was also a double free() bug although to my knowledge no exploit was ever made/released.

    Does anyone know how a double free() is exploitable? I'm not trying to create an exploit for this issue, I'm just trying to understand how a running program can be hijacked by trying to free() a chunk of memory twice.
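
    Comment 5 asks how freeing a chunk twice can go wrong. As an added example (not code from cvs, from the patch, or from OpenBSD's libc; the names tracked_malloc and tracked_free are assumed), the following keeps a table of live allocations so that a second free() of the same pointer is rejected instead of being handed to the allocator, and shows the usual mitigation of nulling a pointer once it has been freed:

```c
#include <stdlib.h>
#include <string.h>

/* Assumed example: a tiny double-free detector. Outstanding allocations are
 * recorded in a fixed table; freeing a pointer that is not in the table
 * (a double free or a wild free) is refused rather than passed to free(). */

#define MAX_LIVE 64

static void *live[MAX_LIVE];

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);          /* table full: refuse rather than lose track of p */
    return NULL;
}

/* Returns 1 if p was a live allocation (or NULL) and has been released,
 * 0 if p was not live, in which case free() is deliberately NOT called. */
static int tracked_free(void *p) {
    if (p == NULL) return 1;   /* free(NULL) is a no-op by the C standard */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    return 0;                  /* double free or wild free: caught */
}

/* The defect class: a buffer freed on an error path and again in cleanup.
 * Returns 1 when the second free is detected and refused. */
static int double_free_is_caught(void) {
    char *buf = tracked_malloc(32);
    if (buf == NULL) return -1;
    memset(buf, 'A', 31); buf[31] = '\0';
    int first = tracked_free(buf);    /* error path releases the buffer  */
    int second = tracked_free(buf);   /* cleanup releases it again       */
    return first == 1 && second == 0;
}

/* The idiomatic mitigation: null the pointer right after freeing it, so a
 * later free of the same variable is a harmless free(NULL). Returns 1. */
static int nulling_pointer_prevents_double_free(void) {
    char *buf = tracked_malloc(32);
    if (buf == NULL) return -1;
    tracked_free(buf);
    buf = NULL;
    return tracked_free(buf);
}
```

    Real allocators such as OpenBSD's detect some of these cases with their own checks; the table here only makes the failure visible in a small program.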

  6. By Anonymous Coward () on

    Shouldn't we be using languages that don't even have dangerous memory operations like free()?
