OpenBSD Journal

Patch available for CVS overflow

Contributed by grey on from the patches dept.

Thanks to Brad Smith for informing me that there is a patch for 3.5 & 3.4 stable trees which fixes a vulnerability in Concurrent Versions System (CVS) used by OpenBSD. Though http://www.openbsd.org/errata.html will be updated shortly, in the meantime you can find patches on the ftp mirrors here for 3.5-stable and here for 3.4-stable.

Mailing list archives of the CVS changelog messages are here and here.

The advisory to which these patches are in response may be found at: http://security.e-matters.de/advisories/072004.html

(Comments are closed)


Comments
  1. By netchan (68.52.36.255) netchan at cotse dot net on

    Does W^X or some other obsd magic protect against this kind of vulnerability?

    Comments
    1. By Clint (24.131.187.140) on

      The advisory says that this is a heap overflow. W^X and such, as far as I know, only help protect against buffer overflow, not heap.

      Comments
      1. By sean (139.142.208.98) on

        Buffers are normally allocated in heap space. W^X and ProPolice protect you here but the application will crash instead of being exploitable.

        Comments
        1. By Anonymous Coward (209.162.224.62) on

          No, propolice works on the stack, it doesn't help a heap overflow. Did all openbsd supported arches get non-executable heaps, or is it still just the good arches?

          Comments
          1. By tedu (128.12.75.69) on

            most archs, including i386, have non exec heaps.

        2. By Otto (213.84.84.111) otto@drijf.net on http://www.drijf.net

          Some type of exploits may be caught by W^X, while others will not be caught.

          An example of an potential exploit that uses various existing features of CVS (I did not check if this is really doable, but I am sure this or similar attacks are possible):

          The CVS server can write files and execute external programs. This is all existing code. There is no need to insert new code into the heap to do the exploit.

          The only thing we have to do is to trick the CVS server into executing existing code using arguments the malicious clients supplies. Some of these arguments might be data stored on the heap. By manipulating the heap the CVS server could be fooled into executing a file you just uploaded.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]