patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
		
			
				
	
	
		
			148 lines
		
	
	
	
		
			5.6 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
			
		
		
	
	
			148 lines
		
	
	
	
		
			5.6 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
| -----BEGIN PGP SIGNED MESSAGE-----
 | |
| Hash: SHA1
 | |
| 
 | |
| =============================================================================
 | |
| FreeBSD-SA-05:20.cvsbug                                     Security Advisory
 | |
|                                                           The FreeBSD Project
 | |
| 
 | |
| Topic:          Race condition in cvsbug
 | |
| 
 | |
| Category:       contrib
 | |
| Module:         contrib_cvs
 | |
| Announced:      2005-09-07
 | |
| Credits:        Marcus Meissner
 | |
| Affects:        All FreeBSD releases
 | |
| Corrected:      2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5)
 | |
|                 2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE)
 | |
|                 2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7)
 | |
|                 2005-09-09 19:26:19 UTC (RELENG_5_3, 5.3-RELEASE-p22)
 | |
|                 2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE)
 | |
|                 2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12)
 | |
|                 2005-09-09 19:24:22 UTC (RELENG_4_10, 4.10-RELEASE-p18)
 | |
| CVE Name:       CAN-2005-2693
 | |
| 
 | |
| For general information regarding FreeBSD Security Advisories,
 | |
| including descriptions of the fields above, security branches, and the
 | |
| following sections, please visit
 | |
| <URL:http://www.freebsd.org/security/>.
 | |
| 
 | |
| 0.   Revision History
 | |
| 
 | |
| v1.0 2005-07-07  Initial release.
 | |
| v1.1 2005-07-09  Additional related issues fixed in FreeBSD 4.10 and 5.3.
 | |
| 
 | |
| I.   Background
 | |
| 
 | |
| cvsbug(1) is a utility for reporting problems in the CVS revision
 | |
| control system.  It is based on the GNATS send-pr(1) utility.
 | |
| 
 | |
| II.  Problem Description
 | |
| 
 | |
| A temporary file is created, used, deleted, and then re-created with
 | |
| the same name.  This creates a window during which an attacker could
 | |
| replace the file with a link to another file.  While cvsbug(1) is based
 | |
| on the send-pr(1) utility, this problem does not exist in the version
 | |
| of send-pr(1) distributed with FreeBSD.
 | |
| 
 | |
| In FreeBSD 4.10 and 5.3, some additional problems exist concerning
 | |
| temporary file usage in both cvsbug(1) and send-pr(1).
 | |
| 
 | |
| III. Impact
 | |
| 
 | |
| A local attacker could cause data to be written to any file to which
 | |
| the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has
 | |
| write access.  This may cause damage in itself (e.g., by destroying
 | |
| important system files or documents) or may be used to obtain elevated
 | |
| privileges.
 | |
| 
 | |
| IV.  Workaround
 | |
| 
 | |
| Do not use the cvsbug(1) utility on any system with untrusted users.
 | |
| 
 | |
| Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with
 | |
| untrusted users.
 | |
| 
 | |
| V.   Solution
 | |
| 
 | |
| Perform one of the following:
 | |
| 
 | |
| 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
 | |
| RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
 | |
| dated after the correction date.
 | |
| 
 | |
| 2) To patch your present system:
 | |
| 
 | |
| The following patches have been verified to apply to FreeBSD 4.10, 
 | |
| 4.11, 5.3, and 5.4 systems.
 | |
| 
 | |
| a) Download the relevant patch from the location below, and verify the
 | |
| detached PGP signature using your PGP utility.
 | |
| 
 | |
| [FreeBSD 4.10]
 | |
| # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch
 | |
| # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch.asc
 | |
| 
 | |
| [FreeBSD 5.3]
 | |
| # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch
 | |
| # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch.asc
 | |
| 
 | |
| [FreeBSD 4.11 and 5.4]
 | |
| # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch
 | |
| # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch.asc
 | |
| 
 | |
| b) Execute the following commands as root:
 | |
| 
 | |
| # cd /usr/src
 | |
| # patch < /path/to/patch
 | |
| # cd /usr/src/gnu/usr.bin/cvs/cvsbug
 | |
| # make obj && make depend && make && make install
 | |
| # cd /usr/src/gnu/usr.bin/send-pr
 | |
| # make obj && make depend && make && make install
 | |
| 
 | |
| VI.  Correction details
 | |
| 
 | |
| The following list contains the revision numbers of each file that was
 | |
| corrected in FreeBSD.
 | |
| 
 | |
| Branch                                                           Revision
 | |
|   Path
 | |
| - -------------------------------------------------------------------------
 | |
| RELENG_4
 | |
|   src/contrib/cvs/src/cvsbug.in                               1.1.1.1.2.4
 | |
| RELENG_4_11
 | |
|   src/UPDATING                                             1.73.2.91.2.13
 | |
|   src/sys/conf/newvers.sh                                  1.44.2.39.2.16
 | |
|   src/contrib/cvs/src/cvsbug.in                           1.1.1.1.2.3.2.1
 | |
| RELENG_4_10
 | |
|   src/UPDATING                                             1.73.2.90.2.19
 | |
|   src/sys/conf/newvers.sh                                  1.44.2.34.2.20
 | |
|   src/contrib/cvs/src/cvsbug.in                           1.1.1.1.2.2.6.2
 | |
|   src/gnu/usr.bin/send-pr/send-pr.sh                        1.13.2.13.2.1
 | |
| RELENG_5
 | |
|   src/contrib/cvs/src/cvsbug.in                               1.1.1.3.2.1
 | |
| RELENG_5_4
 | |
|   src/UPDATING                                            1.342.2.24.2.16
 | |
|   src/sys/conf/newvers.sh                                  1.62.2.18.2.12
 | |
|   src/contrib/cvs/src/cvsbug.in                               1.1.1.3.6.1
 | |
| RELENG_5_3
 | |
|   src/UPDATING                                            1.342.2.13.2.25
 | |
|   src/sys/conf/newvers.sh                                  1.62.2.15.2.27
 | |
|   src/contrib/cvs/src/cvsbug.in                               1.1.1.3.4.1
 | |
|   src/gnu/usr.bin/send-pr/send-pr.sh                             1.35.6.1
 | |
| RELENG_6
 | |
|   src/contrib/cvs/src/cvsbug.in                               1.1.1.3.8.1
 | |
| - -------------------------------------------------------------------------
 | |
| 
 | |
| VII. References
 | |
| 
 | |
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2693
 | |
| 
 | |
| The latest revision of this advisory is available at
 | |
| ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:20.cvsbug.asc
 | |
| -----BEGIN PGP SIGNATURE-----
 | |
| Version: GnuPG v1.4.1 (FreeBSD)
 | |
| 
 | |
| iD8DBQFDIeKFFdaIBMps37IRApOpAJ9RRKHLnuyFOuaM1pN09Sn3Rysv4gCgiF+/
 | |
| QJ1c9krguLbujP/YL4LaDP0=
 | |
| =5W0R
 | |
| -----END PGP SIGNATURE-----
 |