Custom Search

Thursday, May 27, 2004

OpenBSD Patching

Applied patch couple of nights ago to my "aging" OpenBSD 3.3 system on my Toshiba laptop. Everything went okay! Following is the patch itself, & then some info on the into the nature of the vulnerability: ------------------------------------------------------------ Apply by doing: cd /usr/src patch -p0 < 022_cvs.patch And then rebuild and install cvs: cd gnu/usr.bin/cvs make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper make -f Makefile.bsd-wrapper install Index: gnu/usr.bin/cvs/src/client.c =========================================================== RCS file: /cvs/src/gnu/usr.bin/cvs/src/client.c,v retrieving revision 1.10 retrieving revision 1.10.4.1 diff -u -p -r1.10 -r1.10.4.1 --- gnu/usr.bin/cvs/src/client.c 6 Jul 2002 04:41:29 -0000 1.10 +++ gnu/usr.bin/cvs/src/client.c 1 May 2004 00:17:34 -0000 1.10.4.1 @@ -1003,6 +1003,20 @@ call_in_directory (pathname, func, data) char *rdirp; int reposdirname_absolute; + /* + * For security reasons, if PATHNAME is absolute or attempts to + * ascend outside of the current sandbox, we abort. The server should not + * send us anything but relative paths which remain inside the sandbox + * here. Anything less means a trojan CVS server could create and edit + * arbitrary files on the client. + */ + if (isabsolute (pathname) || pathname_levels (pathname) > 0) + { + error (0, 0, + "Server attempted to update a file via an invalid pathname:"); + error (1, 0, "`%s'.", pathname); + } + reposname = NULL; read_line (&reposname); assert (reposname != NULL); Index: gnu/usr.bin/cvs/src/modules.c =========================================================== RCS file: /cvs/src/gnu/usr.bin/cvs/src/modules.c,v retrieving revision 1.1.1.14 retrieving revision 1.1.1.14.8.2 diff -u -p -r1.1.1.14 -r1.1.1.14.8.2 --- gnu/usr.bin/cvs/src/modules.c 28 Sep 2001 22:45:38 -0000 1.1.1.14 +++ gnu/usr.bin/cvs/src/modules.c 1 May 2004 00:17:35 -0000 1.1.1.14.8.2 @@ -159,6 +159,24 @@ do_module (db, mname, m_type, msg, callb } #endif + /* Don't process absolute directories. Anything else could be a security + * problem. Before this check was put in place: + * + * $ cvs -d:fork:/cvsroot co /foo + * cvs server: warning: cannot make directory CVS in /: Permission denied + * cvs [server aborted]: cannot make directory /foo: Permission denied + * $ + */ + if (isabsolute (mname)) + error (1, 0, "Absolute module reference invalid: `%s'", mname); + + /* Similarly for directories that attempt to step above the root of the + * repository. + */ + if (pathname_levels (mname) > 0) + error (1, 0, "up-level in module reference (`..') invalid: `%s'.", + mname); + /* if this is a directory to ignore, add it to that list */ if (mname[0] == '!' && mname[1] != '\0') { ============================================================ ------------------------------------------------------------ Info on cvs vulnerability from: http://www.securitytracker.com/alerts/2004/May/1010074.html SecurityTracker Alert ID: 1010074 CVE Reference: CAN-2004-0405 (Links to External Site) Date: May 5 2004 Impact: Disclosure of user information Fix Available: Yes Vendor Confirmed: Yes Version(s): 1.11.15 Description: A vulnerability was reported in CVS. A remote authenticated user may be able to view arbitrary RCS files on the server. It is reported that a remote authenticated user can invoke a piped checkout of paths above $CVSROOT to view the contents of RCS archive files anywhere on a CVS server. This flaw can reportedly be triggered using relative pathnames containing the '../' directory traversal strings. Debian credited Derek Robert Price with discovering this flaw. Impact: A remote authenticated user can view RCS files located anywhere on the target system. Solution: OpenBSD has issued the following patches: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/comm on/017_cvs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch Vendor URL: www.cvshome.org/ (Links to External Site) Cause: Access control error, Input validation error Underlying OS: UNIX (OpenBSD) Underlying OS Comments: 3.3, 3.4, 3.5 Reported By: Otto Moerbeek Message History: This archive entry is a follow-up to the message listed below. Apr 19 2004 CVS Server Piped Checkout Input Validation Flaw Discloses RCS Files to Remote Authenticated Users