OpenBSD Patching

Applied patch couple of nights ago to my "aging" OpenBSD 3.3 system on my Toshiba laptop. Everything went okay! Following is the patch itself, & then some info on the into the nature of the vulnerability: ------------------------------------------------------------ Apply by doing: cd /usr/src patch -p0 < 022_cvs.patch And then rebuild and install cvs: cd gnu/usr.bin/cvs make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper make -f Makefile.bsd-wrapper install Index: gnu/usr.bin/cvs/src/client.c =========================================================== RCS file: /cvs/src/gnu/usr.bin/cvs/src/client.c,v retrieving revision 1.10 retrieving revision 1.10.4.1 diff -u -p -r1.10 -r1.10.4.1 --- gnu/usr.bin/cvs/src/client.c 6 Jul 2002 04:41:29 -0000 1.10 +++ gnu/usr.bin/cvs/src/client.c 1 May 2004 00:17:34 -0000 1.10.4.1 @@ -1003,6 +1003,20 @@ call_in_directory (pathname, func, data) char *rdirp; int reposdirname_absolute; + /* + * For security reasons, if PATHNAME is absolute or attempts to + * ascend outside of the current sandbox, we abort. The server should not + * send us anything but relative paths which remain inside the sandbox + * here. Anything less means a trojan CVS server could create and edit + * arbitrary files on the client. + */ + if (isabsolute (pathname) || pathname_levels (pathname) > 0) + { + error (0, 0, + "Server attempted to update a file via an invalid pathname:"); + error (1, 0, "`%s'.", pathname); + } + reposname = NULL; read_line (&reposname); assert (reposname != NULL); Index: gnu/usr.bin/cvs/src/modules.c =========================================================== RCS file: /cvs/src/gnu/usr.bin/cvs/src/modules.c,v retrieving revision 1.1.1.14 retrieving revision 1.1.1.14.8.2 diff -u -p -r1.1.1.14 -r1.1.1.14.8.2 --- gnu/usr.bin/cvs/src/modules.c 28 Sep 2001 22:45:38 -0000 1.1.1.14 +++ gnu/usr.bin/cvs/src/modules.c 1 May 2004 00:17:35 -0000 1.1.1.14.8.2 @@ -159,6 +159,24 @@ do_module (db, mname, m_type, msg, callb } #endif + /* Don't process absolute directories. Anything else could be a security + * problem. Before this check was put in place: + * + * $ cvs -d:fork:/cvsroot co /foo + * cvs server: warning: cannot make directory CVS in /: Permission denied + * cvs [server aborted]: cannot make directory /foo: Permission denied + * $ + */ + if (isabsolute (mname)) + error (1, 0, "Absolute module reference invalid: `%s'", mname); + + /* Similarly for directories that attempt to step above the root of the + * repository. + */ + if (pathname_levels (mname) > 0) + error (1, 0, "up-level in module reference (`..') invalid: `%s'.", + mname); + /* if this is a directory to ignore, add it to that list */ if (mname[0] == '!' && mname[1] != '\0') { ============================================================ ------------------------------------------------------------ Info on cvs vulnerability from: http://www.securitytracker.com/alerts/2004/May/1010074.html SecurityTracker Alert ID: 1010074 CVE Reference: CAN-2004-0405 (Links to External Site) Date: May 5 2004 Impact: Disclosure of user information Fix Available: Yes Vendor Confirmed: Yes Version(s): 1.11.15 Description: A vulnerability was reported in CVS. A remote authenticated user may be able to view arbitrary RCS files on the server. It is reported that a remote authenticated user can invoke a piped checkout of paths above $CVSROOT to view the contents of RCS archive files anywhere on a CVS server. This flaw can reportedly be triggered using relative pathnames containing the '../' directory traversal strings. Debian credited Derek Robert Price with discovering this flaw. Impact: A remote authenticated user can view RCS files located anywhere on the target system. Solution: OpenBSD has issued the following patches: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/comm on/017_cvs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch Vendor URL: www.cvshome.org/ (Links to External Site) Cause: Access control error, Input validation error Underlying OS: UNIX (OpenBSD) Underlying OS Comments: 3.3, 3.4, 3.5 Reported By: Otto Moerbeek Message History: This archive entry is a follow-up to the message listed below. Apr 19 2004 CVS Server Piped Checkout Input Validation Flaw Discloses RCS Files to Remote Authenticated Users