From owner-freebsd-security@FreeBSD.ORG Fri Sep 9 19:34:14 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1320416A421; Fri, 9 Sep 2005 19:34:14 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD89843D79; Fri, 9 Sep 2005 19:34:11 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j89JYBjC032531; Fri, 9 Sep 2005 19:34:11 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j89JYBf4032529; Fri, 9 Sep 2005 19:34:11 GMT (envelope-from security-advisories@freebsd.org) Date: Fri, 9 Sep 2005 19:34:11 GMT Message-Id: <200509091934.j89JYBf4032529@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-05:20.cvsbug [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2005 19:34:14 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:20.cvsbug Security Advisory The FreeBSD Project Topic: Race condition in cvsbug Category: contrib Module: contrib_cvs Announced: 2005-09-07 Credits: Marcus Meissner Affects: All FreeBSD releases Corrected: 2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5) 2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE) 2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7) 2005-09-09 19:26:19 UTC (RELENG_5_3, 5.3-RELEASE-p22) 2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE) 2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12) 2005-09-09 19:24:22 UTC (RELENG_4_10, 4.10-RELEASE-p18) CVE Name: CAN-2005-2693 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2005-07-07 Initial release. v1.1 2005-07-09 Additional related issues fixed in FreeBSD 4.10 and 5.3. I. Background cvsbug(1) is a utility for reporting problems in the CVS revision control system. It is based on the GNATS send-pr(1) utility. II. Problem Description A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of send-pr(1) distributed with FreeBSD. In FreeBSD 4.10 and 5.3, some additional problems exist concerning temporary file usage in both cvsbug(1) and send-pr(1). III. Impact A local attacker could cause data to be written to any file to which the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has write access. This may cause damage in itself (e.g., by destroying important system files or documents) or may be used to obtain elevated privileges. IV. Workaround Do not use the cvsbug(1) utility on any system with untrusted users. Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with untrusted users. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.10] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch.asc [FreeBSD 5.3] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch.asc [FreeBSD 4.11 and 5.4] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/cvs/cvsbug # make obj && make depend && make && make install # cd /usr/src/gnu/usr.bin/send-pr # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.4 RELENG_4_11 src/UPDATING 1.73.2.91.2.13 src/sys/conf/newvers.sh 1.44.2.39.2.16 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.3.2.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.19 src/sys/conf/newvers.sh 1.44.2.34.2.20 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.2.6.2 src/gnu/usr.bin/send-pr/send-pr.sh 1.13.2.13.2.1 RELENG_5 src/contrib/cvs/src/cvsbug.in 1.1.1.3.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.16 src/sys/conf/newvers.sh 1.62.2.18.2.12 src/contrib/cvs/src/cvsbug.in 1.1.1.3.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.25 src/sys/conf/newvers.sh 1.62.2.15.2.27 src/contrib/cvs/src/cvsbug.in 1.1.1.3.4.1 src/gnu/usr.bin/send-pr/send-pr.sh 1.35.6.1 RELENG_6 src/contrib/cvs/src/cvsbug.in 1.1.1.3.8.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2693 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:20.cvsbug.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDIeKFFdaIBMps37IRApOpAJ9RRKHLnuyFOuaM1pN09Sn3Rysv4gCgiF+/ QJ1c9krguLbujP/YL4LaDP0= =5W0R -----END PGP SIGNATURE-----