From owner-freebsd-security@FreeBSD.ORG Mon Dec 15 08:08:53 2003
Message-Id: <5.0.2.1.1.20031215155516.02e4e820@popserver.sfu.ca>
Date: Mon, 15 Dec 2003 16:08:42 +0000
To: Mike Tancsa ,
From: Colin Percival
In-Reply-To: <6.0.1.1.0.20031215104607.04fd2b48@209.112.4.2>
References: <5.0.2.1.1.20031211011207.01cb9d60@popserver.sfu.ca> <20031211010804.371685299@ftp.bjpu.edu.cn> <5.0.2.1.1.20031211011207.01cb9d60@popserver.sfu.ca>
Subject: Re: cvs version 1.11.10 import? [security fix]
List-Id: Security issues [members-only posting]

At 10:46 15/12/2003 -0500, Mike Tancsa wrote:
>Hi, did you ever find out if this security issue does affect FreeBSD?

I think it does. As far as I can tell, it seems to cause problems when CVSROOT is :local:/something. I'm not sure if this is actually exploitable -- I can't see any indication that the cvs people know, either -- but the buggy code is definitely in FreeBSD.

Since they don't seem to have published it, I've extracted the relevant patch from CVS's CVS tree and included it below.

Colin Percival

=================================================================== RCS file: /usr/local/tigris/data/helm/cvs/repository/ccvs/src/expand_path.c,v retrieving revision 1.21 retrieving revision 1.21.6.1 diff -u -r1.21 -r1.21.6.1 --- ccvs/src/expand_path.c 2001/01/09 13:59:59 1.21 +++ ccvs/src/expand_path.c 2003/12/03 19:22:01 1.21.6.1 @@ -272,7 +272,7 @@ int line; { if (strcmp (name, CVSROOT_ENV) == 0) - return current_parsed_root->original; + return current_parsed_root->directory; else if (strcmp (name, "RCSBIN") == 0) { error (0, 0, "RCSBIN internal variable is no longer supported");
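
Review bot: The changed return in the `CVSROOT_ENV` branch of ccvs/src/expand_path.c has no comment saying why `current_parsed_root->directory` is the right field and `->original` was not, so the reason for the fix is easy to lose in a later merge. The message above ties the problem to a CVSROOT of the form :local:/something, so a one-line comment stating that the expansion must be the repository directory and not the root string as the user wrote it would record the intent. Any other use of `current_parsed_root->original` as a path deserves the same check. The hunk shows no log message or test input, so a regression case with a `:local:` root would be worth adding alongside it.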