From owner-freebsd-bugs Fri May 31 08:50:07 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D169737B404
	for ; Fri, 31 May 2002 08:50:03 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g4VFo3739248;
	Fri, 31 May 2002 08:50:03 -0700 (PDT)
	(envelope-from gnats)
Date: Fri, 31 May 2002 08:50:03 -0700 (PDT)
Message-Id: <200205311550.g4VFo3739248@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: Makoto Matsushita
Subject: Re: bin/38765: CVS Daemon Vulnerability in 1.11.1p1
Reply-To: Makoto Matsushita
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The following reply was made to PR bin/38765; it has been noted by GNATS.

From: Makoto Matsushita
To: Alex Dupre
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/38765: CVS Daemon Vulnerability in 1.11.1p1
Date: Sat, 01 Jun 2002 00:48:05 +0900

sysadmin> Due to a boundary condition error, it may be possible for a
sysadmin> local attacker to execute arbitrary code. The rcs.c file
sysadmin> contains an off-by-one error that could result in an
sysadmin> attacker overwriting portions of stack memory, and executing
sysadmin> arbitrary code.

Is this bug fixed *really* in cvs-1.11.2? How did you confirm that?

According to http://ccvs.cvshome.org/source/browse/ccvs/src/rcs.c,
rev 1.259 is the fix. However, this change occurred *after* 1.11.2 was
released. And, cvs-1.11.1 doesn't have this code.

Sorry if I'm wrong.

-- 
- Makoto `MAR' Matsushita

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
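The advisory text quoted in the PR describes an off-by-one that lets a token copy write one byte past a fixed-size stack buffer. The block below is an added example for readers of the thread; it is not code from CVS's rcs.c or from anyone in this discussion. It shows a hypothetical token-copy routine of the kind that produces such a bug, with the bound corrected so the terminating NUL always fits, plus an arithmetic-only model of the buggy loop that reports which index it would have written without touching memory. All function and buffer names are invented for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy one space-delimited token from src into dst (capacity dstlen),
 * NUL-terminating it. Returns the number of bytes copied, or -1 if the
 * token plus its NUL would not fit. The bound is "i + 1 >= dstlen":
 * the highest index ever written is dstlen - 1, the buffer's last slot.
 * Hypothetical code, not from CVS. */
int copy_token(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;

    while (src[i] != '\0' && src[i] != ' ') {
        if (i + 1 >= dstlen)        /* reserve the last slot for the NUL */
            return -1;
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* The classic off-by-one: a loop bounded by "i < dstlen" copies up to
 * dstlen bytes and then places the NUL at dst[dstlen], one past the end.
 * This model only computes the index that NUL write would land on, so it
 * can be demonstrated safely. Returns the index of the final write. */
size_t buggy_nul_index(size_t dstlen, size_t toklen)
{
    size_t i = 0;
    while (i < toklen && i < dstlen)   /* buggy bound: should be dstlen - 1 */
        i++;
    return i;                          /* buggy code writes dst[i] = '\0' here */
}

/* 1 if the buggy loop's final write lands outside the buffer. */
int buggy_overflows(size_t dstlen, size_t toklen)
{
    return buggy_nul_index(dstlen, toklen) >= dstlen;
}

int main(void)
{
    char buf[16];                       /* constructed: 16-byte stack buffer */
    const char *line = "sixteen_chars_ab tail";   /* constructed input */
    int n = copy_token(buf, sizeof buf, line);

    printf("corrected copy: %d (%s)\n", n, n < 0 ? "rejected, no room for NUL" : buf);
    printf("buggy loop would write NUL at index %zu of %zu-byte buffer: %s\n",
           buggy_nul_index(sizeof buf, 16), sizeof buf,
           buggy_overflows(sizeof buf, 16) ? "OVERFLOW" : "ok");
    return 0;
}
```

The corrected routine refuses any token whose length equals or exceeds the buffer size, because the NUL needs the last slot; the buggy bound accepts a token exactly as long as the buffer and so writes one byte past it, which is precisely the single-byte stack corruption the advisory describes.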