Re: [Fwd: Help needed with bufferoverflow in cvs]
From: Martin Schulze
Subject: Re: [Fwd: Help needed with bufferoverflow in cvs]
Date: Wed, 20 Feb 2002 19:33:35 +0100
User-agent: Mutt/1.3.27i

Tollef Fog Heen wrote:
> | it seems that cvs (version 1.10.7 from Debian's stable repos) has a
> | buffer overflow but I'm not sure if it's exploitable
> |
> | ls -la /usr/bin/cvs
> | -rwxr-xr-x 1 root root 490160 Mar 22 2000 /usr/bin/cvs
> |
> | no suid bit but it's owned by root
>
> That it's owned by root shouldn't matter. The issue might be whether
> it's possible to exploit this through pserver. I just got this
> message and haven't had the time to look at it yet.

Unfortunately, it is.

klecker!joey(pts/15):~/tmp/webwml> cvs diff -C`perl -e "print 'a' x 300"`
Makefile || echo noe
Index: Makefile
===================================================================
RCS file: /cvs/webwml/webwml/Makefile,v
retrieving revision 1.29
diff -u
-Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-r1.29 Makefile
cvs server: invalid context length argument
Terminated with fatal signal 11
noe
klecker!joey(pts/15):~/tmp/webwml> cat CVS/Root
:pserver:anonymous@cvs.debian.org:/cvs/webwml

I guess you can exploit the remote server's uid. Not promising.

Good to know that we've got a new CVS maintainer who will fix the
problem for us, will make my evening a little bit saner. :)

Regards,

Joey

--
No question is too silly to ask, but, of course, some are too silly
to answer. -- Perl book
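
An added example, not part of the original message and not code from cvs: the message shows a 300-byte `-C` argument reaching the server and crashing it, but not the faulty code, so this sketches only the defensive side, validating such an option argument and building the diagnostic in a fixed buffer. The names `parse_context_length`, `format_diag`, `MAX_CONTEXT_DIGITS` and `DIAG_SHOWN` and both limits are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CONTEXT_DIGITS 9  /* assumed cap; 999999999 fits in a 32-bit long */
#define DIAG_SHOWN 16         /* assumed: bytes of untrusted input echoed back */

/* Validate the argument of a -C style option: 1..9 decimal digits only.
 * Returns 0 and stores the value on success, -1 on anything else. */
int parse_context_length(const char *arg, long *out)
{
    long v = 0;
    size_t i;
    if (arg == NULL || out == NULL || arg[0] == '\0')
        return -1;
    for (i = 0; arg[i] != '\0'; i++) {
        if (i == MAX_CONTEXT_DIGITS)        /* over-long: stop reading here */
            return -1;
        if (arg[i] < '0' || arg[i] > '9')   /* no sign, space or letters */
            return -1;
        v = v * 10 + (arg[i] - '0');
    }
    *out = v;
    return 0;
}

/* Write the diagnostic into a fixed buffer without overrunning it; the
 * rejected argument is cut to DIAG_SHOWN bytes. Returns bytes stored. */
size_t format_diag(char *buf, size_t size, const char *arg)
{
    int n;
    if (size == 0)
        return 0;
    n = snprintf(buf, size, "invalid context length argument: %.*s%s",
                 DIAG_SHOWN, arg, strlen(arg) > DIAG_SHOWN ? "..." : "");
    if (n < 0)
        buf[0] = '\0';
    return n < 0 ? 0 : ((size_t)n < size ? (size_t)n : size - 1);
}

int main(void)
{
    char arg[301] = {0}, diag[64];  /* constructed input: 300 'a' bytes */
    long ctx;
    memset(arg, 'a', 300);
    if (parse_context_length(arg, &ctx) != 0 && format_diag(diag, sizeof diag, arg) > 0)
        puts(diag);
    return 0;
}
```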