From owner-freebsd-announce@FreeBSD.ORG Wed Sep 7 13:53:52 2005 Return-Path: X-Original-To: freebsd-announce@freebsd.org Delivered-To: freebsd-announce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4485416A41F; Wed, 7 Sep 2005 13:53:52 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2428B43D53; Wed, 7 Sep 2005 13:53:51 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j87DrpRw091785; Wed, 7 Sep 2005 13:53:51 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j87Drpgf091783; Wed, 7 Sep 2005 13:53:51 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 7 Sep 2005 13:53:51 GMT Message-Id: <200509071353.j87Drpgf091783@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:20.cvsbug X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Sep 2005 13:53:52 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:20.cvsbug Security Advisory The FreeBSD Project Topic: Race condition in cvsbug Category: contrib Module: contrib_cvs Announced: 2005-09-07 Credits: Marcus Meissner Affects: All FreeBSD releases Corrected: 2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5) 2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE) 2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7) 2005-09-07 13:43:50 UTC (RELENG_5_3, 5.3-RELEASE-p21) 2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE) 2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12) 2005-09-07 13:44:36 UTC (RELENG_4_10, 4.10-RELEASE-p17) CVE Name: CAN-2005-2693 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background cvsbug(1) is a utility for reporting problems in the CVS revision control system. It is based on the GNATS send-pr(1) utility. II. Problem Description A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of send-pr(1) distributed with FreeBSD. III. Impact A local attacker could cause data to be written to any file to which the user running cvsbug(1) has write access. This may cause damage in itself (e.g., by destroying important system files or documents) or may be used to obtain elevated privileges. IV. Workaround Do not use the cvsbug(1) utility on any system with untrusted users. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/cvs/cvsbug # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.4 RELENG_4_11 src/UPDATING 1.73.2.91.2.13 src/sys/conf/newvers.sh 1.44.2.39.2.16 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.3.2.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.18 src/sys/conf/newvers.sh 1.44.2.34.2.19 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.2.6.1 RELENG_5 src/contrib/cvs/src/cvsbug.in 1.1.1.3.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.16 src/sys/conf/newvers.sh 1.62.2.18.2.12 src/contrib/cvs/src/cvsbug.in 1.1.1.3.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.24 src/sys/conf/newvers.sh 1.62.2.15.2.26 src/contrib/cvs/src/cvsbug.in 1.1.1.3.4.1 RELENG_6 src/contrib/cvs/src/cvsbug.in 1.1.1.3.8.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2693 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:20.cvsbug.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDHu/6FdaIBMps37IRAhxYAJ49MNDG679kpBjO2EXAWpoWez97KQCfS1fp 6Rte2l8JoEPFfgene8dVWy0= =d52A -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Fri Sep 9 19:34:13 2005 Return-Path: X-Original-To: freebsd-announce@freebsd.org Delivered-To: freebsd-announce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49BAF16A41F; Fri, 9 Sep 2005 19:34:13 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3F8B43D78; Fri, 9 Sep 2005 19:34:11 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (cperciva@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j89JYBPg032522; Fri, 9 Sep 2005 19:34:11 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j89JYB76032520; Fri, 9 Sep 2005 19:34:11 GMT (envelope-from security-advisories@freebsd.org) Date: Fri, 9 Sep 2005 19:34:11 GMT Message-Id: <200509091934.j89JYB76032520@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:20.cvsbug [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: security-advisories@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Sep 2005 19:34:13 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:20.cvsbug Security Advisory The FreeBSD Project Topic: Race condition in cvsbug Category: contrib Module: contrib_cvs Announced: 2005-09-07 Credits: Marcus Meissner Affects: All FreeBSD releases Corrected: 2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5) 2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE) 2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7) 2005-09-09 19:26:19 UTC (RELENG_5_3, 5.3-RELEASE-p22) 2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE) 2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12) 2005-09-09 19:24:22 UTC (RELENG_4_10, 4.10-RELEASE-p18) CVE Name: CAN-2005-2693 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2005-07-07 Initial release. v1.1 2005-07-09 Additional related issues fixed in FreeBSD 4.10 and 5.3. I. Background cvsbug(1) is a utility for reporting problems in the CVS revision control system. It is based on the GNATS send-pr(1) utility. II. Problem Description A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of send-pr(1) distributed with FreeBSD. In FreeBSD 4.10 and 5.3, some additional problems exist concerning temporary file usage in both cvsbug(1) and send-pr(1). III. Impact A local attacker could cause data to be written to any file to which the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has write access. This may cause damage in itself (e.g., by destroying important system files or documents) or may be used to obtain elevated privileges. IV. Workaround Do not use the cvsbug(1) utility on any system with untrusted users. Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with untrusted users. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.10] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug410.patch.asc [FreeBSD 5.3] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug53.patch.asc [FreeBSD 4.11 and 5.4] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:20/cvsbug.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/cvs/cvsbug # make obj && make depend && make && make install # cd /usr/src/gnu/usr.bin/send-pr # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.4 RELENG_4_11 src/UPDATING 1.73.2.91.2.13 src/sys/conf/newvers.sh 1.44.2.39.2.16 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.3.2.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.19 src/sys/conf/newvers.sh 1.44.2.34.2.20 src/contrib/cvs/src/cvsbug.in 1.1.1.1.2.2.6.2 src/gnu/usr.bin/send-pr/send-pr.sh 1.13.2.13.2.1 RELENG_5 src/contrib/cvs/src/cvsbug.in 1.1.1.3.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.16 src/sys/conf/newvers.sh 1.62.2.18.2.12 src/contrib/cvs/src/cvsbug.in 1.1.1.3.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.25 src/sys/conf/newvers.sh 1.62.2.15.2.27 src/contrib/cvs/src/cvsbug.in 1.1.1.3.4.1 src/gnu/usr.bin/send-pr/send-pr.sh 1.35.6.1 RELENG_6 src/contrib/cvs/src/cvsbug.in 1.1.1.3.8.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2693 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:20.cvsbug.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFDIeKFFdaIBMps37IRApOpAJ9RRKHLnuyFOuaM1pN09Sn3Rysv4gCgiF+/ QJ1c9krguLbujP/YL4LaDP0= =5W0R -----END PGP SIGNATURE-----