[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: Help needed with bufferoverflow in cvs]

From: Martin Schulze
Subject: Re: [Fwd: Help needed with bufferoverflow in cvs]
Date: Wed, 20 Feb 2002 19:33:35 +0100
User-agent: Mutt/1.3.27i

Tollef Fog Heen wrote:
> | it seems that cvs (version 1.10.7 from Debians stable repos) has a
> | bufferoverflow but I'm but sure if it's exploitable
> | 
> | ls -la /usr/bin/cvs
> | -rwxr-xr-x    1 root     root       490160 Mar 22  2000 /usr/bin/cvs
> | 
> | no suid bit but it's owned by root
> That it's owned by root shouldn't matter.  The issue might be whether
> it's possible to exploit this through pserver.  I just got this
> message and haven't had the time to look at it yet.

Unfortunately, it is.

klecker!joey(pts/15):~/tmp/webwml> cvs diff -C`perl -e "print 'a' x 300"`  
Makefile || echo noe
Index: Makefile
RCS file: /cvs/webwml/webwml/Makefile,v
retrieving revision 1.29
diff -u 
 -r1.29 Makefile
cvs server: invalid context length argument
Terminated with fatal signal 11
klecker!joey(pts/15):~/tmp/webwml> cat CVS/Root

I guess you can exploit the remote server's uid.  Not promising.

Good to know that we've got a new CVS maintainer who will fix the
problem for us, will make my evening a little bit saner. :)



No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

reply via email to

[Prev in Thread] Current Thread [Next in Thread]