OpenBSD Patching

May 27, 2004 at 1:21 am (BSD)

Applied a patch a couple of nights ago to my "aging" OpenBSD 3.3
system on my Toshiba laptop. Everything went okay! Following
is the patch itself, and then some info on the nature
of the vulnerability:

————————————————————

Apply by doing:
cd /usr/src
patch -p0 0)
+ {
+ error (0, 0,
+ “Server attempted to update a file via an invalid pathname:”);
+ error (1, 0, “`%s’.”, pathname);
+ }
+
reposname = NULL;
read_line (&reposname);
assert (reposname != NULL);
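Review bot: the condition guarding this block cannot be reviewed from this page; the hunk header and the `if (pathname_levels (...` line were lost in extraction along with the rest of the `patch -p0 <` command, so only the `> 0)` tail and the error path survive. What does survive is sound: `error (1, 0, "`%s'.", pathname)` is fatal, so the client aborts instead of continuing to act on a server-supplied pathname it has already judged invalid, which is the right failure mode. Note the direction of this check: the message "Server attempted to update a file via an invalid pathname" is the client distrusting the server, whereas the SecurityTracker entry quoted below and the modules.c hunk that follows concern the server rejecting a client's checkout path. The post only cites the server-side advisory, so the purpose of this client-side hunk is left unexplained.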
Index: gnu/usr.bin/cvs/src/modules.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/cvs/src/modules.c,v
retrieving revision 1.1.1.14
retrieving revision 1.1.1.14.8.2
diff -u -p -r1.1.1.14 -r1.1.1.14.8.2
— gnu/usr.bin/cvs/src/modules.c 28 Sep 2001 22:45:38 -0000 1.1.1.14
+++ gnu/usr.bin/cvs/src/modules.c 1 May 2004 00:17:35 -0000 1.1.1.14.8.2
@@ -159,6 +159,24 @@ do_module (db, mname, m_type, msg, callb
}
#endif

+ /* Don’t process absolute directories. Anything else could be a security
+ * problem. Before this check was put in place:
+ *
+ * $ cvs -d:fork:/cvsroot co /foo
+ * cvs server: warning: cannot make directory CVS in /: Permission denied
+ * cvs [server aborted]: cannot make directory /foo: Permission denied
+ * $
+ */
+ if (isabsolute (mname))
+ error (1, 0, “Absolute module reference invalid: `%s’”, mname);
+
+ /* Similarly for directories that attempt to step above the root of the
+ * repository.
+ */
+ if (pathname_levels (mname) > 0)
+ error (1, 0, “up-level in module reference (`..’) invalid: `%s’.”,
+ mname);
+
/* if this is a directory to ignore, add it to that list */
if (mname[0] == ‘!’ && mname[1] != ”)
{
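Review bot: the `pathname_levels (mname) > 0` check only closes the traversal the advisory describes if pathname_levels() tracks the running directory depth across the whole name, so that a reference such as `src/../../CVSROOT` counts as reaching one level above the root, rather than counting only leading `../` components; that helper is not part of this diff, so confirm its semantics before relying on the check. Placement is right: both rejections happen before the `!` ignore handling that follows, so a hostile name is refused before it is used for anything. Minor: the two new messages differ in style, `Absolute module reference invalid: ...` versus `up-level in module reference (`..') invalid: ...` (lowercase first word, trailing period); make them match.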
============================================================

————————————————————

Info on the CVS vulnerability, from:
http://www.securitytracker.com/alerts/2004/May/1010074.html

SecurityTracker Alert ID: 1010074
CVE Reference: CAN-2004-0405
Date: May 5 2004
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.11.15
Description: A vulnerability was reported in CVS. A remote
authenticated user may be able to view arbitrary RCS files on
the server.

It is reported that a remote authenticated user can invoke a piped
checkout of paths above $CVSROOT to view the contents of RCS archive
files anywhere on a CVS server. This flaw can reportedly be triggered
using relative pathnames containing the ‘../’ directory traversal strings.

Debian credited Derek Robert Price with discovering this flaw.
Impact: A remote authenticated user can view RCS files located anywhere
on the target system.
Solution: OpenBSD has issued the following patches:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/017_cvs.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/022_cvs.patch
Vendor URL: www.cvshome.org/
Cause: Access control error, Input validation error
Underlying OS: UNIX (OpenBSD)
Underlying OS Comments: 3.3, 3.4, 3.5
Reported By: Otto Moerbeek
Message History: This archive entry is a follow-up to the message
listed below.
Apr 19 2004: CVS Server Piped Checkout Input Validation
Flaw Discloses RCS Files to Remote Authenticated Users
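To make the traversal the advisory describes concrete, here is an added example (my own code, not from the OpenBSD patch or the CVS sources) that reimplements the two checks the modules.c hunk adds to do_module(): reject absolute module references, and reject any reference that at some point walks above the repository root. The names ref_is_absolute(), ref_uplevel_depth() and check_module_ref() and the sample module names are assumptions made for the demonstration; CVS's own isabsolute() and pathname_levels() are not shown on this page. It goes a little beyond the advisory's leading "../" case by catching ".." components anywhere in the name.

```c
/* Added example, not code from the OpenBSD patch or from CVS itself:
 * a self-contained reimplementation of the two checks the modules.c
 * hunk adds, so the traversal cases from the advisory can be tried
 * offline.  Function names are assumptions, not CVS's own. */
#include <stdio.h>
#include <string.h>

/* An absolute module reference starts at the filesystem root. */
static int ref_is_absolute(const char *name)
{
    return name[0] == '/';
}

/* Walk the name component by component, tracking how far above the
 * starting directory it reaches at any moment.  Returns the deepest
 * up-level excursion seen (0 = the name never escapes its start).
 * "../x" -> 1, "src/../../CVSROOT" -> 1, "src/../lib" -> 0, "..hidden" -> 0 */
static int ref_uplevel_depth(const char *name)
{
    int depth = 0;   /* current depth relative to start; negative = above it */
    int worst = 0;   /* most negative depth reached, as a positive count */
    const char *p = name;

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            depth--;                       /* ".." steps up one level */
            if (-depth > worst)
                worst = -depth;
        } else if (len != 0 && !(len == 1 && p[0] == '.')) {
            depth++;                       /* "" and "." leave depth unchanged */
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return worst;
}

/* Decide what do_module() should do with a module reference.  Returns
 * NULL when the name may be processed, otherwise the reason it must be
 * refused, mirroring the two error() calls in the hunk. */
const char *check_module_ref(const char *mname)
{
    if (ref_is_absolute(mname))
        return "Absolute module reference invalid";
    if (ref_uplevel_depth(mname) > 0)
        return "up-level in module reference (`..') invalid";
    return NULL;
}

int main(void)
{
    /* Constructed inputs (not from the page): the advisory's traversal
     * case, the patch comment's absolute case, and names that must
     * still be accepted. */
    const char *cases[] = {
        "../../etc/passwd,v", "/foo", "src/../../CVSROOT",
        "src/../lib", "..hidden/file", "module/sub", "./module", ""
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *why = check_module_ref(cases[i]);
        printf("%-22s %s\n", cases[i], why ? why : "ok");
    }
    return 0;
}
```

Build with cc -o modcheck modcheck.c and run it; "ok" means do_module() may proceed, anything else is the error the hunk would raise. The depth tracking is the important part: "src/../lib" ends where it started and is allowed, while "src/../../CVSROOT" dips one level above the root and is refused even though it does not begin with "../".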


ISO Making Batchfile

May 11, 2004 at 7:56 am (BSD)

Here's the batch file I use to create OpenBSD
ISOs from the snapshots I download:

rem switch to the C: drive, then into the directory holding the snapshot tree
c:
cd c:\openbsd
rem one mkisofs command on a single line: Rock Ridge (-r) plus Joliet (-J) names,
rem El Torito boot image (-b) with its catalog (-c), volume id (-V), application id (-A)
c:\cdrtools\mkisofs -v -r -T -l -L -J -V "OpenBSD3.5-current" -b 3.5/i386/cdrom35.fs -c boot.catalog -o c:/openbsd/snapshot/iso/OpenBSD3.5-current.iso -A "OpenBSD 3.5-current Install"
