From owner-doc-jp-work@jp.FreeBSD.org Wed Feb  5 04:46:00 2003
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id h14Jk0v41537;
	Wed, 5 Feb 2003 04:46:00 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from smtp.eos.ocn.ne.jp (eos.ocn.ne.jp [211.6.83.117])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id h14Jk0J41532
	for <doc-jp-work@jp.FreeBSD.org>; Wed, 5 Feb 2003 04:46:00 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.allbsd.org (p39026-adsao12honb4-acca.tokyo.ocn.ne.jp [219.161.136.26])
	by smtp.eos.ocn.ne.jp (Postfix) with ESMTP id ED6C140E9
	for <doc-jp-work@jp.FreeBSD.org>; Wed,  5 Feb 2003 04:45:59 +0900 (JST)
Received: from localhost (alph.allbsd.org [192.168.0.10])
	by mail.allbsd.org (8.12.6/3.7W/DomainMaster) with ESMTP id h14JjiJ8086609
	for <doc-jp-work@jp.FreeBSD.org>; Wed, 5 Feb 2003 04:45:45 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Message-Id: <20030205.044400.78763157.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200302041846.h14IkYGD050787@freefall.freebsd.org>
References: <200302041846.h14IkYGD050787@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 2.2 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Wed_Feb__5_04:44:00_2003_162)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Wed, 05 Feb 2003 04:44:00 +0900
X-Sequence: doc-jp-work 593
Subject: [doc-jp-work 593] Re: FreeBSD Security Advisory FreeBSD-SA-03:01.cvs
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+030107

----Next_Part(Wed_Feb__5_04:44:00_2003_162)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 03:01 $B$G$9!#(B

  # $B=P$k$NCY$9$.!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)

----Next_Part(Wed_Feb__5_04:44:00_2003_162)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="03:01"

FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-03:01.cvs (2003-02-04)
 * remotely exploitable vulnerability in cvs server
=============================================================================

 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-03:01.cvs
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
  Date: Tue, 4 Feb 2003 10:46:34 -0800 (PST)
  Message-Id: <200302041846.h14IkYGD050787@freefall.freebsd.org>
  X-Sequence: announce-jp xxx

 $B$rF|K\8lLu$7$?$b$N$G$9!#(B

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,!"$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s!#(B
 $B=$@5%Q%C%AEy$NFbMF$,2~$6$s$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O!"86J8$r;2>H$7$F$/$@$5$$!#(B

 $BF|K\8lLu$*$h$S%_%i!<%5%$%HMxMQ$N>\:Y$K$D$$$F$O!"J8Kv$N!V(BA. FreeBSD
 $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F!W$r$4Mw$/$@$5$$!#(B


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-03:01.cvs                                        Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:	cvs $B%5!<%P$K$*$1$k%j%b!<%H$+$i0-MQ2DG=$J%;%-%e%j%F%#>e$N<eE@(B
                (remotely exploitable vulnerability in cvs server)

$BJ,N`(B:		contrib
$B%b%8%e!<%k(B:	contrib_cvs
$B9pCNF|(B:		2003-02-04
$B%/%l%8%C%H(B:	Stefan Esser <s.esser@e-matters.de>
$B1F6AHO0O(B:	4.6-RELEASE-p7, 4.7-RELEASE-p4, 5.0-RELEASE-p1 $B$h$jA0$N(B
                $B$9$Y$F$N%P!<%8%g%s$N(B FreeBSD
$B=$@5F|(B:		2003-01-21 22:26:46 UTC (RELENG_4)
                2003-02-04 18:05:07 UTC (RELENG_5_0)
                2003-02-04 18:07:20 UTC (RELENG_4_7)
                2003-02-04 18:08:26 UTC (RELENG_4_6)
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

The Concurrent Versions System (CVS) is a version control system.  It
may be used to access a repository locally, or to access a `remote
repository' using several different methods, including `ext' (rsh),
and `pserver' (password-authenticated server).  When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

Concurrent Versions System (CVS) $B$O!"%P!<%8%g%s4IM}%7%9%F%`$N0l$D$G$9!#(B
CVS $B$G$O!"%j%]%8%H%j(B ($BLuCm(B: CVS $B$G4IM}$5$l$k%G!<%?$NJ]4I>l=j$N$3$H(B) $B$K(B
$B%m!<%+%k$+$i!"$"$k$$$O%j%b!<%H$G%"%/%;%9$9$k$3$H$,2DG=$G$9!#(B
$B%j%b!<%H$G%"%/%;%9$9$kJ}K!$K$O!"(B`ext' (rsh) $B$d(B `pserver' ($B%Q%9%o!<%I(B
$BG'>Z%5!<%P(B) $B$J$I!"$$$/$D$+$"$j$^$9!#%j%b!<%H$N%j%]%8%H%j$K%"%/%;%9$9$k(B
$B>l9g!"%/%i%$%"%s%H$+$i$NMW5a$r=hM}$9$k$?$a$K!"%"%/%;%9@h$N%^%7%s$G$O(B
CVS $B%5!<%P$,<B9T$5$l$^$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

The implementation of the CVS server contains a programming error which
can lead to a block of memory being freed more than once (i.e. a
double-free bug).

CVS $B%5!<%P$N<BAu$K$O!"(B($BLuCm(B: $BF0E*$K3NJ]$5$l$?(B) $B%a%b%j%V%m%C%/$,(B
$BJ#?t2s2rJ|$5$l$F$7$^$&$h$&$J%W%m%0%i%`>e$N8m$j(B (double-free bug;
$BFs=E2rJ|%P%0(B) $B$,B8:_$7$^$9!#(B

Separately, the CVS server allows clients with write access to specify
arbitrary commands to execute as part of an update (update-prog) or
commit (checkin-prog).  This is a dangerous feature that is generally
not needed: there are other, safer methods of triggering program
execution.

$B$^$?!"$=$l$H$OJL$K!"=q$-9~$_%"%/%;%98"8B$r;}$C$?%/%i%$%"%s%H$+$i$O(B
update (update-prog) $B$b$7$/$O(B commit (checkin-prog) $B=hM}$N:]$K(B
CVS $B%5!<%P$,G$0U$N%3%^%s%I$r<B9T$9$k$h$&$K;XDj$9$k$3$H$,2DG=$G$9!#(B
$B$3$l$O4m81$J5!G=$G$"$j!"I,MW$K$J$k$3$H$O$[$H$s$I$"$j$^$;$s!#%5!<%P>e$G(B
$B%W%m%0%i%`$r<B9T$5$;$kJ}K!$O!"$h$j0BA4$J$b$N$,JL$KB8:_$9$k$+$i$G$9!#(B


III. $B1F6AHO0O(B - Impact

An attacker may exploit the double-free bug in order to bypass write
access checks.  Combined with the update-prog/checkin-prog feature,
the attacker may be able to execute arbitrary commands with the
privileges of the CVS server.  The impact is most severe when running
the CVS server in `pserver' mode to provide read-only access to the
world (anoncvs).

$B967b<T$OFs=E2rJ|%P%0(B (double-free bug) $B$r0-MQ$9$k$3$H$G!"=q$-9~$_8"8B$N(B
$B%A%'%C%/$r%P%$%Q%9$G$-$k2DG=@-$,$"$j$^$9!#$^$?!"(Bupdate-prog/checkin-prog $B5!G=$H(B
$BAH$_9g$o$;$k$3$H$G!"(BCVS $B%5!<%P$N8"8B$GG$0U$N%3%^%s%I$r<B9T$9$k$3$H$,(B
$B$G$-$k$+$bCN$l$^$;$s!#ITFCDjB??t$KFI$_$H$j@lMQ%"%/%;%9$rDs6!$9$kL\E*$G(B
CVS $B%5!<%P$r(B `pserver' $B%b!<%I$GF0$+$7$F$$$k>l9g!"$3$NLdBj$N1F6A$OHs>o$K(B
$B?<9o$J$b$N$K$J$j$^$9!#(B


IV.  $B2sHrJ}K!(B - Workaround

Do not use `pserver' mode directly.  Instead, use one of the safer
methods described in the following online resources:

`pserver' $B%b!<%I$rD>@\;H$o$J$$$h$&$K$7$^$9!#Be$o$j$K!"<!$N%*%s%i%$%s;qNA$G(B
$B>R2p$5$l$F$$$k$h$&$J!"$h$j0BA4$JJ}K!$r;H$&$h$&$K$7$F$/$@$5$$!#(B

<URL:http://openbsd.sunsite.ualberta.ca/papers/anoncvs-paper.ps>
<URL:http://www.netsys.com/library/papers/chrooted-ssh-cvs-server.txt>


V.   $B2r7h:v(B - Solution

($BLuCm(B: $B<!$N$$$:$l$+$K=>$C$F$/$@$5$$(B)

1) Upgrade your vulnerable system to 4.7-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p4), RELENG_4_6 (4.6-RELEASE-p7), or RELENG_5_0
(5.0-RELEASE-p1) security branch dated after the correction date.

1) $B<eE@$r;}$C$?(B FreeBSD $B%7%9%F%`$r:G?7$N(B 4.7-STABLE$B!"$b$7$/$O=$@5F|0J9_$N(B
   RELENG_4_7 (4.7-RELEASE-p4)$B!"(BRELENG_4_6 (4.6-RELEASE-p7)$B!"(B
   RELENG_5_0 (5.0-RELEASE-p1) $B%;%-%e%j%F%#%V%i%s%A$N$$$:$l$+$K(B
   $B%"%C%W%0%l!<%I$9$k!#(B

2) To patch your present system:
2) $B8=:_$N%7%9%F%`$K=$@5%Q%C%A$rE,MQ$9$k!#(B

The following patch has been verified to apply to FreeBSD 4.6, 4.7, and
5.0 systems.

$B0J2<$N=$@5%Q%C%A$O!"(BFreeBSD 4.6$B!"(BFreeBSD 4.7$B!"(BFreeBSD 5.0 $B$N3F%7%9%F%`$K(B
$BE,MQ2DG=$J$3$H$,3NG'$5$l$F$$$^$9!#(B

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:01/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:01/cvs.patch.asc

b) Execute the following commands as root:
b) root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

 ($BLuCm(B: /path/to/patch $B$NItJ,$O=$@5%Q%C%A$N%Q%9L>$KCV$-49$($F$/$@$5$$(B)


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B

Path                                                             Revision
$B%Q%9L>(B                                                          $B%j%S%8%g%s(B
  Branch
  $B%V%i%s%A(B
- -------------------------------------------------------------------------
src/contrib/cvs/src/server.c
  RELENG_5_0                                                     1.17.2.1
  RELENG_4_7                                                 1.13.2.2.6.1
  RELENG_4_6                                                 1.13.2.2.4.1
- -------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL:http://online.securityfocus.com/archive/1/72584>
<URL:http://security.e-matters.de/advisories/012003.html>
<URL:http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51>
<URL:http://www.kb.cert.org/vuls/id/650937>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html ($B1QJ8(B)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/03:01,v 1.3 2003/02/04 19:43:56 hrs Exp $

----Next_Part(Wed_Feb__5_04:44:00_2003_162)----
