From owner-doc-jp-work@jp.FreeBSD.org Mon Sep 27 04:14:06 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id i8QJE6759997;
	Mon, 27 Sep 2004 04:14:06 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from smtp.eos.ocn.ne.jp (eos.ocn.ne.jp [222.146.51.150])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id i8QJE6859991
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 27 Sep 2004 04:14:06 +0900 (JST)
	(envelope-from hrs@FreeBSD.org)
Received: from delta.allbsd.org (p8036-adsau12honb4-acca.tokyo.ocn.ne.jp [220.97.145.36])
	by smtp.eos.ocn.ne.jp (Postfix) with ESMTP id 227BE35DE
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 27 Sep 2004 04:14:05 +0900 (JST)
Received: from localhost (alph.allbsd.org [192.168.0.10])
	by delta.allbsd.org (8.12.9p2/8.12.9) with ESMTP id i8QJDlbT049161
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 27 Sep 2004 04:13:47 +0900 (JST)
	(envelope-from hrs@FreeBSD.org)
Message-Id: <20040927.041303.98882889.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@FreeBSD.org>
In-Reply-To: <200409201350.i8KDoXvk029514@freefall.freebsd.org>
References: <200409201350.i8KDoXvk029514@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 4.0.68 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Multipart/Signed; protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary="--Security_Multipart0(Mon_Sep_27_04_13_03_2004_929)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Mon, 27 Sep 2004 04:13:03 +0900
X-Sequence: doc-jp-work 929
Subject: [doc-jp-work 929] Re: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory
 FreeBSD-SA-04:14.cvs
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@FreeBSD.org
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+040925

----Security_Multipart0(Mon_Sep_27_04_13_03_2004_929)--
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Mon_Sep_27_04_13_03_2004_268)--"
Content-Transfer-Encoding: 7bit

----Next_Part(Mon_Sep_27_04_13_03_2004_268)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

This is Sato at Tokyo University of Science.

 Sorry for the delay.  Here is 04:14.

--
| Hiroki Sato @ Tokyo University of Science

----Next_Part(Mon_Sep_27_04_13_03_2004_268)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="04:14"


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-04:14.cvs (2004-09-19)
 * CVS
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:14.cvs
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 20 Sep 2004 13:50:33 GMT
  Message-Id: <200409201350.i8KDoXvk029514@freefall.freebsd.org>
  X-Sequence: announce-jp 1246

 The original text is PGP-signed, but this Japanese translation is not.
 To check the PGP signature in order to confirm that the contents, such as
 the patches, have not been tampered with, refer to the original text.

 For details on the Japanese translation and on the use of mirror sites, see
 "A. About the Japanese edition of FreeBSD Security Advisories" at the end
 of this message.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)
=============================================================================
FreeBSD-SA-04:14.cvs.asc                                  Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:       CVS

$BJ,N`(B:           contrib
$B%b%8%e!<%k(B:     cvs
$B9pCNF|(B:         2004-09-19
$B%/%l%8%C%H(B:     Stefan Esser, Sebastian Krahmer, Derek Price,
                iDEFENSE
$B1F6AHO0O(B:       $B$9$Y$F$N%P!<%8%g%s$N(B FreeBSD
$B=$@5F|(B:         2004-06-29 16:10:50 UTC (RELENG_4)
                2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418,
                CAN-2004-0778
FreeBSD $B$K8GM-$+(B:       NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.


I.   $BGX7J(B - Background

The Concurrent Versions System (CVS) is a version control system.  It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods.  When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

Concurrent Versions System (CVS) $B$O!"%P!<%8%g%s4IM}%7%9%F%`$N0l$D$G$9!#(B
CVS $B$r;H$&$H!"%j%]%8%H%j(B ($BLuCm(B: CVS $B$G4IM}$5$l$k%G!<%?$NJ]4I>l=j$N(B
$B$3$H(B) $B$K%m!<%+%k$+$i%"%/%;%9$7$?$j!"$5$^$6$^$JJ}K!$r;H$C$F%j%b!<%H$+$i(B
$B%"%/%;%9$9$k$3$H$,$G$-$^$9!#%j%b!<%H$N%j%]%8%H%j$K%"%/%;%9$9$k>l9g!"(B
$B%/%i%$%"%s%H$+$i$NMW5a$r=hM}$9$k$?$a$K!"%"%/%;%9@h$N%^%7%s$G$O(B
CVS $B%5!<%P$,<B9T$5$l$^$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

A number of vulnerabilities were discovered in CVS by Stefan Esser,
Sebastian Krahmer, and Derek Price.

Stefan Esser $B;a!"(BSebastian Krahmer $B;a!"(BDerek Price $B;a$K$h$j!"(B
CVS $B$K$*$$$F?tB?$/$N%;%-%e%j%F%#>e$N<eE@$,H/8+$5$l$^$7$?!#(B

 . Insufficient input validation while processing "Entry" lines.
   (CAN-2004-0414)

 . $B!V(BEntry$B!W9T$N=hM}$K$*$1$k!"IT==J,$JF~NOCM8!::(B (CAN-2004-0414)

 . A double-free resulting from erroneous state handling while
   processing "Argumentx" commands. (CAN-2004-0416)

 . $B!V(BArgumentx$B!W%3%^%s%I$K$*$1$k!">uBV4IM}$N8m$j$K5/0x$9$k(B
   $B%a%b%j$NFs=E2rJ|(B (double-free) (CAN-2004-0416)$B!#(B

 . Integer overflow while processing "Max-dotdot" commands.
   (CAN-2004-0417)

 . $B!V(BMax-dotdot$B!W%3%^%s%I$K$*$1$k!"@0?t1i;;$N%*!<%P%U%m!<(B
   (CAN-2004-0417)

 . Erroneous handling of empty entries while processing
   "Notify" commands. (CAN-2004-0418)

 . $B!V(BNotify$B!W%3%^%s%I$K$*$1$k!"6u%(%s%H%j=hM}$N%(%i!<(B (CAN-2004-0418)

 . A format string bug while processing CVS wrappers.

 . CVS wrappers $B$N=hM}$K$*$1$k!"=q<0;XDjJ8;zNs$N%P%0(B

 . Single-byte buffer underflows while processing configuration files
   from CVSROOT.

 . CVSROOT $B$KCV$+$l$?@_Dj%U%!%$%k$N=hM}$K$*$1$k!"(B1 $B%P%$%HJ,$N(B
   $B%P%C%U%!%"%s%@%U%m!<(B

 . Various other integer overflows.

Additionally, iDEFENSE reports that an undocumented command-line flag
used in debugging does not perform input validation on the given path
names.

$B$^$?(B iDEFENSE $B$O!"%G%P%C%0MQ$K;H$o$l$kJ8=q2=$5$l$F$$$J$$(B
$B%3%^%s%I%i%$%s%U%i%0$G$O!"F~NO%G!<%?$H$7$FM?$($i$l$k%Q%9L>$KBP$9$k(B
$B8!::$,$*$3$o$l$F$$$J$$$HJs9p$7$F$$$^$9!#(B


III. $B1F6AHO0O(B - Impact

CVS servers ("cvs server" or :pserver: modes) are affected by these
vulnerabilities.  They vary in impact but include information disclosure
(the iDEFENSE-reported bug), denial-of-service (CAN-2004-0414,
CAN-2004-0416, CAN-2004-0417 and other bugs), or possibly arbitrary code
execution (CAN-2004-0418).  In very special situations where the
attacker may somehow influence the contents of CVS configuration files
in CVSROOT, additional attacks may be possible.


IV.  $B2sHrJ}K!(B - Workaround

Disable the use of remote CVS repositories.


V.   $B2r7h:v(B - Solution

Do one of the following:

1) Upgrade your vulnerable system to the RELENG_4 stable branch, or to
the RELENG_5_2, RELENG_4_10, RELENG_4_9, or RELENG_4_8 security branch
dated after the correction date.

OR
$B$b$7$/$O(B

2) Patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.9,
4.10 and 5.2.1 systems.  Note that one *must* have previously applied
the patches pertaining to FreeBSD-SA-04:10.cvs in order to use these
patches.

Note that FreeBSD 4.10-STABLE systems built from sources dated
2004-06-29 16:20:00 UTC or later include cvs 1.11.17, which has all
of these issues fixed.  These patches should not be applied to those
systems.

a) Download the relevant patches from the location below, and verify the
detached PGP signature using your PGP utility.
a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:14/cvs.patch.asc

b) Execute the following commands as root:
b) root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

($BLuCm(B: /path/to/patch $B$NItJ,$O=$@5%Q%C%A$N%Q%9L>$KCV$-49$($F$/$@$5$$(B)

VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_4_10
  src/UPDATING                                              1.73.2.90.2.4
  src/sys/conf/newvers.sh                                   1.44.2.34.2.5
  src/contrib/cvs/lib/xsize.h                                 1.1.1.1.6.1
  src/contrib/cvs/src/commit.c                                1.8.2.5.6.1
  src/contrib/cvs/src/cvs.h                                  1.11.2.6.6.1
  src/contrib/cvs/src/filesubr.c                              1.6.2.4.6.1
  src/contrib/cvs/src/history.c                           1.1.1.6.2.4.6.1
  src/contrib/cvs/src/modules.c                           1.1.1.5.2.4.2.1
  src/contrib/cvs/src/server.c                               1.13.2.5.6.3
  src/contrib/cvs/src/wrapper.c                           1.1.1.7.2.3.6.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                     1.16.2.1.6.1
RELENG_4_9
  src/UPDATING                                             1.73.2.89.2.13
  src/sys/conf/newvers.sh                                  1.44.2.32.2.13
  src/contrib/cvs/lib/xsize.h                                 1.1.1.1.8.1
  src/contrib/cvs/src/commit.c                                1.8.2.5.4.1
  src/contrib/cvs/src/cvs.h                                  1.11.2.6.4.1
  src/contrib/cvs/src/filesubr.c                              1.6.2.4.4.1
  src/contrib/cvs/src/history.c                           1.1.1.6.2.4.4.1
  src/contrib/cvs/src/modules.c                           1.1.1.5.2.3.4.2
  src/contrib/cvs/src/server.c                               1.13.2.5.4.3
  src/contrib/cvs/src/wrapper.c                           1.1.1.7.2.3.4.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                     1.16.2.1.4.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.28
  src/sys/conf/newvers.sh                                  1.44.2.29.2.26
  src/contrib/cvs/lib/xsize.h                                1.1.1.1.10.1
  src/contrib/cvs/src/commit.c                                1.8.2.5.2.1
  src/contrib/cvs/src/cvs.h                                  1.11.2.6.2.1
  src/contrib/cvs/src/filesubr.c                              1.6.2.4.2.1
  src/contrib/cvs/src/history.c                           1.1.1.6.2.4.2.1
  src/contrib/cvs/src/modules.c                           1.1.1.5.2.3.2.2
  src/contrib/cvs/src/server.c                               1.13.2.5.2.3
  src/contrib/cvs/src/wrapper.c                           1.1.1.7.2.3.2.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                     1.16.2.1.2.1
RELENG_5_2
  src/UPDATING                                                 1.282.2.18
  src/sys/conf/newvers.sh                                       1.56.2.17
  src/contrib/cvs/lib/xsize.h                                1.1.1.1.12.1
  src/contrib/cvs/src/commit.c                                   1.13.4.1
  src/contrib/cvs/src/cvs.h                                      1.17.4.1
  src/contrib/cvs/src/filesubr.c                                 1.10.6.1
  src/contrib/cvs/src/history.c                              1.1.1.10.6.1
  src/contrib/cvs/src/modules.c                               1.1.1.8.6.3
  src/contrib/cvs/src/server.c                                   1.19.4.4
  src/contrib/cvs/src/wrapper.c                              1.1.1.10.6.1
  src/gnu/usr.bin/cvs/lib/config.h.proto                         1.17.2.1
-------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL: http://security.e-matters.de/advisories/092004.html >


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html ($B1QJ8(B)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/04:14,v 1.3 2004/09/26 19:13:00 hrs Exp $

----Next_Part(Mon_Sep_27_04_13_03_2004_268)----

----Security_Multipart0(Mon_Sep_27_04_13_03_2004_929)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBBVxS/TyzT2CeTzy0RAo76AJ9JnyMg0fqQTcyO0HshmQ6b6obm1wCgsslk
zWYCChr7CC+bOv2CKRUFZhY=
=FiD7
-----END PGP SIGNATURE-----

----Security_Multipart0(Mon_Sep_27_04_13_03_2004_929)----
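
The revision table under "VI. Correction details" can be checked against a source tree mechanically. The following is an added example, not part of the advisory or of FreeBSD's own tooling: POSIX sh that compares $FreeBSD$ ident revisions with three of the rows listed for RELENG_4_10. The function names are hypothetical and the ident lines are constructed sample input.

```sh
#!/bin/sh
# Added example: compare $FreeBSD$ ident revisions with the corrected
# revisions the advisory lists for one security branch (RELENG_4_10).

# Three rows copied from the advisory's RELENG_4_10 table.
fixed_revs() {
cat <<'EOF'
src/contrib/cvs/src/commit.c 1.8.2.5.6.1
src/contrib/cvs/src/server.c 1.13.2.5.6.3
src/contrib/cvs/src/wrapper.c 1.1.1.7.2.3.6.1
EOF
}

# rev_status HAVE WANT -> prints fixed | unfixed | other-branch
# On a CVS branch only the last number grows, so two revisions compare
# only when everything before the last dot is identical.
rev_status() {
    have=$1; want=$2; want_branch=${want%.*}
    if [ "${have%.*}" = "$want_branch" ]; then
        if [ "${have##*.}" -ge "${want##*.}" ]; then echo fixed
        else echo unfixed; fi
    elif [ "$have" = "${want_branch%.*}" ]; then
        echo unfixed        # branch point: nothing committed on the branch yet
    else
        echo other-branch   # e.g. a tree tracking a different branch
    fi
}

# check_idents: read "$FreeBSD: PATH,v REV ..." lines on stdin and print
# "PATH REV STATUS" for every file that has a row in fixed_revs.
check_idents() {
    sed -n 's/.*\$FreeBSD: \([^,]*\),v \([0-9.]*\) .*/\1 \2/p' |
    while read -r path have; do
        want=$(fixed_revs | awk -v p="$path" '$1 == p { print $2 }')
        [ -n "$want" ] || continue
        echo "$path $have $(rev_status "$have" "$want")"
    done
}

# Constructed sample input: ident-style lines (dates and author made up).
sample_idents() {
cat <<'EOF'
$FreeBSD: src/contrib/cvs/src/server.c,v 1.13.2.5.6.2 2004/01/01 00:00:00 nobody Exp $
$FreeBSD: src/contrib/cvs/src/commit.c,v 1.8.2.5.6.1 2004/01/01 00:00:00 nobody Exp $
$FreeBSD: src/contrib/cvs/src/wrapper.c,v 1.1.1.7.2.3 2004/01/01 00:00:00 nobody Exp $
EOF
}

sample_idents | check_idents
```

A status of other-branch means the file tracks a branch whose row is not in fixed_revs, so it has to be compared against that branch's own rows in the table.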
