Slashdot Mirror


Remote Root Exploit in CVS

RenHoek writes "Security expert Stefan Esser from E-matters discovered a bug in CVS version 1.11.4 and lower, that can give malignant users remote root access. The exploit was confirmed on BSD, but other OS's like Linux, Solaris and Windows are vulnerable too. A security advisory can be found here and there is also a patch available. CVS version 1.11.5 which is fixed can be downloaded as well."

5 of 209 comments

  1. cvs as root? by molo · Score: 4, Interesting

    What fool runs their cvs pserver as root? Every installation I've ever seen has it running as a non-privileged user. While of course any remote compromise is not good, let's not exaggerate the severity of this problem.

    --
    Using your sig line to advertise for friends is lame.
    1. Re:cvs as root? by mustangdavis · Score: 5, Interesting

      If I can get onto a Linux or BSD box as ANY USER, I can get root (well, 90% of the time, I can).

      Remember, many sys admins don't patch local software packages that have buffer overflows or other wonder exploits that can get you root, so just about ANY remote exploit that you can get shell access with can be viewed as a root exploit. This is especially true with University servers and other places that install all software packages that come with their Linux distribution in the name of "research" or "education".

      Just my $0.02 cents ...


  2. Re:Malignant? by jasonditz · Score: 3, Interesting

    This is why I only offer access to benign users.

  3. Re:That's silly by The Bungi · Score: 2, Interesting
    Actually, it's like saying automobiles and airliners cause far too many deaths, so let's stop using them and just walk.

    Dropping C because it's susceptible to exploits is dumb, as is replacing it with some other technology that will eventually be hacked anyway.

  4. /POSSIBLE/? Jeez... by devphil · Score: 4, Interesting
    Is it possible to build gcc with another compiler?

    Holy screaming fuckmonkeys, Batman. You have no idea how much work we/they go through to ensure that GCC is buildable by anything even resembling a C compiler. (I say "we/they" because I generally don't have to worry about it in my little corner of the world.)

    GCC was intended from its earliest days to replace whatever native (proprietary) compiler came with or was sold for your native (proprietary, evil, etc) Unix platform. When you build GCC, it actually is built three times:

    1. Your Proprietary Evil Compiler[tm] builds Copy #1 of gcc. However, YPEC could have bugs, which would make gcc#1 buggy. So...
    2. gcc#1 builds itself from scratch. Call this one gcc#2. In theory, gcc#2 can now be used. But just to be certain...
    3. gcc#2 builds itself from scratch. This is gcc#3. And if all is well, gcc#2 == gcc#3. So at the end, all of the various .o files from #2 and #3 are compared, and if there's a mismatch, the build aborts.

    Copy #3 is then used to build the rest of the compiler (other languages) and the runtime libraries. Copy #3 is what gets installed on your system.

    Huge chunks of the GCC source are still maintained in K&R C for those platforms which don't have an ISO (ANSI) C compiler. Chunks of the standard C library have homegrown replacements inside GCC, for those platforms which aren't ANSI/POSIX.

    Fortunately, the number of those systems has dwindled, but at one time they were the majority.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
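
The stage #2 versus stage #3 object-file comparison described in the comment above can be sketched as follows. This is an added example, not GCC's own Makefile logic and not code from the commenter; the `stage2/` and `stage3/` directory names and the strict byte-for-byte `cmp` are assumptions.

```shell
#!/bin/sh
# Added illustration: compare the .o files of two bootstrap stages.
# Assumed layout: each stage directory holds that stage's object files.

# compare_stages DIR_A DIR_B
# Returns 0 only if both trees contain the same set of .o files with
# identical bytes; reports each mismatch on stderr and returns 1 otherwise.
compare_stages() {
    a=$1; b=$2; status=0
    list_a=$(cd "$a" && find . -type f -name '*.o' | sort)
    list_b=$(cd "$b" && find . -type f -name '*.o' | sort)
    # Every object in A must exist in B and match byte for byte.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$b/$f" ]; then
            echo "only in $a: $f" >&2; status=1
        elif ! cmp -s "$a/$f" "$b/$f"; then
            echo "differs: $f" >&2; status=1
        fi
    done <<EOF
$list_a
EOF
    # An object that exists only in B is also a failure.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        [ -f "$a/$f" ] || { echo "only in $b: $f" >&2; status=1; }
    done <<EOF
$list_b
EOF
    return $status
}

# Constructed sample: one stage3 object differs from its stage2 twin.
demo=$(mktemp -d)
mkdir -p "$demo/stage2/cp" "$demo/stage3/cp"
printf 'AAAA' > "$demo/stage2/toplev.o"; printf 'AAAA' > "$demo/stage3/toplev.o"
printf 'BBBB' > "$demo/stage2/cp/parse.o"; printf 'BBBX' > "$demo/stage3/cp/parse.o"
if compare_stages "$demo/stage2" "$demo/stage3"; then
    echo "stages match"
else
    echo "bootstrap comparison failed, aborting build"
fi
rm -rf "$demo"
```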