Tollef Fog Heen wrote:
> | it seems that cvs (version 1.10.7 from Debian's stable repos) has a
> | buffer overflow but I'm not sure if it's exploitable
> |
> | ls -la /usr/bin/cvs
> | -rwxr-xr-x 1 root root 490160 Mar 22 2000 /usr/bin/cvs
> |
> | no suid bit but it's owned by root
>
> That it's owned by root shouldn't matter. The issue might be whether
> it's possible to exploit this through pserver. I just got this
> message and haven't had the time to look at it yet.
Unfortunately, it is.

klecker!joey(pts/15):~/tmp/webwml> cvs diff -C`perl -e "print 'a' x 300"` Makefile || echo noe
Index: Makefile
===================================================================
RCS file: /cvs/webwml/webwml/Makefile,v
retrieving revision 1.29
diff -u
-Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-r1.29 Makefile
cvs server: invalid context length argument
Terminated with fatal signal 11
noe
klecker!joey(pts/15):~/tmp/webwml> cat CVS/Root
:pserver:[EMAIL PROTECTED]:/cvs/webwml
I guess you can exploit the remote server's uid. Not promising.

Good to know that we've got a new CVS maintainer who will fix the
problem for us, will make my evening a little bit saner. :)

Regards,

Joey
--
No question is too silly to ask, but, of course, some are too silly
to answer. -- Perl book
_______________________________________________
Bug-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-cvs