Vulnerabilities > CVE-2003-0977

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cvs
slackware
nessus

Summary

CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-112.NASL
    descriptionA vulnerability was discovered in the CVS server < 1.11.10 where a malformed module request could cause the CVS server to attempt to create directories and possibly files at the root of the filesystem holding the CVS repository. Updated packages are available that fix the vulnerability by providing CVS 1.11.10 on all supported distributions. Update : The previous updates had an incorrect temporary directory hard-coded in the cvs binary for 9.1 and 9.2. This update corrects the problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id14094
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14094
    titleMandrake Linux Security Advisory : cvs (MDKSA-2003:112-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:112. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the script only declares the
    # metadata below and leaves through the exit(0) that closes this block.
    # The package comparison itself is the code that follows the block.
    if (description)
    {
      script_id(14094);
      script_version ("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      # Cross-references a finding is indexed under: the CVE and the vendor advisory.
      script_cve_id("CVE-2003-0977");
      script_xref(name:"MDKSA", value:"2003:112-1");
    
      script_name(english:"Mandrake Linux Security Advisory : cvs (MDKSA-2003:112-1)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      # Advisory text, reproduced from MDKSA-2003:112 per the file header.
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in the CVS server < 1.11.10 where a
    malformed module request could cause the CVS server to attempt to
    create directories and possibly files at the root of the filesystem
    holding the CVS repository.
    
    Updated packages are available that fix the vulnerability by providing
    CVS 1.11.10 on all supported distributions.
    
    Update :
    
    The previous updates had an incorrect temporary directory hard-coded
    in the cvs binary for 9.1 and 9.2. This update corrects the problem."
      );
      # http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?534d3f6a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cvs package.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact. It rates the CVS
      # server flaw; it says nothing about how this plugin detects it.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local" plugin type: the result comes from the host's RPM list (see the
      # required KB keys below), so a finding means "fixed package not installed",
      # not "CVS service confirmed reachable".
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Only Mandrake Linux 9.1 and 9.2 are declared as platforms for this check.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cvs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      # ACT_GATHER_INFO: the plugin is registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Scheduling constraints: ssh_get_info.nasl is declared as a dependency and
      # the four KB keys must exist (presumably that dependency fills them in from
      # an authenticated session; confirm against ssh_get_info.nasl).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
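    # Package check for MDKSA-2003:112-1.
    #
    # Applicability guards come first. audit() (audit.inc, not shown here) is
    # expected to end the run with the given reason, so the first failing guard
    # decides what the scan reports.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # The OS name in this message was misspelled ("Mandake"); it now matches the
    # spelling used by the architecture guard below, so audit trails can be
    # searched with a single string.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 and x86-64 hosts are handled; any other architecture is reported
    # as "local checks not implemented" rather than as not vulnerable.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # Compare the installed cvs package with the fixed builds from the advisory.
    # rpm_check() comes from rpm.inc (not shown); presumably it returns true when
    # the installed package is older than `reference`. The 9.1 test is limited to
    # i386, the 9.2 test carries no cpu restriction.
    flag = 0;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"cvs-1.11.10-0.2.91mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", reference:"cvs-1.11.10-0.2.92mdk", yank:"mdk")) flag++;
    
    
    # At least one outdated package: raise the finding on port 0, attaching the
    # package comparison details when report verbosity is above zero.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    # Nothing outdated was found: record the host as not affected.
    else audit(AUDIT_HOST_NOT, "affected");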
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-004.NASL
    descriptionUpdated cvs packages closing a vulnerability that could allow cvs to attempt to create files and directories in the root file system are now available. CVS is a version control system frequently used to manage source code repositories. A flaw was found in versions of CVS prior to 1.11.10 where a malformed module request could cause the CVS server to attempt to create files or directories at the root level of the file system. However, normal file system permissions would prevent the creation of these misplaced directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0977 to this issue. Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue. For Red Hat Enterprise Linux 2.1, these updates also fix an off-by-one overflow in the CVS PreservePermissions code. The PreservePermissions feature is not used by default (and can only be used for local CVS). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-0844 to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id12446
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12446
    titleRHEL 2.1 / 3 : cvs (RHSA-2004:004)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:004. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the script only declares the
    # metadata below and leaves through the exit(0) that closes this block.
    # The package comparison itself is the code that follows the block.
    if (description)
    {
      script_id(12446);
      script_version ("1.27");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      # One advisory, two CVEs: a finding from this plugin does not tell which of
      # the two issues applies. Per the description text below, CVE-2002-0844 is
      # fixed by these packages only on Red Hat Enterprise Linux 2.1.
      script_cve_id("CVE-2002-0844", "CVE-2003-0977");
      script_xref(name:"RHSA", value:"2004:004");
    
      script_name(english:"RHEL 2.1 / 3 : cvs (RHSA-2004:004)");
      script_summary(english:"Checks the rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing a security update."
      );
      # Advisory text, reproduced from RHSA-2004:004 per the file header. It carries
      # the vendor's own mitigating note: normal file system permissions would
      # prevent the misplaced directories from being created.
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated cvs packages closing a vulnerability that could allow cvs to
    attempt to create files and directories in the root file system are
    now available.
    
    CVS is a version control system frequently used to manage source code
    repositories.
    
    A flaw was found in versions of CVS prior to 1.11.10 where a malformed
    module request could cause the CVS server to attempt to create files
    or directories at the root level of the file system. However, normal
    file system permissions would prevent the creation of these misplaced
    directories. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2003-0977 to this issue.
    
    Users of CVS are advised to upgrade to these erratum packages, which
    contain a patch correcting this issue.
    
    For Red Hat Enterprise Linux 2.1, these updates also fix an off-by-one
    overflow in the CVS PreservePermissions code. The PreservePermissions
    feature is not used by default (and can only be used for local CVS).
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2002-0844 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0844"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0977"
      );
      # http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?15fcc3b2"
      );
      # http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0081.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3767cc0a"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:004"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cvs package.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact. A single vector
      # is recorded for the plugin although it references two CVEs.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local" plugin type: the result comes from the host's package data (see the
      # required KB keys below), so a finding means "erratum not installed", not
      # "CVS service confirmed reachable".
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cvs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      # NOTE(review): the 2002 vulnerability date presumably belongs to the older
      # CVE-2002-0844 rather than to CVE-2003-0977; confirm before using it to age
      # a CVE-2003-0977 finding.
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      # ACT_GATHER_INFO: the plugin is registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # Scheduling constraints: ssh_get_info.nasl is declared as a dependency and
      # the four KB keys must exist (presumably that dependency fills them in from
      # an authenticated session; confirm against ssh_get_info.nasl).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Package check for RHSA-2004:004.
    #
    # Applicability guards come first. audit() (audit.inc, not shown here) is
    # expected to end the run with the given reason, so the first failing guard
    # decides what the scan reports.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` is NASL's "substring not present" test: stop unless the release
    # string mentions Red Hat.
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    # Extract the numeric release (capture group 1) from the release string.
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    # Only 2.1 and 3.x are in scope; the ([^0-9]|$) tail stops a longer number
    # such as 30 from being accepted as release 3.
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Supported architectures: x86_64, i386-i686 and s390 variants. Anything else
    # is reported as "local checks not implemented" rather than as not vulnerable.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    # Path 1: yum updateinfo data was collected from the host. The decision is
    # then taken from that data alone and the RPM comparison below is skipped.
    # redhat_generate_yum_updateinfo_report() is defined outside this listing;
    # presumably it returns report text only when the advisory is outstanding.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:004";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        # No report text for this advisory: audit out as not affected by it.
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      # Path 2: compare the installed cvs package with the vendor's fixed builds.
      # The reference versions (1.11.1p1-9, 1.11.2-14) are lower than upstream
      # 1.11.10, i.e. the fix is a backported patch; a comparison against the
      # upstream version number alone would still rate a patched host as old.
      # rpm_check() comes from rpm.inc (not shown); presumably it returns true
      # when the installed package is older than `reference`. The RHEL 2.1 test
      # is limited to i386.
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"cvs-1.11.1p1-9")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"cvs-1.11.2-14")) flag++;
    
      if (flag)
      {
        # Outdated package found: report on port 0 with the comparison details
        # plus the text returned by redhat_report_package_caveat().
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Distinguish "cvs was compared and is current" from "cvs is not
        # installed", so the audit trail shows why nothing was reported.
        # pkg_tests_get() is defined elsewhere; presumably it lists the packages
        # that were actually compared.
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cvs");
      }
    }
    
  • NASL familyMisc.
    NASL idCVS_DIR_CREATE.NASL
    descriptionAccording to its version number, the CVS server running on the remote host may allow an attacker to create directories (and possibly files) at the root of the filesystem where the CVS repository is located.
    last seen2020-06-01
    modified2020-06-02
    plugin id11947
    published2003-12-11
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11947
    titleCVS pserver Crafted Module Request Arbitrary File / Directory Creation

Oval

  • accepted2013-04-29T04:14:35.172-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    descriptionCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    familyunix
    idoval:org.mitre.oval:def:11528
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    version27
  • accepted2007-04-25T19:53:01.591-04:00
    classvulnerability
    contributors
    • nameJay Beale
      organizationBastille Linux
    • nameMatt Busby
      organizationThe MITRE Corporation
    • nameThomas R. Jones
      organizationMaitreya Security
    descriptionCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    familyunix
    idoval:org.mitre.oval:def:855
    statusaccepted
    submitted2004-03-20T12:00:00.000-04:00
    titleRed Hat CVS Server root Directory Access Vulnerability
    version37
  • accepted2007-04-25T19:53:04.168-04:00
    classvulnerability
    contributors
    • nameJay Beale
      organizationBastille Linux
    • nameMatt Busby
      organizationThe MITRE Corporation
    • nameThomas R. Jones
      organizationMaitreya Security
    descriptionCVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests.
    familyunix
    idoval:org.mitre.oval:def:866
    statusaccepted
    submitted2004-03-20T12:00:00.000-04:00
    titleRed Hat Enterprise 3 CVS Server root Directory Access Vulnerability
    version38

Redhat

advisories
  • rhsa
    idRHSA-2004:003
  • rhsa
    idRHSA-2004:004
rpmscvs-0:1.11.2-14