Vulnerabilities > CVE-2004-0417

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
cvs
openpkg
sgi
gentoo
openbsd
nessus

Summary

Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2004_015.NASL
    descriptionThe remote host is missing the patch for the advisory SuSE-SA:2004:015 (cvs). The Concurrent Versions System (CVS) offers tools which allow developers to share and maintain large software projects. Various remotely exploitable conditions have been found during a source code review of CVS done by Stefan Esser and Sebastian Krahmer (SuSE Security-Team). These bugs allow remote attackers to execute arbitrary code as the user the CVS server runs as. Since there is no easy workaround we strongly recommend to update the cvs package. The update packages fix vulnerabilities which have been assigned the CAN numbers CVE-2004-0416, CVE-2004-0417 and CVE-2004-0418. The cvs packages shipped by SUSE (as well as our recent updates for CVS) are not vulnerable to CVE-2004-0414. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command
    last seen2020-06-01
    modified2020-06-02
    plugin id13831
    published2004-07-25
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13831
    titleSuSE-SA:2004:015: cvs
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SuSE-SA:2004:015
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(13831);
     script_version ("1.16");
     script_cve_id("CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418");
     
     name["english"] = "SuSE-SA:2004:015: cvs";
     
    
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SuSE-SA:2004:015 (cvs).
    
    
    The Concurrent Versions System (CVS) offers tools which allow developers
    to share and maintain large software projects.
    Various remotely exploitable conditions have been found during a
    source code review of CVS done by Stefan Esser and Sebastian Krahmer
    (SuSE Security-Team).
    These bugs allow remote attackers to execute arbitrary code as the user
    the CVS server runs as. Since there is no easy workaround we strongly
    recommend to update the cvs package.
    The update packages fix vulnerabilities which have been assigned the
    CAN numbers CVE-2004-0416, CVE-2004-0417 and CVE-2004-0418.
    The cvs packages shipped by SUSE (as well as our recent updates for CVS)
    are not vulnerable to CVE-2004-0414.
    
    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command 'rpm -Fhv file.rpm' to apply
    the update." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/2004_15_cvs.html" );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_cwe_id(119);
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/25");
     script_cvs_date("Date: 2019/10/25 13:36:27");
    
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the cvs package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"cvs-1.11.1p1-332", release:"SUSE8.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"cvs-1.11.1p1-332", release:"SUSE8.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"cvs-1.11.5-114", release:"SUSE8.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"cvs-1.11.6-83", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"cvs-1.11.14-24.6", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if (rpm_exists(rpm:"cvs-", release:"SUSE8.0")
     || rpm_exists(rpm:"cvs-", release:"SUSE8.1")
     || rpm_exists(rpm:"cvs-", release:"SUSE8.2")
     || rpm_exists(rpm:"cvs-", release:"SUSE9.0")
     || rpm_exists(rpm:"cvs-", release:"SUSE9.1") )
    {
     set_kb_item(name:"CVE-2004-0416", value:TRUE);
     set_kb_item(name:"CVE-2004-0417", value:TRUE);
     set_kb_item(name:"CVE-2004-0418", value:TRUE);
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2004-161-01.NASL
    descriptionNew cvs packages that have been upgraded to cvs-1.11.17 are available for Slackware 8.1, 9.0, 9.1, and -current to fix various security issues. Sites running a CVS server should upgrade to the new CVS package right away.
    last seen2020-06-01
    modified2020-06-02
    plugin id18779
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18779
    titleSlackware 8.1 / 9.0 / 9.1 / current : cvs (SSA:2004-161-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2004-161-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18779);
      script_version("1.20");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2004-0414", "CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418");
      script_xref(name:"SSA", value:"2004-161-01");
    
      script_name(english:"Slackware 8.1 / 9.0 / 9.1 / current : cvs (SSA:2004-161-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New cvs packages that have been upgraded to cvs-1.11.17 are available
    for Slackware 8.1, 9.0, 9.1, and -current to fix various security
    issues. Sites running a CVS server should upgrade to the new CVS
    package right away."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.427370
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?898d2588"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected cvs package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:cvs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i386", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i386", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i486", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"cvs", pkgver:"1.11.17", pkgarch:"i486", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idCVS_MALFORMED_ENTRY_LINES_FLAW.NASL
    descriptionThe remote CVS server, according to its version number, might allow an attacker to execute arbitrary commands on the remote system because of a flaw relating to malformed Entry lines which lead to a missing NULL terminator. Among the issues deemed likely to be exploitable were: - A double-free relating to the error_prog_name string. (CVE-2004-0416) - An argument integer overflow. (CVE-2004-0417) - Out-of-bounds writes in serv_notify. (CVE-2004-0418)
    last seen2020-06-01
    modified2020-06-02
    plugin id12265
    published2004-06-09
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12265
    titleCVS < 1.11.17 / 1.12.9 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # Ref:
    #  Date: Wed, 9 Jun 2004 15:00:04 +0200
    #  From: Stefan Esser <[email protected]>
    #  To: [email protected], [email protected],
    #        [email protected], [email protected]
    #  Subject: Advisory 09/2004: More CVS remote vulnerabilities
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(12265);
     script_version("1.28");
    
     script_cve_id("CVE-2004-0414", "CVE-2004-0416", "CVE-2004-0417", "CVE-2004-0418", "CVE-2004-1471"); 
     script_bugtraq_id(10499);
     script_xref(name:"RHSA", value:"2004:233-017");
     
     script_name(english:"CVS < 1.11.17 / 1.12.9 Multiple Vulnerabilities");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote CVS server is affected by multiple issues." );
     script_set_attribute(attribute:"description", value:
    "The remote CVS server, according to its version number, might allow an
    attacker to execute arbitrary commands on the remote system because of
    a flaw relating to malformed Entry lines which lead to a missing NULL
    terminator. 
    
    Among the issues deemed likely to be exploitable were:
    
      - A double-free relating to the error_prog_name string. 
        (CVE-2004-0416)
    
      - An argument integer overflow. (CVE-2004-0417)
    
      - Out-of-bounds writes in serv_notify. (CVE-2004-0418)" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Jun/234" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to CVS 1.12.9 or 1.11.17." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_cwe_id(119);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/06/09");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/06/09");
     script_cvs_date("Date: 2018/11/15 20:50:23");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     script_summary(english:"Logs into the remote CVS server and asks the version");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
     script_require_ports("Services/cvspserver", 2401);
     script_dependencies("find_service1.nasl", "cvs_pserver_heap_overflow.nasl");
     exit(0);
    }
    
    include('global_settings.inc');
    
    port = get_kb_item("Services/cvspserver");
    if(!port)port = 2401;
    if(!get_port_state(port))exit(0);
    version =  get_kb_item(string("cvs/", port, "/version"));
    if ( ! version ) exit(0);
    if(ereg(pattern:".* 1\.([0-9]\.|10\.|11\.([0-9][^0-9]|1[0-6])|12\.[0-8][^0-9]).*", string:version))
         	security_hole(port);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_CVS_11117.NASL
    descriptionThe following package needs to be updated: FreeBSD
    last seen2016-09-26
    modified2011-10-02
    plugin id14282
    published2004-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=14282
    titleFreeBSD : cvs -- numerous vulnerabilities (29)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_CVS_NUMEROUS_VULNS.NASL
    descriptionThe remote host is running a version of FreeBSD which contains a version of the 'cvs' utility containing several issues : - An insufficient input validation while processing 'Entry' lines - A double-free issue - An integer overflow when processing 'Max-dotdot' commands - A format string bug when processing cvs wrappers - A single-byte buffer overflow when processing configuration files - Various other integers overflows
    last seen2016-09-26
    modified2011-10-02
    plugin id14812
    published2004-09-24
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=14812
    titleFreeBSD : SA-04:14.cvs
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-169.NASL
    descriptionWhile investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed
    last seen2020-06-01
    modified2020-06-02
    plugin id13723
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13723
    titleFedora Core 1 : cvs-1.11.17-1 (2004-169)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2004-170.NASL
    descriptionWhile investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed
    last seen2020-06-01
    modified2020-06-02
    plugin id13724
    published2004-07-23
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13724
    titleFedora Core 2 : cvs-1.11.17-2 (2004-170)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-519.NASL
    descriptionSebastian Krahmer and Stefan Esser discovered several vulnerabilities in the CVS server, which serves the popular Concurrent Versions System. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-0416: double-free() in error_prog_name - CAN-2004-0417: argument integer overflow - CAN-2004-0418: out of bound writes in serve_notify()
    last seen2020-06-01
    modified2020-06-02
    plugin id15356
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15356
    titleDebian DSA-519-1 : cvs - several vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_D2102505F03D11D881B0000347A4FA7D.NASL
    descriptionA number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price. - Insufficient input validation while processing
    last seen2020-06-01
    modified2020-06-02
    plugin id37427
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37427
    titleFreeBSD : cvs -- numerous vulnerabilities (d2102505-f03d-11d8-81b0-000347a4fa7d)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200406-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200406-06 (CVS: additional DoS and arbitrary code execution vulnerabilities) A team audit of the CVS source code performed by Stefan Esser and Sebastian Krahmer resulted in the discovery of several remotely exploitable vulnerabilities including: no-null-termination of
    last seen2020-06-01
    modified2020-06-02
    plugin id14517
    published2004-08-30
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14517
    titleGLSA-200406-06 : CVS: additional DoS and arbitrary code execution vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-233.NASL
    descriptionAn updated cvs package that fixes several server vulnerabilities, which could be exploited by a malicious client, is now available. CVS is a version control system frequently used to manage source code repositories. While investigating a previously fixed vulnerability, Derek Price discovered a flaw relating to malformed
    last seen2020-06-01
    modified2020-06-02
    plugin id12500
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12500
    titleRHEL 2.1 / 3 : cvs (RHSA-2004:233)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-517.NASL
    descriptionDerek Robert Price discovered a potential buffer overflow vulnerability in the CVS server, based on a malformed Entry, which serves the popular Concurrent Versions System.
    last seen2020-06-01
    modified2020-06-02
    plugin id15354
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15354
    titleDebian DSA-517-1 : cvs - buffer overflow
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-058.NASL
    descriptionAnother vulnerability was discovered related to
    last seen2020-06-01
    modified2020-06-02
    plugin id14157
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14157
    titleMandrake Linux Security Advisory : cvs (MDKSA-2004:058)

Oval

  • accepted2004-08-04T12:00:00.000-04:00
    classvulnerability
    contributors
    nameJay Beale
    organizationBastille Linux
    descriptionInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.
    familyunix
    idoval:org.mitre.oval:def:1001
    statusaccepted
    submitted2004-06-29T12:00:00.000-04:00
    titleInteger overflow in the "Max-dotdot" CVS protocol command
    version4
  • accepted2013-04-29T04:11:50.001-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    descriptionInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.
    familyunix
    idoval:org.mitre.oval:def:11145
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleInteger overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.
    version26

Redhat

advisories
rhsa
idRHSA-2004:233
rpms
  • cvs-0:1.11.2-24
  • cvs-debuginfo-0:1.11.2-24