Re: [Fwd: Help needed with bufferoverflow in cvs]

[Tollef Fog Heen]

* Martin Schulze 

| Matt Riechers wrote:
| > Martin Schulze wrote:
| > > 
| > > > | it seems that cvs (version 1.10.7 from Debians stable repos) has a
| > > > | bufferoverflow but I'm but sure if it's exploitable
| > ....
| > > klecker!joey(pts/15):~/tmp/webwml> cvs diff -C`perl -e "print 'a' x 300"` 
 Makefile || echo noe
| > ....
| > > cvs server: invalid context length argument
| > > Terminated with fatal signal 11
| > 
| > The current stable release of CVS (1.11.1p1) seems to have fixed this. It 
does
| > not segfault on this command.
| 
| Edit the local file and it will.

I can't reproduce that:

tfheen@arabella /tmp/f > cvs -d ':pserver:localhost:/var/lib/cvs' co kvakk
cvs server: Updating kvakk
U kvakk/foo
tfheen@arabella /tmp/f > cd kvakk 
tfheen@arabella /tmp/f/kvakk > ls
CVS/  foo
tfheen@arabella /tmp/f/kvakk > ls -l
totalt 1
drwxrwxr-x    2 tfheen   tfheen       1024 feb 21 02:08 CVS/
-rw-rw-r--    1 tfheen   tfheen          0 feb 21 02:05 foo
tfheen@arabella /tmp/f/kvakk > cat foo 
tfheen@arabella /tmp/f/kvakk > cvs diff -C`perl -e "print 'a' x 300"` foo 
tfheen@arabella /tmp/f/kvakk > echo a > foo 
tfheen@arabella /tmp/f/kvakk > cvs diff -C`perl -e "print 'a' x 300"` foo
Index: foo
===================================================================
RCS file: /var/lib/cvs/kvakk/foo,v
retrieving revision 1.1.1.1
diff -u 
-Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 -r1.1.1.1 foo
cvs server: invalid context length argument
tfheen@arabella /tmp/f/kvakk >

Ditto for non-pserver:

tfheen@arabella /tmp/bla > cat d
foo
tfheen@arabella /tmp/bla > ls -l
totalt 5
drwxrwxr-x    3 tfheen   tfheen       1024 feb 20 00:21 b/
drwxrwxr-x    3 tfheen   tfheen       1024 feb 20 00:21 c/
drwxrwxr-x    2 tfheen   tfheen       1024 feb 20 00:41 CVS/
-rw-rw-r--    1 tfheen   tfheen          4 feb 20 00:21 d
-rw-rw-r--    1 tfheen   tfheen          4 feb 20 00:21 e
tfheen@arabella /tmp/bla > cvs diff -C`perl -e "print 'a' x 300"` d  
tfheen@arabella /tmp/bla > echo a > d
tfheen@arabella /tmp/bla > cvs diff -C`perl -e "print 'a' x 300"` d
Index: d
===================================================================
RCS file: /home/tfheen/data/cvs/bla/d,v
retrieving revision 1.5
diff -u 
-Caaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 -r1.5 d
cvs diff: invalid context length argument
tfheen@arabella /tmp/bla > cat CVS/Root 
/home/tfheen/data/cvs
tfheen@arabella /tmp/bla > 

Can you please tell me how to reproduce?

Note that this is 

tfheen@arabella /tmp/bla > cvs --version

Concurrent Versions System (CVS) 1.11.1p1 (client/server)

ii  cvs             1.11.1p1-7      Concurrent Versions System

(which isn't released yet, but I haven't made any changes which should
affect this, and I couldn't reproduce using -3 either)

-- 
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.