Vigil@nce - CVS: buffer overflow via proxy_connect
February 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the CVS client connects through a malicious HTTP proxy, the proxy
can trigger a buffer overflow in the client, in order to crash it or to
execute code.
Severity: 2/4
Creation date: 09/02/2012
IMPACTED PRODUCTS
– CVS
– Debian Linux
– Fedora
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The CVS client can be configured to use an HTTP proxy, in order to
connect to a remote CVS server.
The proxy_connect() function in the src/client.c file parses the HTTP
reply returned by the proxy, which looks for example like:
HTTP/1.0 200 OK
[...]
To do so, it calls the sscanf() function to split the reply into the
"HTTP/1.0" string followed by the error code (200 in the example).
However, if the string preceding the error code is longer than the
buffer that receives it, a buffer overflow occurs.
When the CVS client connects through a malicious HTTP proxy, the proxy
can therefore trigger an overflow in the client, in order to crash it
or to execute code.
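The following C example is added here to illustrate the defect class the bulletin describes; it is not code from CVS or from Vigil@nce. It shows, in a comment, the unsafe pattern of an unbounded "%s" conversion copying the proxy's version token into a fixed-size buffer, and beside it a bounded parser that rejects over-long or malformed status lines instead of overrunning the buffer. The buffer size VERSION_MAX, the function names and the sample replies are assumptions made for this example and do not reproduce the actual variables of src/client.c.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CVS project code.
 *
 * Unsafe pattern (for reference only, never called here; the real buffer
 * size and variable names in src/client.c are not reproduced):
 *
 *     char version[16];
 *     int  code;
 *     sscanf(reply, "%s %d", version, &code);   // "%s" has no width limit:
 *                                               // a long token overruns version[]
 */

#define VERSION_MAX 15   /* longest accepted version token; assumption for this example */

/* Parse the first line of a proxy reply such as "HTTP/1.0 200 OK".
 * Returns the 3-digit status code, or -1 if the line is malformed.
 * The "%15s" width keeps the copy inside version[]; an over-long token is
 * truncated, the following "%d" then fails to match the leftover characters,
 * and the line is rejected rather than written past the buffer. */
int proxy_status_code(const char *reply)
{
    char version[VERSION_MAX + 1];   /* +1 for the terminating NUL */
    int code = 0;

    if (reply == NULL)
        return -1;

    /* Both conversions (version token and numeric code) must succeed. */
    if (sscanf(reply, "%15s %d", version, &code) != 2)
        return -1;

    /* Accept only an HTTP status line with a plausible 3-digit code. */
    if (strncmp(version, "HTTP/", 5) != 0)
        return -1;
    if (code < 100 || code > 599)
        return -1;

    return code;
}

/* Returns 1 when the proxy reported success (2xx), 0 otherwise. */
int proxy_connect_succeeded(const char *reply)
{
    int code = proxy_status_code(reply);
    return code >= 200 && code <= 299;
}

int main(void)
{
    /* Constructed sample replies; the last one mimics an over-long token
     * sent by a hostile proxy and must simply be rejected. */
    const char *ok = "HTTP/1.0 200 Connection established\r\n";
    const char *denied = "HTTP/1.1 407 Proxy Authentication Required\r\n";
    char overlong[128];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("ok      -> %d\n", proxy_status_code(ok));
    printf("denied  -> %d\n", proxy_status_code(denied));
    printf("overlong -> %d\n", proxy_status_code(overlong));
    return 0;
}
```

The width specifier is the minimal fix: sscanf() never writes more than VERSION_MAX characters plus the NUL into version[], whatever the proxy sends. Checking the return value of sscanf() and validating the token and code range then turns any truncated or malformed reply into a clean connection failure, which is the behaviour a client should have when the proxy it talks to cannot be trusted.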
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/CVS-buffer-overflow-via-proxy-connect-11349