	CVS Version Control \| Other Software \| All Downloads \| Buy Online \| Get Support Now \| Documentation Library

Last Modified: Monday, April 15, 2010

Home > CVS > Security > Note 5871

What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

What is a "vulnerability"?

An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.

Vulnerability or Exposure Note 5871 (CVE-2010-1326)

March Hare Software CVSNT branch name ACL

Overview

March Hare Software CVSNT contains a branch name ACL vulnerability or exposure in the cvs.exe, cvsnt.exe or /usr/bin/cvs file, which may allow a remote, unauthorised attacker to execute arbitrary code on any installed operating system.

I. Description

March Hare Software CVSNT provides support for Access Control Lists and Branches through the use of the cvs.exe, cvsnt.exe or /usr/bin/cvs component. The cvs.exe, cvsnt.exe or /usr/bin/cvs contains a vulnerability or exposure in the use of a branch name to authenticate an access control list, which affects CVSNT on all operating systems: CVSNT 2.0.58 and later (including all builds of 2.5.01, 2.5.02, 2.5.03 before build 3736 and 2.5.04 releases before build 2862; CVS Suite 2.5.03, CVS Suite 2008 before build 3736 and CVS Suite 2009 pre-releases before 3729.

Exploit code for this vulnerability or exposure has been tested by March Hare Software.

II. Impact

A non-privileged user may create a branch (or fake a branch on a client sandbox) with a specially crafted name to gain write access to any module/directory including CVSROOT. Then by modifying an existing CVSROOT administrative script or introducing a new administrative script to CVSROOT an attacker may be able to execute arbitrary code on the server (regardless of server operating system) - including the ability to delete repository history, install a back door, or other additional exploit.

III. Solution

Apply an update

This issue is addressed in CVS Suite 2008 Build 3736 and CVS Suite 2009 Build 3729 (and higher), which modifies the way CVSNT handles branch names and Access Control Lists. Customers with an active software maintenance contract may download the update from the customer area of the march-hare.com web site.

CVSNT 2.5.04 build 2862 and later (including CVSNT 2.5.05) are not vulnerable because the ACL code was rewritten when XML processing was changed from expat to libxml2 2.6.2x (compatible libxml2 libraries are shipped with Red Hat Enterprise Linux 5 and Solaris 10). CVSNT source code for 2.5.05 and 2.5.04 may be downloaded from the download page of the march-hare.com web site.

Use a chroot jail with CVSNT on Linux/Unix

March Hare Software has published more information on chroot jail as a mitigation for this vulnerability or exposure.

Systems Affected

Vendor	Status	Date Notified	Date Updated
March Hare Software	Vulnerable		2010-03-16

References

http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?id=5871&tt=1
http://march-hare.com/cvspro/security.htm

Credit

This document was written by March Hare Software.

Other Information

Date Public:	2010-04-06
Date First Published:	2010-04-06
Date Last Updated:	2010-04-15
CERT Advisory:
CVE-ID(s):	CVE-2010-1326
NVD-ID(s):
US-CERT Technical Alerts: