Thanks to Brad Smith for informing me that there is a patch for the 3.5 & 3.4 stable trees which fixes a vulnerability in Concurrent Versions System (CVS) used by OpenBSD. Though http://www.openbsd.org/errata.html will be updated shortly, in the meantime you can find patches on the ftp mirrors here for 3.5-stable and here for 3.4-stable.
Mailing list archives of the CVS changelog messages are here and here.
By netchan (68.52.36.255) netchan at cotse dot net on
Does W^X or some other obsd magic protect against this kind of vulnerability?
By Clint (24.131.187.140) on
The advisory says that this is a heap overflow. W^X and such, as far as I know, only help protect against buffer overflow, not heap.
By sean (139.142.208.98) on
Buffers are normally allocated in heap space.
W^X and ProPolice protect you here but the application will crash instead of being exploitable.
By Anonymous Coward (209.162.224.62) on
No, propolice works on the stack, it doesn't help a heap overflow. Did all openbsd supported arches get non-executable heaps, or is it still just the good arches?
By tedu (128.12.75.69) on
Some types of exploits may be caught by W^X, while others will not be caught.
By Otto (213.84.84.111) otto@drijf.net on http://www.drijf.net
An example of a potential exploit that uses various existing features of CVS (I did not check if this is really doable, but I am sure this or similar attacks are possible):
The CVS server can write files and execute external programs. This is all existing code. There is no need to insert new code into the heap to do the exploit.
The only thing we have to do is to trick the CVS server into executing existing code using arguments the malicious client supplies. Some of these arguments might be data stored on the heap. By manipulating the heap, the CVS server could be fooled into executing a file you just uploaded.