bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Feature Request and Security Bug


From: Stefan Esser
Subject: Feature Request and Security Bug
Date: Tue, 14 Jan 2003 18:44:08 +0100
User-agent: Mutt/1.4i

Hi,

first of all we would like to see our patch applied. It adds the functionality
to disable Update-prog and Checkin-prog from the configuration. Both functions
make it absolutely impossible to work with multiple commiters on a CVS pserver.
I do not want to hear the old song: "pserver is insecure" There is f.e. nothing
insecure if you have a documentation repository. If someone is able to sniff a
password he should not be able to execute commands on the server. If he wants
to change the documentation then one can see this change his password and the
wrong commit is restored. With both commands enabled any writer can execute
arbitrary commands on the server.

My second wish is more important. There is a remotely exploitable bug in CVS
that allows anyone to execute arbitrary code. I want someone from the project
to contact me because of this bug. Derek R. Price was mailed about it over 10
days ago and he hasnt replied yet. Seems he is on vacation. I will only talk
about this bug in private GPG encrypted mail and only with a person that is
a main commiter. (so do not forget your keys)

Stefan Esser

Attachment: cvs.diff
Description: Text document

Attachment: pgpmivGPtWRSp.pgp
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]