bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cvs: temporary file handling fixes


From: Derek Robert Price
Subject: Re: cvs: temporary file handling fixes
Date: Mon, 26 May 2003 23:08:59 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Mark D. Baushke wrote:

Hi Alexander,

You write:
In particular, I was looking for a (security) bug reporting address
that wouldn't automatically reach a public mailing list, -- but it
seems you find unsafe temporary file handling to be a minor enough
issue to be discussed in public.  This is OK with me, but I thought
that some vendor-sec members could prefer to handle it differently.

I do not know anyone on the development team that believes that cvs is a
'secure' program today. It should be improved, but it was not designed
with security in mind and is often too trusting of the data is has on
hand.


Besides which, my specialty is not security. If you don't clearly label something dangerous to distribute as such, I might not always catch it. I've always thought temp file bugs were minor, but no one has ever explained the exploit to me. Can they be particularly dangerous?

Also, as Mark said, there are many security flaws in CVS. Without a lot of extra work by the system administrator, it is relatively easy to run a script as the user the CVS server is run as. Until release 1.11.6 and 1.12.1, it was even easier. This makes me tend not to worry too much about exploit dissemination, though I do usually try and fix the bugs as reported.

I personally would find it desirable to remove as many of the 'known'
security holes as possible in cvs. For now, this means that you need to
air them on the address@hidden list.


I agree, and I tend to use bug-cvs for many reasons. For instance, it maintains a public archive which potential bug reporters and developers can search for answers. This way, we don't have to answer the same questions as often as we otherwise might, and sometimes when I don't have time to deal with the issues myself others can find them and get to them. In this case, I didn't feel I had time to decipher your patches and was hoping someone else would jump in if it was important.

I'll add some more in response to Simon's earlier mail.

Derek

--
               *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
--
There is not a truth on earth which I fear or would disguise.  But secret
slanders cannot be disarmed, because they are secret.

                        - Thomas Jefferson to William Duane, 1806







reply via email to

[Prev in Thread] Current Thread [Next in Thread]