bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Security Breach Alert - CVS Home File Download Area Compromised


From: Conrad T. Pino
Subject: RE: Security Breach Alert - CVS Home File Download Area Compromised
Date: Tue, 25 Jan 2005 22:45:41 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Larry,

> From:  Larry Jones
> 
> Many browsers will automagically unzip the file without removing the .gz
> from the file name -- that may be all that's going on.

I'd buy this concept if it were a consistent behavior.

When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I get
file sizes consistent with values on download page and a PGP signature check
reports a valid file.

I'm still unable to download "*.gz.sig" for binaries with Internet Explorer
6 and the same download with Netscape 4.8 saves a zero length file.

Working your idea a bit further, the file received with Internet Explorer 6
is the exact size and content of the uncompressed original which says "magic"
is taking place but I'm not sure it's client side magic because I expect the
client side "magic" to work against all servers and that's not currently true.

I get "magic" behavior with:
https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92
and many other binary areas on CVS home but no "magic" with
https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0
and no "magic" with
http://jakarta.apache.org/site/binindex.cgi
either.

The current situation may or may not be a security breach and I don't feel
qualified to make such a determination.  All I can say for sure is that
today it's not possible to download a binary file with it's corresponding
PGP signature file and verify the authenticity of the binary file with PGP.

The zero length signature files are one problem and the "magic" expansion
of the compressed file also defeats the ability to verify authenticity.
I recall in the past we could do so.

PGP signature verification does work for the source tar balls today and
the lack of consistency is what really troubles me.

Something is wrong with the process that downloads binary files and their
signature files but I can't tell you what is wrong.  I can only report the
symptoms.  I do know it seems specific to the CVS Home binary file areas.

In my opinion the lack of evidence in either direction other than my own
is seriously retarding the effort to understand and remedy this issue or
to know even if it rises to such a level.

Can you try to replicate my tests and provide another set of data points?

Am I the only Windows 2000 and Internet Explorer 6 person using CVS?
If no, can someone please try replicating this issue and report results?

> -Larry Jones

Conrad

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfc8lLNM28ubzTo9EQKVKwCfR85jxwdZNA7q0dN6Cwa9HKwuC5QAn2Jw
JaAyaNwwfMA2In7XPfywCat9
=ObpE
-----END PGP SIGNATURE-----





reply via email to

[Prev in Thread] Current Thread [Next in Thread]