bug-cvs
RE: Security Breach Alert - CVS Home File Download Area Compromised


From: Conrad T. Pino
Subject: RE: Security Breach Alert - CVS Home File Download Area Compromised
Date: Wed, 26 Jan 2005 01:39:12 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Kenneth,

I agree the issue is sensitive to the client platform and/or
browser but that's insufficient to prove it's a client side
issue only.

I have evidence pointing towards a server side issue:

1. The download behavior is inconsistent between file areas
on the CVS Home site i.e. downloading a "*.tar.gz" from the
source area works differently than a "*.gz" from a binary
file area such as Solaris i386 or Mac OS X.  The difference
with Windows 2000 and Internet Explorer 6 is source files
arrive compressed and binary files are uncompressed.  The
same issue appears to occur with Windows 2000 and Netscape
4.8 with the exception the file is larger than the expected
uncompressed size.  I've verified with Internet Explorer 6
binary files are compressed and compare exactly with my
reference copy.  I didn't compare Netscape 4.8 download
because my compare tool stops on a file size difference.
I've carefully checked my platform and browser settings to
make sure they don't attempt to uncompress the file and
that seems to be true as follows:

2. The "odd" download behavior I experience only occurs on
the CVS Home site as I get "normal" behavior with "*.gz"
files when downloading Tomcat 4.1.31 from Apache Jakarta
project.

3. Both Safari and Internet Explorer 5 on Apple Mac OS X
can download correctly sized binary files from affected
file areas whose MD5 hash agrees with expected values; this
is the platform and/or browser sensitive difference, but it
isn't the only discrepancy.

4. Both Safari and Internet Explorer 5 on Apple Mac OS X
can download correctly sized SOURCE files and signature
"*.sig" file whose PGP signature is verifiable from the
https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0
file area.  This behavior is consistent with Windows 2000
and Internet Explorer 6 combination.

5. Neither Safari nor Internet Explorer 5 on Apple Mac OS
X can download a PGP signature "*.sig" file from affected
binary file areas.  Safari reports "bad server response"
error message.  Internet Explorer 5 fails to save the file,
opting to display the contents in a browser window.  Area
https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92
demonstrates this failure.  The failure to download "*.sig"
files is consistent with Windows 2000 and Internet Explorer
6 combination.

6. The inconsistent behavior when downloading "*.sig" files
between the source and binary areas occurs across ALL of the
following:

        Windows 2000    Internet Explorer 6
        Windows 2000    Netscape 4.8
        Mac OS X        Internet Explorer 5
        Mac OS X        Safari 1.2.4

7. At a minimum the Java servlet sending "*.sig" files from
the binary file areas is behaving poorly enough to cause the
Safari browser to report "bad server response" error.

I would appreciate hearing your Engineering team is taking
a second look to focus on these questions:

A. Why do "*.gz" files from the source area arrive compressed
when using Windows 2000 with Internet Explorer 6 and "*.gz"
files from the binary area arrive uncompressed?

B. Why do "*.sig" files from the source area download correctly
and "*.sig" files from the binary file areas fail to download?

Best regards,

Conrad

> -----Original Message-----
> From: Kenneth Schwartzman [mailto:address@hidden]
> Sent: Tuesday, January 25, 2005 15:14
> To: address@hidden
> Subject: re cvs home email
> 
> Conrad:
> 
> Here's the latest info I have from the engineers.
> 
> <snip>
> [Eng] correctly pointed out that this is a browser issue--if you
> download the file (at least the MacOSX binary) and compare it with its
> respective 
> checksum here: 
> 
> http://lists.gnu.org/archive/html/info-cvs/2005-01/msg00260.html
> 
> The checksum matches.
> 
> I'm guessing this isn't an issue after all.
> </snip>
> 
> Thanks,
> Kenneth
> 
> ........................................
> Kenneth Schwartzman
> Technical Support Engineer
> CollabNet
> 650.228.2568
> ........................................

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfdlP7NM28ubzTo9EQKIyACg+Ys3pGNkBkaFB9d7SeOt3dFxaS4An3+S
RmAYh/1vlatlR5vmi5ba7unZ
=g+Wm
-----END PGP SIGNATURE-----
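The triage Conrad describes above (compare a downloaded "*.gz" against its published size and MD5, and against a reference copy fetched with another browser) can be scripted. The following is an added example written for this page, not code from the thread or from the CVS Home / CollabNet project. The function names (diagnose_download, is_decompressed_copy) and the sample tarball payload are constructed here for illustration; attributing a non-gzip download to a client honouring a Content-Encoding: gzip header is a plausible cause, not something the thread establishes.

```python
import gzip
import hashlib

# A gzip member always starts with these two bytes (RFC 1952).
GZIP_MAGIC = b"\x1f\x8b"


def md5_hex(data: bytes) -> str:
    """MD5 hex digest, the checksum form published for the CVS downloads."""
    return hashlib.md5(data).hexdigest()


def diagnose_download(received: bytes, expected_md5: str, expected_size: int) -> str:
    """Classify the bytes a browser saved for a *.gz against the published values.

    Returns one of:
      'ok'                  - checksum matches, the file is what the server stores
      'client-decompressed' - no gzip magic at all: the payload arrived already
                              uncompressed (assumption: the client or a proxy
                              honoured a Content-Encoding: gzip header)
      'oversized'           - still a gzip stream but longer than published
      'truncated'           - gzip stream shorter than published
      'corrupt'             - right size and magic, wrong checksum
    """
    if md5_hex(received) == expected_md5:
        return "ok"
    if not received.startswith(GZIP_MAGIC):
        return "client-decompressed"
    if len(received) > expected_size:
        return "oversized"
    if len(received) < expected_size:
        return "truncated"
    return "corrupt"


def is_decompressed_copy(received: bytes, reference_gz: bytes) -> bool:
    """True if `received` is exactly the uncompressed payload of a known-good
    reference .gz (the 'reference copy' obtained with another browser)."""
    try:
        return gzip.decompress(reference_gz) == received
    except (OSError, EOFError):
        # reference is not a valid gzip stream
        return False


def build_samples():
    """Constructed sample data: a stand-in for a small release tarball and its
    compressed form. Not real CVS release bytes."""
    payload = b"cvs-1.12.11/README\n" + b"placeholder source line\n" * 200
    reference_gz = gzip.compress(payload, mtime=0)
    return payload, reference_gz


if __name__ == "__main__":
    payload, ref_gz = build_samples()
    expected_md5, expected_size = md5_hex(ref_gz), len(ref_gz)

    # Simulated downloads: intact, transparently decompressed, padded, cut short.
    cases = {
        "Safari / IE5 on Mac OS X": ref_gz,
        "IE6 on Windows 2000": payload,
        "Netscape 4.8 on Windows 2000": ref_gz + b"\x00" * 16,
        "interrupted transfer": ref_gz[:-10],
    }
    for name, data in cases.items():
        verdict = diagnose_download(data, expected_md5, expected_size)
        extra = ""
        if verdict == "client-decompressed":
            extra = f" (matches decompressed reference: {is_decompressed_copy(data, ref_gz)})"
        print(f"{name:32s} size={len(data):6d} md5={md5_hex(data)} -> {verdict}{extra}")
```

Run it against a real download by replacing the constructed cases with the bytes of the saved file, the MD5 and size from the published checksum list, and a reference copy fetched with a browser that saves the file intact. A "client-decompressed" verdict whose payload also passes is_decompressed_copy shows the stored file is fine and only the transfer changed it, which is the distinction the thread is arguing about.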
