bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: denial-of-service attack prohibits all users from creating new repos


From: Mark D. Baushke
Subject: Re: denial-of-service attack prohibits all users from creating new repositories
Date: Tue, 1 Jun 2010 01:25:51 -0700

Hi Bruno,

Bruno Haible <address@hidden> writes:

> This has been reported by at least 4 users:
>   <http://lists.gnu.org/archive/html/bug-gnu-utils/2010-05/msg00063.html>
>   <https://bugzilla.redhat.com/show_bug.cgi?id=509387>
>   <http://pastebin.com/f6d75a039>
>   <http://trac.navit-project.org/ticket/317>
> 
> The common point between these reports is that they use the 'autopoint'
> program (part of GNU gettext), which uses the 'cvs' program to extract
> particular versions of files from an archive, and the error message
> 
>   cvs [init aborted]: Cannot initialize repository under existing CVSROOT
> 
> 'autopoint' creates an empty directory and attempts to create an empty
> CVS repository in it, and this fails.

The only workaround would be to use chroot... probably not desirable for
this use case.

Failing that, you would need to hack ccvs/src/init.c::init() to ignore
the error of finding a CVSROOT looking hierarchy in the parent directory
chain. Again probably not desirable for this use case.

If there is sufficient demand, a '-f' option to force overwrite of an
existing repository may be able to be added.

        -- Mark

Attachment: pgpCKrUhDwTjc.pgp
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]