
Re: CVS/Checkin.prog security hole status?


From: Derek R. Price
Subject: Re: CVS/Checkin.prog security hole status?
Date: Tue, 07 Nov 2000 11:39:22 -0500

Dan Kegel wrote:

> Have the security issues identified in
> http://www.mail-archive.com/bug-cvs%40gnu.org/msg00384.html
> been resolved yet?
>
> They were: "CVS/Checkin.prog and CVS/Update.prog can be
> replaced with an arbitrary binary, which will be blindly
> executed on the server"
> and "the client trusts paths sent from the server too much,
> so a malicious server can overwrite arbitrary files on client".
>
> I just checked the latest dev sources via anonymous CVS,
> and the quick and dirty fix suggested by that post for the first issue
> hasn't been applied.  Has a more subtle fix been applied, or
> is this still outstanding?

I can't find anything in the ChangeLog, but following the thread, it
seems that the people who might have worked on a fix decided that the
urgency was low as it didn't affect users with read-only access but was
only possible if the attacker already had write access to the repository.

Derek
--
Derek Price                      CVS Solutions Architect (
http://CVSHome.org )
mailto:address@hidden     OpenAvenue ( http://OpenAvenue.com )
--
"I wish you and yours every joy in life, old chap, and tons of money, and
may you never die till I shoot you."

 -James Joyce, "Dubliners"
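The second issue Dan quotes, the client accepting whatever path the server names, is the one a defender can illustrate compactly. The following is an added example, not code from CVS or from anyone in this thread: a hypothetical client-side check written in Python (CVS itself is C) that refuses absolute paths and parent-directory components before a server-named file is written into the working tree. The sample paths and the workdir are constructed.

```python
import posixpath

class UnsafeServerPath(ValueError):
    """A server-supplied path would land outside the client's working tree."""

def validate_server_path(server_path: str) -> str:
    """Normalise a relative path received from the server and reject anything
    that could escape the working directory; returns the cleaned path."""
    if not server_path:
        raise UnsafeServerPath("empty path")
    if "\0" in server_path:
        raise UnsafeServerPath("NUL byte in path")
    if server_path.startswith("/"):
        raise UnsafeServerPath("absolute path: %r" % server_path)
    # Reject '..' anywhere, including forms such as 'a/../../b' that a plain
    # normpath() would quietly collapse before the check.
    if any(part == ".." for part in server_path.split("/")):
        raise UnsafeServerPath("parent-directory component: %r" % server_path)
    clean = posixpath.normpath(server_path)
    if clean in (".", ""):
        raise UnsafeServerPath("path names the working directory itself")
    return clean

def resolve_client_path(workdir: str, server_path: str) -> str:
    """Map a validated path onto the client's working tree, then check again
    that the joined result still lies beneath workdir (defence in depth)."""
    root = posixpath.normpath(workdir)
    target = posixpath.normpath(posixpath.join(root, validate_server_path(server_path)))
    if not target.startswith(root.rstrip("/") + "/"):
        raise UnsafeServerPath("escaped %s: %r" % (root, server_path))
    return target

# Constructed sample: legitimate names mixed with paths a hostile server could send.
SAMPLE_PATHS = ["src/main.c", "./docs/README", "../../../etc/passwd",
                "/etc/passwd", "a/b/../../../x", ""]

def triage(workdir, paths):
    """Return (accepted, rejected): accepted maps path -> resolved location,
    rejected maps path -> reason the client refused it."""
    accepted, rejected = {}, {}
    for p in paths:
        try:
            accepted[p] = resolve_client_path(workdir, p)
        except UnsafeServerPath as exc:
            rejected[p] = str(exc)
    return accepted, rejected

if __name__ == "__main__":
    print(triage("/home/user/work", SAMPLE_PATHS))
```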
