[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVS Feature Version 1.12.3 Released! <stong>(security update)</stron

From: Steve McIntyre
Subject: Re: CVS Feature Version 1.12.3 Released! <stong>(security update)</strong>
Date: Sun, 14 Dec 2003 02:04:16 +0000
User-agent: Mutt/1.5.4i

On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
>CVS feature version 1.12.3 has been released.  Feature releases contain
>new features as well as all the bug fixes from the stable release.  This
>release fixes a security issue with no known exploits that could cause
>previous versions of CVS to attempt to create files and directories in
>the filesystem root.  This release also fixes several issues relevant to
>case insensitive filesystems and some other bugs.  We recommend this
>upgrade for all CVS clients and servers already running the feature
>release and those users who like to stay on the cutting edge!

Derek, are you sure the simple fix in modules.c to check for
!isabsolute() will fix the hole here? What about people specifying
../../../../../../<something> ? Probably the easiest fix for that is
to modify isabsolute() to check for .. entries in the path


Steve McIntyre, Cambridge, UK.                                address@hidden
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]