Re: CVS and ssh command injection (see CVE-2017-1000117, etc.)

From: Thorsten Glaser
Subject: Re: CVS and ssh command injection (see CVE-2017-1000117, etc.)
Date: Sun, 13 Aug 2017 21:49:17 +0000 (UTC)

Hank Leininger dixit:

>Of course, the repo specification looks very odd, so tricking a victim
>may be harder than for SCM tools where it's prefixed by an ssh://, or

It’s also immediately obvious and quite hard to exploit at all, I agree.

>  https://marc.info/?l=oss-security&m=150241876103454&w=2

This was forwarded to me via Debian, and I fixed it in MirBSD and Debian
and wrote about it, publishing a patch:


Incidentally, CVS has too many mailing lists, I’m subscribed on some,
but not this one (I prefer having one list only, plus one for commits,
I’ve not fully taken over CVS upstream yet, though). But if you have
to deal with CVS again, feel free to Cc me or so.

13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜<Draget:#cvs> Thank god I found you =)   20:03│«bioe007:#cvs» mira2k: ty
17:14⎜<ldiain:#cvs> Thanks big help you are :-)   <bioe007> mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW!  23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜<bhuey:#cvs> yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou            18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜<paolo:#cvs> i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD.     18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh.  Okay.  Sorry for the dumb question.  Thank you
21:34⎜<centosian:#cvs> mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated  «garrett__:#cvs» thanks for your time
23:39⎜<symons:#cvs> this worked, thank you very much 16:26⎜<schweizer:#cvs> ok
thx, i'll try that     20:00⎜«stableable:#cvs» Thank you.    20:50⎜«s833:#cvs»
mirabilos: thanks a lot.        19:34⎜<bobbytek:#cvs> Thanks for confirming :)
20:08⎜<tsolox:#cvs> ...works like a charm.. thanks mirabilos
