Bugtraq mailing list archives
[weejock () ferret lmh ox ac uk: Security issue with cvs (fwd)] (fwd)
From: jkatz () CPIO NET (J. Joseph Max Katz)
Date: Thu, 13 Aug 1998 05:51:24 -0700
This was forwarded to misc () openbsd org. I don't remember seeing anything about this in the past. Pardon the headers. -Jon ---------- Forwarded message ---------- Date: Thu, 13 Aug 1998 13:37:54 +0100 From: Jon Ribbens <jon () oaktree co uk> To: misc () openbsd org Subject: [weejock () ferret lmh ox ac uk: Security issue with cvs (fwd)] No idea if this is relevent. --- Forwarded message from Matthew Kirkwood <weejock () ferret lmh ox ac uk> --- Date: Thu, 13 Aug 1998 13:16:32 +0100 (GMT) From: Matthew Kirkwood <weejock () ferret lmh ox ac uk> To: security audit list <security-audit () ferret lmh ox ac uk> Subject: Security issue with cvs (fwd) Does this make any sense? ---------- Forwarded message ---------- Date: Thu, 13 Aug 1998 02:37:12 +0200 (CEST) From: Carlo Wood <carlo () runaway xs4all nl> To: "egcs () cygnus com" <egcs () cygnus com> Subject: Security issue with cvs Hi, as might be well known, there is a security problem with the read-only CVS access. The problem is that when someone manages to change or replace the CVSROOT/passwd file, then he or she can get root. The only way to avoid this is by making the restrictions on CVSROOT (and all directories above it) as tight as on /etc, which is clearly not the case for egcs because I can checkout the CVSROOT directory (which demands the anonymous user to set locks in there). I wrote a patch for cvs-1.9.29 (although 1.9.30 is out now)) which reads a file /etc/cvs.passwd instead of CVSROOT/passwd. The normal procedure for adding changes like this into cvs seems to be that people use it first, as a patch :). I am using it already myself on coder-com.undernet.org, and I advise "egcs" to use it too. I did put it on the web. You can get it at http://www.xs4all.nl/~carlo17/cvs/ for now. Thanks -- Carlo Wood <carlo () runaway xs4all nl> --- End forwarded message --- -- \/ Jon Ribbens / jon () oaktree co uk
Current thread:
- [weejock () ferret lmh ox ac uk: Security issue with cvs (fwd)] (fwd) J. Joseph Max Katz (Aug 13)