Bugtraq mailing list archives

[weejock () ferret lmh ox ac uk: Security issue with cvs (fwd)] (fwd)


From: jkatz () CPIO NET (J. Joseph Max Katz)
Date: Thu, 13 Aug 1998 05:51:24 -0700


This was forwarded to misc () openbsd org. I don't remember seeing
anything about this in the past. Pardon the headers.

-Jon

---------- Forwarded message ----------
Date: Thu, 13 Aug 1998 13:37:54 +0100
From: Jon Ribbens <jon () oaktree co uk>
To: misc () openbsd org
Subject: [weejock () ferret lmh ox ac uk: Security issue with cvs (fwd)]

No idea if this is relevant.

--- Forwarded message from Matthew Kirkwood <weejock () ferret lmh ox ac uk> ---

Date: Thu, 13 Aug 1998 13:16:32 +0100 (GMT)
From: Matthew Kirkwood <weejock () ferret lmh ox ac uk>
To: security audit list <security-audit () ferret lmh ox ac uk>
Subject: Security issue with cvs (fwd)

Does this make any sense?

---------- Forwarded message ----------
Date: Thu, 13 Aug 1998 02:37:12 +0200 (CEST)
From: Carlo Wood <carlo () runaway xs4all nl>
To: "egcs () cygnus com" <egcs () cygnus com>
Subject: Security issue with cvs

Hi,

As might be well known, there is a security problem with
the read-only CVS access.  The problem is that when someone
manages to change or replace the CVSROOT/passwd file,
then he or she can get root.

The only way to avoid this is by making the restrictions
on CVSROOT (and all directories above it) as tight as
on /etc, which is clearly not the case for egcs because
I can check out the CVSROOT directory (which demands that the
anonymous user set locks in there).

I wrote a patch for cvs-1.9.29 (although 1.9.30 is out now)
which reads a file /etc/cvs.passwd instead of CVSROOT/passwd.
The normal procedure for adding changes like this into
cvs seems to be that people use it first, as a patch :).

I am using it already myself on coder-com.undernet.org,
and I advise "egcs" to use it too.

I did put it on the web.  You can get it at
http://www.xs4all.nl/~carlo17/cvs/
for now.

Thanks

--
 Carlo Wood  <carlo () runaway xs4all nl>


--- End forwarded message ---

--
\/ Jon Ribbens / jon () oaktree co uk
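The mechanism behind Carlo Wood's warning is the third field of a CVSROOT/passwd entry: pserver uses it as the Unix account to switch to after authentication, so a line an attacker manages to write into that file can name root. The following is an added example, not code from the thread or from CVS itself. It models that mapping in Python and applies the two checks a hardened server wants: reject the file unless it is root-owned and not writable by anyone else (the /etc-style restriction the message asks for, which is what reading /etc/cvs.passwd buys), and refuse any entry that resolves to root. The file layout follows the CVS manual (user:crypt-hash[:system-user]); the sample passwd contents, the hash strings and the function names are constructed for this example.

```python
"""Added example: how a CVS pserver passwd entry becomes a Unix identity,
and the policy checks that close the CVSROOT/passwd hole.  Not CVS code."""
import os
import stat

# Constructed sample CVSROOT/passwd, as an attacker with write access to
# CVSROOT might leave it.  Format: cvs-user:crypt-hash[:system-user].
# A missing or empty third field maps the CVS user onto the same-named
# Unix account.  The last line is the attacker's: an "anon" login with an
# empty hash field (treated here as "no password required") mapped to root.
# The hash strings are made-up 13-character crypt(3)-shaped values.
SAMPLE_PASSWD = """\
# legitimate entries
anoncvs:sa3tHJ3/KuYvI:cvsanon
carlo:abJnggxhB/yWI
# attacker-added line
anon::root
"""


def parse_passwd(text):
    """Return a list of (cvs_user, crypt_hash, system_user) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("line %d: expected user:hash[:system_user]" % lineno)
        cvs_user, crypt_hash = fields[0], fields[1]
        # Empty or absent third field: the CVS name doubles as the Unix name.
        system_user = fields[2] if len(fields) > 2 and fields[2] else cvs_user
        entries.append((cvs_user, crypt_hash, system_user))
    return entries


def resolve_system_user(entries, cvs_user):
    """The account the server would switch to for a CVS login, or None."""
    for user, _hash, system_user in entries:
        if user == cvs_user:
            return system_user
    return None


def privileged_entries(entries):
    """CVS users whose entry would hand out root (the attack on this page)."""
    return [user for user, _hash, system_user in entries if system_user == "root"]


def file_is_trusted(owner_uid, mode):
    """A passwd file is only trustworthy if root owns it and nobody else can
    write to it: the same rule /etc/passwd lives by."""
    if owner_uid != 0:
        return False
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def passwd_file_problems(entries, owner_uid, mode, inside_repository):
    """Every reason a hardened server should refuse this passwd file."""
    problems = []
    if inside_repository:
        problems.append("passwd file lives under CVSROOT, which anonymous "
                        "users can reach; read /etc/cvs.passwd instead")
    if not file_is_trusted(owner_uid, mode):
        problems.append("passwd file is not root-owned with mode 0644 or stricter")
    for user in privileged_entries(entries):
        problems.append("entry for %r maps to root" % user)
    return problems


def check_passwd_file(path, cvsroot):
    """Run the policy against a real file: stat it and decide whether it sits
    inside the repository tree."""
    st = os.stat(path)
    with open(path) as fh:
        entries = parse_passwd(fh.read())
    root = os.path.abspath(cvsroot)
    inside = os.path.commonpath([os.path.abspath(path), root]) == root
    return passwd_file_problems(entries, st.st_uid, stat.S_IMODE(st.st_mode), inside)


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("anon logs in as:", resolve_system_user(entries, "anon"))
    # Simulated stat of a CVSROOT/passwd owned by uid 1000, mode 0664.
    for problem in passwd_file_problems(entries, 1000, 0o664, True):
        print("refuse:", problem)
```

With the sample file, the model resolves the attacker's "anon" login to root, and the policy function reports all three problems: the file is inside CVSROOT, it is not root-owned and unwritable by others, and one entry maps to root. A file at /etc/cvs.passwd owned by root with mode 0644 and no root mappings passes cleanly.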
