SECURITY BUG in CVS 1.11.1

Larry Jones

Feb 11, 2002, 5:09:03 PM
to info...@gnu.org
It has been brought to my attention that CVS 1.11.1 and 1.11.1p1 have a
bug in pserver mode that allows read-only users to run the "tag"
command. This allows read-only users to add and, more importantly, move
or delete tags. The bug does not affect releases prior to 1.11.1 and
has been fixed in the current development version. Anyone with a
publicly-accessible pserver (or clumsy users) is urged to upgrade
immediately.

-Larry Jones

I don't think math is a science, I think it's a religion. -- Calvin

_______________________________________________
Info-cvs mailing list
Info...@gnu.org
http://mail.gnu.org/mailman/listinfo/info-cvs

Mark

Feb 12, 2002, 11:53:12 AM
to Larry Jones, info...@gnu.org
Posted last September to info...@gnu.org, no response from CVS community so I
thought it was as designed. Anyhow, I wrote a taginfo trigger to validate user
is in writers file to compensate.

Subject: Readonly user can manipulate tags?

http://www.mail-archive.com/info...@gnu.org/msg13105.html

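A taginfo guard of the kind mentioned in the message above, as an added example that is not the poster's script or code from the CVS project: it applies the readers/writers rule from the CVS manual and returns non-zero, which makes CVS abort the tag. The function names, the script name and the argument order (user name and repository root ahead of the tag name and operation) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): refuse tag operations from users
# that CVS treats as read-only. Assumed invocation, e.g. from a taginfo
# line: check_tag.sh USER CVSROOT TAG OP [REPOSITORY FILE REV ...]
# where OP is add, mov or del. The argument order is an assumption.

# listed FILE USER: true if USER is exactly one line of FILE.
listed() {
    [ -f "$1" ] || return 1
    grep -Fqx -- "$2" "$1"
}

# may_write USER CVSROOT: the readers/writers rule from the CVS manual.
# Listed in readers -> read-only; writers exists and user is not in it
# -> read-only; otherwise read-write.
may_write() {
    user=$1
    admin=$2/CVSROOT
    [ -n "$user" ] || return 1          # fail closed on a missing name
    if listed "$admin/readers" "$user"; then
        return 1
    fi
    if [ -f "$admin/writers" ] && ! listed "$admin/writers" "$user"; then
        return 1
    fi
    return 0
}

# check_tag USER CVSROOT TAG OP: a non-zero status aborts the tag.
check_tag() {
    if may_write "$1" "$2"; then
        return 0
    fi
    echo "taginfo: read-only user '$1' may not $4 tag '$3'" >&2
    return 1
}

# Run as a script only when arguments were supplied.
if [ "$#" -ge 4 ]; then
    check_tag "$@"
    exit $?
fi
```

The check fails closed: an empty user name, or a writers file that exists but does not list the user, is treated as read-only.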

Larry Jones

Feb 12, 2002, 2:29:01 PM
to Mark, info...@gnu.org
Mark writes:
>
> Posted last September to info...@gnu.org, no response from CVS community so I
> thought it was as designed.

Sorry for overlooking it; if it was intentional, someone would likely
have said so.

-Larry Jones

See, it all makes sense. See? See?? They never see. -- Calvin

Douglas Finkle

Feb 12, 2002, 3:16:25 PM
to info...@gnu.org
> It has been brought to my attention that CVS 1.11.1 and
> 1.11.1p1 have a
> bug in pserver mode that allows read-only users to run the "tag"
> command. This allows read-only users to add and, more
> importantly, move
> or delete tags. The bug does not affect releases prior to 1.11.1 and
> has been fixed in the current development version. Anyone with a
> publicly-accessible pserver (or clumsy users) is urged to upgrade
> immediately.


Sorry, but can you provide a reference url, or ftp path for this update?
I checked out on http://ccvs.cvshome.org/servlets/ProjectDownloadList
and the last version posted was v1.11p1 on 2001-10-16.

Thanks,
Doug

Larry Jones

Feb 12, 2002, 4:00:03 PM
to Douglas Finkle, info...@gnu.org
Douglas Finkle writes:
>
> Sorry, but can you provide a reference url, or ftp path for this update?
> I checked out on http://ccvs.cvshome.org/servlets/ProjectDownloadList
> and the last version posted was v1.11p1 on 2001-10-16.

Sorry for the confusion -- at the moment, the fix is only in the current
development version of the code, it is not yet in a released version.
Anyone can get the current development version source code by checking
it out of CVS: see the checkout instructions at:

<http://ccvs.cvshome.org/servlets/ProjectSource>

-Larry Jones

My dreams are getting way too literal. -- Calvin

Douglas Finkle

Feb 12, 2002, 4:04:52 PM
to info...@gnu.org
> > Douglas Finkle writes:
> >
> > Sorry, but can you provide a reference url, or ftp
> > path for this update?
> > I checked out on
> http://ccvs.cvshome.org/servlets/ProjectDownloadList
> > and the last version posted was v1.11p1 on 2001-10-16.
>
> Sorry for the confusion -- at the moment, the fix is only in
> the current
> development version of the code, it is not yet in a released version.
> Anyone can get the current development version source code by checking
> it out of CVS: see the checkout instructions at:
>
> <http://ccvs.cvshome.org/servlets/ProjectSource>


Is there any chance of you offering this as a smaller step by publishing the
fix as a patch? I'd feel much more comfortable applying a small patch
vs replacing the entire tool w/ a development version. I imagine many
others would feel similarly.

A cvs diff of the files requiring the fix would be most appreciated.

Regards,
Doug

Larry Jones

Feb 12, 2002, 5:03:22 PM
to Douglas Finkle, info...@gnu.org
Douglas Finkle writes:
>
> Is there any chance of you offering this as a smaller step by publishing the
> fix as a patch? I'd feel much more comfortable applying a small patch
> vs replacing the entire tool w/ a development version. I imagine many
> others would feel similarly.

For what it's worth, the current development version is entirely stable
and contains many bug fixes; I have no qualms about suggesting that
people run it. On the other hand:

> A cvs diff of the files requiring the fix would be most appreciated.

Index: main.c
===================================================================
RCS file: /cvs/ccvs/src/main.c,v
retrieving revision 1.168
retrieving revision 1.169
diff -u -r1.168 -r1.169
--- main.c 4 Sep 2001 22:43:23 -0000 1.168
+++ main.c 8 Feb 2002 18:06:36 -0000 1.169
@@ -332,6 +332,8 @@
if (strcmp (cmd_name, cm->fullname) == 0)
break;
}
+ if (!cm->fullname)
+ error (1, 0, "unknown command: %s", cmd_name);
return cm->attr;
}
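
Review bot: The new `if (!cm->fullname)` check ahead of `return cm->attr;` should carry a comment saying why an unmatched name is fatal rather than ignored. As the check implies, when no `strcmp` matches the loop ends on the table's terminating entry, so the old code returned that entry's `attr` for an unknown name. A one-line comment that this function fails closed for any name missing from the command table would keep a later cleanup from softening it to a warning. Since `error (1, ...)` terminates the process, it is also worth confirming that every caller can tolerate an exit at this point.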

Index: server.c
===================================================================
RCS file: /cvs/ccvs/src/server.c,v
retrieving revision 1.271
retrieving revision 1.272
diff -u -r1.271 -r1.272
--- server.c 30 Jan 2002 16:53:06 -0000 1.271
+++ server.c 8 Feb 2002 18:06:36 -0000 1.272
@@ -3666,7 +3666,7 @@
serve_tag (arg)
char *arg;
{
- do_cvs_command ("cvstag", cvstag);
+ do_cvs_command ("tag", cvstag);
}

static void
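
Review bot: The first argument to `do_cvs_command` in `serve_tag` is still a hand-typed string literal, so the mismatch corrected here (`"cvstag"` where the command is named `"tag"`) can recur in any other caller without the compiler noticing. Suggest auditing every `do_cvs_command` call against the command table names as part of the same change, and adding a regression test in which a read-only pserver user's tag request is refused, since that is the behaviour this one-word change restores.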

-Larry Jones

What a waste to be going to school on a morning like this. -- Calvin