Old CVS vulnerability - ever fixed?

From: Michal Zalewski
Subject: Old CVS vulnerability - ever fixed?
Date: Sat, 13 Apr 2002 15:11:00 -0400 (EDT)


There is a pretty old CVS client-side vulnerability, originally mentioned
here: http://www.mail-archive.com/bug-cvs%40gnu.org/msg00385.html.
Actually, this message mentions two vulnerabilities: one of them is
server-side, and the other is client-side. While the first one is pretty
questionable, as it can be exploited only by "trusted" users with write
privileges, the other one is pretty nasty, especially for people who use
anonymous CVS - if the server is compromised or communication is spoofed,
the attacker can effectively compromise the client system. There was a
lengthy discussion on bug-cvs back then about the first issue, but the
second issue went unnoticed.

My question is, was it ever addressed? I can't find any references to it
in the ChangeLog or anywhere else. If not, what was the reason? The fix
wouldn't be very difficult to implement and should not break any
functionality, while protecting client systems when sources are downloaded
from a hostile system.

PS. I'm not a bug-cvs subscriber; a Cc: would be greatly appreciated.

Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=