Re: cvs: temporary file handling fixes

[Derek Robert Price]

Solar Designer wrote:

> Hi,
>
> We've recently officially added CVS 1.11.5 to Openwall GNU/*/Linux.
> One of the things this required is a review of CVS code for possible
> unsafe temporary file handling and making the corresponding fixes.
> Our patches are available via:
>
> cvs -d :pserver:anoncvs:anoncvs@anoncvs.owl.openwall.com:/cvs co 
> Owl/packages/cvs
>
> Of course, the worst were the scripts under contrib/ and our fixes to
> them require Todd Miller's mktemp (1.3.1 or newer) most of the time
> (but not always, so that some may be applied to the official CVS even
> if requiring mktemp is decided to be unacceptable).  There're
> intentionally no fallbacks to not be fail-open.
>
> Also note the patch which makes CVS use vitmp, our wrapper around
> the VIM editor.  Without it, the uses of vi by CVS are unsafe at
> least with VIM 6.1.386 (the VIM 6.1 patchlevel we're at currently)
> when $TMPDIR is set to a directory that VIM doesn't recognize as a
> temporary file one.  It may be easily seen with strace how, without
> vitmp, a temporary file is unlinked and then re-created under the
> same name and without the use of O_EXCL.  vitmp is in the public
> domain and may be had via:
>
> cvs -d :pserver:anoncvs:anoncvs@anoncvs.owl.openwall.com:/cvs co 
> Owl/packages/vim/
>  

At first glance, these fixes are mostly either misguided or already 
incorporated in, at least, the 1.12 feature branch.  The fixes that 
might be usable are going to need at least ChangeLog entries to 
accompany them, some may need more documentation or tests in sanity.sh, 
and all will need to have their purposes explained more fully to be 
accepted.  Please see the HACKING file in the top level of the CVS 
source distribution for more on how to submit patches.  Please note in 
particular that they should be sent to the <bug-cvs@gnu.org> mailing 
list and not directly to me.

Finally, fixes to the diff/* library code, unless its only purpose is 
CVS integration, should be sent to the GNU diffutils project.  The home 
page is located at <http://www.gnu.org/software/diffutils/> and their 
bug report mailing list is <bug-gnu-utils@gnu.org>.  After the GNU 
diffutils project has incorporated a needed fix, please then notify us 
that it would be a good idea to import the new version of the diffutils 
library into CVS and why.

Thank you for your time,

Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
Tar is not a plaything.
Tar is not a plaything.
Tar is not a plaything...

         - Bart Simpson on chalkboard, _The Simpsons_