bug-cvs

Re: GPG-Signed Commits and RCS Keyword exploit [long]


From: Jim Hyslop
Subject: Re: GPG-Signed Commits and RCS Keyword exploit [long]
Date: Thu, 22 Sep 2005 10:48:33 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Derek Price wrote:
> Jim Hyslop wrote:
>
>> Either way, if the server is compromised, the local file ends up
>> containing the exploit.
>
> Yes, but if I ignore keyword expansion entirely (other than giving a
> warning or error when keywords are present in the file at commit time),
> then you won't have a CVS executable that tells you you have a valid,
> signed, base revision just before it installs compromised code in your
> sandbox.

I'm working up a discussion paper, which outlines various attacks and compares how the two approaches can detect them. In order to do this properly, I need to know exactly how you propose to ignore RCS keywords (it's glossed over in the discussion document on the wiki).

Suppose I have rev 1.2 of a file checked out, and it contains:

#include <stdio.h>
int main( int argc, char ** argv )
{
  printf("Hello, revision $Revision: 1.2$\n");
  return 0;
}

Will this be signed as if I am checking in the un-expanded keyword, i.e. as if the file contains:

#include <stdio.h>
int main( int argc, char ** argv )
{
  printf("Hello, revision $Revision$\n");
  return 0;
}

--
Jim
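
Added example, not part of Jim Hyslop's message and not CVS code: one reading of the question above, in which expanded keywords are collapsed to their bare form before the digest to be signed is computed. The function names, the use of SHA-256 and the keyword list are assumptions; the thread does not say how the proposal handles this.

```python
import hashlib
import re

# Standard RCS/CVS keywords (assumed list; custom local keywords not handled).
KEYWORDS = ("Author", "Date", "Header", "Id", "Locker", "Log",
            "Name", "RCSfile", "Revision", "Source", "State")

# Matches $Keyword$ and $Keyword: value$ within a single line.
_KW = re.compile(rb"\$(" + "|".join(KEYWORDS).encode() + rb")(?::([^$\n]*))?\$")


def collapse_keywords(data: bytes) -> bytes:
    """Rewrite every '$Keyword: value$' as '$Keyword$'."""
    return _KW.sub(lambda m: b"$" + m.group(1) + b"$", data)


def signing_digest(data: bytes) -> str:
    """Digest over the collapsed form: what would be signed (hypothetical)."""
    return hashlib.sha256(collapse_keywords(data)).hexdigest()


def expanded_values(data: bytes):
    """Keyword values present in the file; these are NOT covered by the
    digest, so a commit-time check can warn or fail when any exist."""
    return [(m.group(1).decode(), m.group(2).decode().strip())
            for m in _KW.finditer(data) if m.group(2) is not None]


# The two files from the message, built from one template.
TEMPLATE = rb'''#include <stdio.h>
int main( int argc, char ** argv )
{
  printf("Hello, revision %s\n");
  return 0;
}
'''
EXPANDED = TEMPLATE.replace(b"%s", b"$Revision: 1.2$")
UNEXPANDED = TEMPLATE.replace(b"%s", b"$Revision$")
# Constructed variant: same file, different expanded value.
OTHER_VALUE = TEMPLATE.replace(b"%s", b"$Revision: 9.9$")

if __name__ == "__main__":
    print("same digest:", signing_digest(EXPANDED) == signing_digest(UNEXPANDED))
    print("values outside the digest:", expanded_values(EXPANDED))
    print("other value, same digest:",
          signing_digest(OTHER_VALUE) == signing_digest(UNEXPANDED))
```

Under this reading both files in the message sign identically, and whatever text sits between the colon and the closing `$` is outside the signature's coverage.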




