CVS/Checkin.prog security hole status?

info-cvs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVS/Checkin.prog security hole status?

From:	Dan Kegel
Subject:	CVS/Checkin.prog security hole status?
Date:	Mon, 06 Nov 2000 20:01:50 -0800

Have the security issues identified in
http://www.mail-archive.com/bug-cvs%40gnu.org/msg00384.html
been resolved yet?

They were: "CVS/Checkin.prog and CVS/Update.prog can be
replaced with an arbitrary binary, which will be blindly
executed on the server" 
and "the client trusts paths sent from the server too much,
so a malicious server can overwrite arbitrary files on client".

I just checked the latest dev sources via anonymous CVS,
and the quick and dirty fix suggested by that post for the first issue
hasn't been applied.  Has a more subtle fix been applied, or
is this still outstanding?

- Dan

[Prev in Thread]

Current Thread

[Next in Thread]

CVS/Checkin.prog security hole status?, Dan Kegel <=
- Re: CVS/Checkin.prog security hole status?, Derek R. Price, 2000/11/07

Prev by Date: Re: (no subject)
Next by Date: Timezone-conflict between client and server
Previous by thread: problem w/ commitinfo file
Next by thread: Re: CVS/Checkin.prog security hole status?
Index(es):
- Date
- Thread