[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVS/Checkin.prog security hole status?

From: Dan Kegel
Subject: CVS/Checkin.prog security hole status?
Date: Mon, 06 Nov 2000 20:01:50 -0800

Have the security issues identified in
been resolved yet?

They were: "CVS/Checkin.prog and CVS/Update.prog can be
replaced with an arbitrary binary, which will be blindly
executed on the server" 
and "the client trusts paths sent from the server too much,
so a malicious server can overwrite arbitrary files on client".

I just checked the latest dev sources via anonymous CVS,
and the quick and dirty fix suggested by that post for the first issue
hasn't been applied.  Has a more subtle fix been applied, or
is this still outstanding?

- Dan

reply via email to

[Prev in Thread] Current Thread [Next in Thread]