info-cvs

Re: CVS Feature Version 1.12.3 Released! (security update)


From: Steve McIntyre
Subject: Re: CVS Feature Version 1.12.3 Released! (security update)
Date: Sun, 14 Dec 2003 02:04:16 +0000
User-agent: Mutt/1.5.4i

On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
>
>CVS feature version 1.12.3 has been released.  Feature releases contain
>new features as well as all the bug fixes from the stable release.  This
>release fixes a security issue with no known exploits that could cause
>previous versions of CVS to attempt to create files and directories in
>the filesystem root.  This release also fixes several issues relevant to
>case insensitive filesystems and some other bugs.  We recommend this
>upgrade for all CVS clients and servers already running the feature
>release and those users who like to stay on the cutting edge!

Derek, are you sure the simple fix in modules.c to check for
!isabsolute() will fix the hole here? What about people specifying
../../../../../../<something> ? Probably the easiest fix for that is
to modify isabsolute() to check for .. entries in the path
specified.

Thoughts?

-- 
Steve McIntyre, Cambridge, UK.                                address@hidden
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...

Attachment: signature.asc
Description: Digital signature

