bug-cvs


From: Bruno Haible
Subject: denial-of-service attack prohibits all users from creating new repositories
Date: Thu, 27 May 2010 00:10:33 +0200
User-agent: KMail/1.9.9

Hi,

This has been reported by at least 4 users:
  <http://lists.gnu.org/archive/html/bug-gnu-utils/2010-05/msg00063.html>
  <https://bugzilla.redhat.com/show_bug.cgi?id=509387>
  <http://pastebin.com/f6d75a039>
  <http://trac.navit-project.org/ticket/317>

The common point between these reports is that they use the 'autopoint'
program (part of GNU gettext), which uses the 'cvs' program to extract
particular versions of files from an archive, and the error message

  cvs [init aborted]: Cannot initialize repository under existing CVSROOT

'autopoint' creates an empty directory and attempts to create an empty
CVS repository in it, and this fails.

How to reproduce:

1) Preparation:
  $ sudo mkdir -p /home/CVSROOT/Emptydir
  $ sudo mkdir -p /tmp/CVSROOT/Emptydir
  $ sudo mkdir -p /var/tmp/CVSROOT/Emptydir

2) Now observe that no non-root user can use 'cvs init' any more:

  $ cvs --version
  Concurrent Versions System (CVS) 1.12.13.1 (client/server)
  # Actually it's the build from today's CVS HEAD of
  # http://cvs.savannah.gnu.org/viewvc/ccvs/?root=cvs

  $ pwd
  /home/bruno/dev/gettext/tmp
  $ cvs -d `pwd`/tmp837456 init
  cvs [init aborted]: Cannot initialize repository under existing CVSROOT: `/home'
  $ cvs -d /tmp/tmp837456 init
  cvs [init aborted]: Cannot initialize repository under existing CVSROOT: `/tmp'

  Using a relative directory name does not help:
  $ cvs -d tmp83745q init
  cvs init: CVSROOT must be an absolute pathname (not `tmp83745q')
  cvs init: when using local access method.
  cvs [init aborted]: Bad CVSROOT: `tmp83745q'.

This error message "Cannot initialize repository under existing CVSROOT"
was introduced here:
  
<http://cvs.savannah.gnu.org/viewvc/ccvs/src/mkmodules.c?root=cvs&r1=1.100&r2=1.101>

Is there any workaround?

Bruno
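
Added example (not part of the original message, and not code from CVS or gettext): a diagnostic an administrator can run to find which ancestor directory makes 'cvs init' abort for a given repository path. It assumes, based only on the reproduction steps above, that the trigger is a CVSROOT/Emptydir subdirectory in some ancestor; the function name find_blocking_cvsroot is hypothetical.

```shell
#!/bin/sh
# Added diagnostic; not part of CVS or gettext.
# Assumption (inferred from the reproduction steps in the report):
# 'cvs init' aborts when an ancestor of the requested repository
# directory contains a CVSROOT/Emptydir subdirectory.

# find_blocking_cvsroot DIR
#   DIR is the absolute path that would be passed to 'cvs -d DIR init'.
#   Prints, nearest first, every ancestor of DIR that contains
#   CVSROOT/Emptydir, and lists that directory's owner and mode on stderr
#   so it is visible who created it.
#   Returns 0 if at least one blocking ancestor exists, 1 if none,
#   2 if DIR is not absolute (cvs rejects relative paths as well).
find_blocking_cvsroot() {
    target=$1
    case $target in
        /*) ;;
        *)  echo "find_blocking_cvsroot: not an absolute path: $target" >&2
            return 2 ;;
    esac

    status=1
    dir=$(dirname "$target")
    while :; do
        if [ -d "$dir/CVSROOT/Emptydir" ]; then
            ls -ld "$dir/CVSROOT/Emptydir" >&2
            printf '%s\n' "$dir"
            status=0
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Example (uses the path from the report):
#   find_blocking_cvsroot /home/bruno/dev/gettext/tmp/tmp837456
```

Run it as the user whose 'cvs init' fails; a directory it reports that is owned by another account is the one to have removed.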


