info-cvs

Re: CVS Feature Version 1.12.3 Released! (security update)


From: Derek Robert Price
Subject: Re: CVS Feature Version 1.12.3 Released! (security update)
Date: Mon, 15 Dec 2003 22:24:47 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1


Steve McIntyre wrote:

>On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
>
>>CVS feature version 1.12.3 has been released.  Feature releases contain
>>new features as well as all the bug fixes from the stable release.  This
>>release fixes a security issue with no known exploits that could cause
>>previous versions of CVS to attempt to create files and directories in
>>the filesystem root.  This release also fixes several issues relevant to
>>case insensitive filesystems and some other bugs.  We recommend this
>>upgrade for all CVS clients and servers already running the feature
>>release and those users who like to stay on the cutting edge!
>
>
>Derek, are you sure the simple fix in modules.c to check for
>!isabsolute() will fix the hole here? What about people specifying
>../../../../../../<something> ? Probably the easiest fix for that is
>to modify isabsolute() to check for .. entries in the path
>specified.
>
>Thoughts?


If you can send me a reproducible case where CVS doesn't abort with an
error, I'll be happy to look into it, but I am pretty sure CVS has been
catching the indirection case for years.  Go ahead and try it.

Derek

--
                *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
--
I will return the seeing-eye dog.
I will return the seeing-eye dog.
I will return the seeing-eye dog...

          - Bart Simpson on chalkboard, _The Simpsons_
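The check Steve asks about, written out as an added example (not CVS's own isabsolute() or anything from modules.c): a hypothetical module_path_is_safe() that rejects an absolute path and any path containing a ".." component, walked component by component so "../../x", "a/../b" and a trailing "a/.." are all caught while ordinary names like "..foo" are allowed. It assumes POSIX-style "/" separators only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (added example, not CVS code): return true when a
 * module path may safely be used relative to the repository root, i.e. it
 * is not absolute and contains no ".." component that could climb above
 * the repository (e.g. "../../../../etc"). */
bool module_path_is_safe(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return false;

    /* Absolute path: leading slash. CVS also deals with DOS-style drive
     * letters and backslashes; this example covers POSIX paths only. */
    if (*p == '/')
        return false;

    /* Walk the path one component at a time. A component that is exactly
     * ".." is rejected wherever it appears; "..x" or "x.." are plain names
     * and pass. Empty components from "a//b" are harmless and pass. */
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}
```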
