
Loophole in cvs_acls script allows restricted files to be committed


From: Peter Connolly
Subject: Loophole in cvs_acls script allows restricted files to be committed
Date: Thu, 18 Dec 2003 10:09:40 -0800

There appears to be a loophole in the cvs_acls script that allows 
someone to bypass an 'unavail' on a specific file and commit changes to 
that file.

It seems that all one needs to do is update another file in that same
directory. Then a commit of that unrestricted file will include the
restricted file, which commits successfully.

The avail file would look something like this:

unavail||CVSROOT/avail
avail|cvsadmin|CVSROOT/avail

So that only 'cvsadmin' should be able to update the 'avail' file.

But if a non-cvsadmin user updates **any other file** in the CVSROOT
directory (e.g., loginfo) and commits that file, the commit includes the
'avail' file and successfully commits it.

Here is some sample output when done under :ext: (ssh):

   address@hidden ssh]$ vi CVSROOT/avail
   address@hidden ssh]$ cvs ci -m"" CVSROOT/avail
   cvs commit: Examining CVSROOT
   address@hidden's password:
   **** Access denied: Insufficient permission for this dir/file (wimp|CVSROOT|)
   cvs commit: Pre-commit check failed
   cvs [commit aborted]: correct above errors first!
   address@hidden ssh]$ vi CVSROOT/loginfo
   address@hidden ssh]$ cvs ci -m"" CVSROOT/loginfo
   cvs commit: Examining CVSROOT
   address@hidden's password:
   Checking in CVSROOT/avail;
   /usr/cvsroot/CVSROOT/avail,v  <--  avail
   new revision: 1.7; previous revision: 1.6
   done
   Checking in CVSROOT/loginfo;
   /usr/cvsroot/CVSROOT/loginfo,v  <--  loginfo
   new revision: 1.139; previous revision: 1.138
   done
   cvs commit: Rebuilding administrative file database


This exposure occurs under both pserver and ext access modes. Client and
server were using CVS 1.11.10 under Redhat Linux 9.0.

Any help would be appreciated...
pc
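As an added example (not the cvs_acls script itself), here is a small Python evaluator for avail-style rules that checks every file CVS hands to the commitinfo hook, which is the check that must hold for the bypass described above to fail. The rule semantics are my simplified assumptions: later lines override earlier ones, an empty user field means all users, an empty path field means all paths, a path entry matches a file if it equals the file or is a directory prefix of it, and a file nothing matches is allowed.

```python
"""Evaluate cvs_acls-style 'avail' rules for every file in a commit."""
from typing import Dict, List, Tuple

# Constructed avail file mirroring the one in the report.
SAMPLE_AVAIL = """\
unavail||CVSROOT/avail
avail|cvsadmin|CVSROOT/avail
"""

Rule = Tuple[bool, List[str], List[str]]  # (allow?, users, paths)


def parse_avail(text: str) -> List[Rule]:
    """Parse 'avail|users|paths' lines; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = (line.split("|") + ["", ""])[:3]
        users = [u for u in fields[1].split(",") if u]
        paths = [p for p in fields[2].split(",") if p]
        rules.append((fields[0] == "avail", users, paths))
    return rules


def _path_matches(entry: str, path: str) -> bool:
    # Assumed matching: exact file, or entry is a directory prefix of path.
    entry = entry.rstrip("/")
    return path == entry or path.startswith(entry + "/")


def is_allowed(rules: List[Rule], user: str, path: str) -> bool:
    allowed = True  # assumed default when no rule matches
    for allow, users, paths in rules:
        if users and user not in users:
            continue
        if paths and not any(_path_matches(e, path) for e in paths):
            continue
        allowed = allow  # last matching line wins
    return allowed


def denied_files(avail_text: str, user: str, directory: str, files: List[str]) -> List[str]:
    """Check EVERY file in the commit (what commitinfo passes: dir plus file names).

    Returns the repo-relative paths the user may not commit; a non-empty
    result means the whole commit should be rejected, so that an unrestricted
    file cannot carry a restricted one along with it."""
    rules = parse_avail(avail_text)
    paths = [f"{directory}/{f}" for f in files]
    return [p for p in paths if not is_allowed(rules, user, p)]
```

Wiring this into commitinfo would mean rejecting the commit whenever `denied_files` returns anything, rather than only checking the file or directory the user named on the command line.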
