[weejock@ferret.lmh.ox.ac.uk: Security issue with cvs (fwd)] (fwd)
J. Joseph Max Katz (jkatz@CPIO.NET)
Thu, 13 Aug 1998 05:51:24 -0700
This was forwarded to misc@openbsd.org. I don't remember seeing anything about this in the past. Pardon the headers.

-Jon

---------- Forwarded message ----------
Date: Thu, 13 Aug 1998 13:37:54 +0100
From: Jon Ribbens <jon@oaktree.co.uk>
To: misc@openbsd.org
Subject: [weejock@ferret.lmh.ox.ac.uk: Security issue with cvs (fwd)]

No idea if this is relevant.

--- Forwarded message from Matthew Kirkwood <weejock@ferret.lmh.ox.ac.uk> ---

Date: Thu, 13 Aug 1998 13:16:32 +0100 (GMT)
From: Matthew Kirkwood <weejock@ferret.lmh.ox.ac.uk>
To: security audit list <security-audit@ferret.lmh.ox.ac.uk>
Subject: Security issue with cvs (fwd)

Does this make any sense?

---------- Forwarded message ----------
Date: Thu, 13 Aug 1998 02:37:12 +0200 (CEST)
From: Carlo Wood <carlo@runaway.xs4all.nl>
To: "egcs@cygnus.com" <egcs@cygnus.com>
Subject: Security issue with cvs

Hi,

as might be well known, there is a security problem with the read-only CVS access. The problem is that when someone manages to change or replace the CVSROOT/passwd file, then he or she can get root.

The only way to avoid this is by making the restrictions on CVSROOT (and all directories above it) as tight as on /etc, which is clearly not the case for egcs because I can checkout the CVSROOT directory (which demands the anonymous user to set locks in there).

I wrote a patch for cvs-1.9.29 (although 1.9.30 is out now) which reads a file /etc/cvs.passwd instead of CVSROOT/passwd.

The normal procedure for adding changes like this into cvs seems to be that people use it first, as a patch :). I am using it already myself on coder-com.undernet.org, and I advise "egcs" to use it too.

I did put it on the web. You can get it at http://www.xs4all.nl/~carlo17/cvs/ for now.

Thanks

--
Carlo Wood <carlo@runaway.xs4all.nl>

--- End forwarded message ---

--
\/ Jon Ribbens / jon@oaktree.co.uk
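
The condition stated in the message above (restrictions on CVSROOT and all directories above it as tight as on /etc) can be checked mechanically. The following is an added example, not part of the original post and not Carlo Wood's patch: it walks from a password file up to / and reports every component that is owned by an untrusted uid or is group- or world-writable. The function names, the trusted-uid default and the constructed demo tree are assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile

def audit_chain(path, trusted_uids=(0,)):
    """Return (component, problem) pairs for path and every directory above it."""
    findings = []
    current = os.path.realpath(path)      # follow symlinks: audit the real chain
    while True:
        try:
            st = os.stat(current)
        except OSError as exc:
            findings.append((current, "cannot stat (%s)" % exc.strerror))
        else:
            # Sticky directories (e.g. /tmp) stop non-owners replacing entries.
            sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if st.st_uid not in trusted_uids:
                findings.append((current, "owner uid %d not trusted" % st.st_uid))
            if st.st_mode & stat.S_IWGRP and not sticky:
                findings.append((current, "group-writable"))
            if st.st_mode & stat.S_IWOTH and not sticky:
                findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if parent == current:             # reached the filesystem root
            return findings
        current = parent

def demo():
    """Constructed tree: a CVSROOT left group-writable so pserver users can lock."""
    root = os.path.realpath(tempfile.mkdtemp())
    cvsroot = os.path.join(root, "repo", "CVSROOT")
    os.makedirs(cvsroot)
    os.chmod(os.path.join(root, "repo"), 0o755)
    os.chmod(cvsroot, 0o775)
    passwd = os.path.join(cvsroot, "passwd")
    open(passwd, "w").close()
    os.chmod(passwd, 0o644)
    trusted = (0, os.getuid())            # demo only: current user counts as trusted
    hits = audit_chain(passwd, trusted)
    return [(p[len(root):], why) for p, why in hits if p.startswith(root + os.sep)]

if __name__ == "__main__":
    targets = sys.argv[1:]                # e.g. the repository's CVSROOT/passwd
    for component, problem in (audit_chain(targets[0]) if targets else demo()):
        print("%s: %s" % (component, problem))
```

Run it against the repository's CVSROOT/passwd, or against /etc/cvs.passwd on a server using the patch; an empty result means no component of the chain can be modified by anyone but root.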