Your message dated Sat, 06 Oct 2007 04:04:11 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#119402: Debian CVS bug triage - bug #119402
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: cvs
Version: 1.10.7-7
Severity: grave

From the manual:

----
   Unlike with previous versions of CVS, read-only users should be able
merely to read the repository, and not to execute programs on the
server or otherwise gain unexpected levels of access.  Or to be more
accurate, the _known_ holes have been plugged.  Because this feature is
new and has not received a comprehensive security audit, you should use
whatever level of caution seems warranted given your attitude concerning
security.
----

It seems that the cvs "init" command is not restricted.  You have to
use the raw protocol to exploit it, however; like this:

(This is assuming ":pserver:[EMAIL PROTECTED]:/var/lib/cvs/root" is a
valid read-only user with password "foo".)

----
$ tcpconnect cvsserver cvspserver
BEGIN AUTH REQUEST
/var/lib/cvs/root
jrandom
AE00
END AUTH REQUEST
I LOVE YOU
init /tmp/foo
ok
----

This will create a new repository directory in /tmp/foo, provided that
the user that cvs runs as (either "jrandom" or the third field in the
CVSROOT/passwd file) has write access there.  But it does not matter
if "jrandom" is in the "readers" or the "writers" file or not.

That is rather bad.  It does not even matter if
"--allow-root=/var/lib/cvs/root" is given to cvs in /etc/inetd.conf or
not.

This bug also seems to be present in cvs 1.11.1p1 (which is the latest
in both "testing" and "unstable").

/Teddy

-- System Information
Debian Release: 2.2
Architecture: i386
Kernel: Linux bilbo 2.2.19 #1 Wed Jun 13 05:57:42 MEST 2001 i686

Versions of packages cvs depends on:
ii  debconf                       0.2.80.17  Debian configuration management sy
ii  libc6                         2.1.3-19   GNU C Library: Shared libraries an
ii  zlib1g [libz1]                1:1.1.3-5  compression library - runtime     

-- Configuration Files:



--- End Message ---
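
A detection-side sketch for the behaviour reported above, added here as an example and not part of the original bug report or of CVS itself: it scans captured pserver session text for `init` requests and marks those whose target lies outside the configured repository roots. The function names, the finding fields and the comparison against a list of allowed roots are assumptions of this example.

```python
import posixpath

def _inside(path, roots):
    """True if normalized `path` equals or lies under one of `roots`."""
    p = posixpath.normpath(path)
    return any(p == r or p.startswith(r.rstrip("/") + "/")
               for r in map(posixpath.normpath, roots))

def find_init_requests(stream, allowed_roots):
    """Return one finding per `init` request in a pserver text stream.

    Server replies interleaved in the text ("I LOVE YOU", "ok") are ignored.
    """
    findings, auth, state = [], [], "idle"
    root = user = None
    for line in stream.splitlines():
        if line == "BEGIN AUTH REQUEST":
            state, auth = "auth", []
        elif state == "auth" and line == "END AUTH REQUEST":
            # A well-formed block is exactly: root, user, scrambled password.
            if len(auth) == 3:
                root, user, state = auth[0], auth[1], "session"
            else:
                state = "idle"
        elif state == "auth":
            auth.append(line)
        elif state == "session" and line.startswith("init "):
            target = line[len("init "):].strip()
            findings.append({
                "user": user,
                "auth_root": root,
                "init_path": target,
                "outside_allowed_roots": not _inside(target, allowed_roots),
            })
    return findings

# Session text as given in the report above (server replies included).
REPORT_SESSION = ("BEGIN AUTH REQUEST\n/var/lib/cvs/root\njrandom\nAE00\n"
                  "END AUTH REQUEST\nI LOVE YOU\ninit /tmp/foo\nok\n")
# Constructed session for contrast: same login, no `init` request.
ROUTINE_SESSION = ("BEGIN AUTH REQUEST\n/var/lib/cvs/root\njrandom\nAE00\n"
                   "END AUTH REQUEST\nI LOVE YOU\nRoot /var/lib/cvs/root\nnoop\nok\n")

if __name__ == "__main__":
    for finding in find_init_requests(REPORT_SESSION, ["/var/lib/cvs/root"]):
        print(finding)
```

Any `init` arriving over pserver is worth reviewing on its own; the `outside_allowed_roots` flag separates the case the report describes, where the target directory has nothing to do with the root the user authenticated against.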
--- Begin Message ---
Version: 1:1.12.2-1

Teddy Hogeborn wrote:
> Lior Kaplan <[EMAIL PROTECTED]> writes:
> 
>> I would like your help with verifying your bug is still relevant or
>> getting your approval for closing it.
> 
> As I wrote six years ago in <[EMAIL PROTECTED]>,
> comment #27 above, this bug can now be closed.  Especially since the
> Debian-specific patch ("87_disable_init_cvs_server") seems to have
> been removed from the package.

Closing. The right part from the changelog:
> + 87_disable_init_cvs_server (upstream fixed a different way)

-- 
Lior Kaplan
[EMAIL PROTECTED]

GPG fingerprint:
C644 D0B3 92F4 8FE4 4662  B541 1558 9445 99E8 1DA0


--- End Message ---
