Package: cvs
Version: 2:1.12.13+real-21
Severity: grave

    zealot:d> umask 0002
    zealot:d> cvs -d `pwd` init
    zealot:d> ll CVSROOT/
    ...
    -rw-rw-rw- 1 ian ian 0 Mar 26 13:38 history
    ...
    -rw-rw-rw- 1 ian ian 0 Mar 26 13:38 val-tags
    ...
AFAICT from the text in cvs.txt.gz, a corrupted val-tags file can cause CVS to be oblivious to some tags and claim they do not exist. I don't know whether cvs's parser for val-tags is robust against malicious input. I haven't attempted a simulated attack.

AIUI the history file is used to record even read-only operations. I'm not sure what the worst consequences could be of a corrupted or malicious history file. Instead, it would be better to make the file writeable only by those with write access to the repository, and simply not record the read-only operations.

I have filed this bug with severity `serious' because it's a prima facie security bug and because I didn't find anything in the package or the bug system which provides a justification for why this is OK. (Note: what is needed is not an explanation of why this is necessary for CVS's current functionality. What is needed is an explanation of why these world-writeable control files cannot make cvs malfunction, if they are maliciously modified.)

If these permissions are indeed safe, then please take this as a request for a documentation improvement and downgrade the bug accordingly.

Thanks,
Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
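The following is an added example, not part of the bug report above and not code from the cvs package: a small POSIX sh audit that reports which files under a CVSROOT directory have the other-write bit set (the `-rw-rw-rw-` condition shown in the report) and a companion that clears that bit with `chmod o-w`, leaving group write for the repository group intact. The function names, the mode check via `ls -ld`, and the constructed sample CVSROOT built in a temporary directory are all assumptions made for illustration; the sample reproduces the modes from the listing above rather than running `cvs init`.

```shell
#!/bin/sh
# Added example (not from the bug report or the cvs package): audit a
# CVSROOT directory for world-writable control files and tighten them.
# Assumes POSIX sh, ls(1), chmod(1) and mktemp(1).

# Print, one per line, the names of regular files directly under $1 whose
# mode has the other-write bit set (9th character of `ls -l` output is 'w').
# Returns 0 when none were found, 1 when at least one was.
find_world_writable() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f")
        case "$mode" in
            ????????w*)                 # type + rwx rwx r[w]: other-write set
                printf '%s\n' "${f##*/}"
                found=1
                ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Clear the other-write bit on every file find_world_writable reports for $1.
# Group write (the repository group) is left untouched. Names are assumed
# to contain no whitespace, which holds for CVSROOT control files.
fix_world_writable() {
    dir=$1
    for name in $(find_world_writable "$dir"); do
        chmod o-w "$dir/$name"
    done
    return 0
}

# Constructed sample (hypothetical, not produced by cvs init): a CVSROOT
# with the modes from the report, plus one correctly-permissioned file.
# Prints the path of the sample CVSROOT directory.
make_sample_cvsroot() {
    d=$(mktemp -d)
    mkdir "$d/CVSROOT"
    : > "$d/CVSROOT/history";  chmod 0666 "$d/CVSROOT/history"
    : > "$d/CVSROOT/val-tags"; chmod 0666 "$d/CVSROOT/val-tags"
    : > "$d/CVSROOT/modules";  chmod 0664 "$d/CVSROOT/modules"
    printf '%s\n' "$d/CVSROOT"
}

# Demonstration on the constructed sample.
sample=$(make_sample_cvsroot)
echo "world-writable files in $sample:"
find_world_writable "$sample" || true
fix_world_writable "$sample"
echo "after chmod o-w:"
find_world_writable "$sample" && echo "(none)"
rm -rf "${sample%/CVSROOT}"
```

Running the script prints `history` and `val-tags` before the fix and `(none)` after it. Against a real repository, run `find_world_writable /path/to/CVSROOT` first and review the list before applying `fix_world_writable`, since any file it names is one that every local user could modify.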