Steve McIntyre wrote:

> On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
>
> > CVS feature version 1.12.3 has been released. Feature releases contain
> > new features as well as all the bug fixes from the stable release. This
> > release fixes a security issue with no known exploits that could cause
> > previous versions of CVS to attempt to create files and directories in
> > the filesystem root. This release also fixes several issues relevant to
> > case insensitive filesystems and some other bugs. We recommend this
> > upgrade for all CVS clients and servers already running the feature
> > release and those users who like to stay on the cutting edge!
>
> Derek, are you sure the simple fix in modules.c to check for
> !isabsolute() will fix the hole here? What about people specifying
> ../../../../../../<something> ? Probably the easiest fix for that is
> to modify isabsolute() to check for .. entries in the path
> specified.
>
> Thoughts?

If you can send me a reproducible case where CVS doesn't abort with an
error, I'll be happy to look into it, but I am pretty sure CVS has been
catching the indirection case for years. Go ahead and try it.

Derek

--
*8^) Email: [EMAIL PROTECTED]
Get CVS support at <http://ximbiot.com>!
--
I will return the seeing-eye dog. I will return the seeing-eye dog. I will
return the seeing-eye dog...
- Bart Simpson on chalkboard, _The Simpsons_

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
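The two checks the thread discusses, rejecting an absolute module path and rejecting any `..` component, shown together as an added example. This is a hypothetical helper written for illustration, not CVS's own isabsolute() or any code from modules.c; it treats only "/" as a separator and the sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not CVS's isabsolute()).
 * Returns 1 if PATH is relative and contains no ".." component,
 * 0 if it is absolute, empty, or could climb out of the repository. */
int module_path_is_safe(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;                 /* nothing sensible to check out */
    if (*path == '/')
        return 0;                 /* absolute path: what !isabsolute() catches */

    /* Walk each "/"-separated component and reject exactly "..".
     * Names such as "..foo" or "foo.." are ordinary and stay allowed. */
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;             /* ".." would escape the repository root */

        if (end == NULL)
            break;
        p = end + 1;              /* skip separator; "a//b" is harmless */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real repository. */
    const char *samples[] = { "foo/bar", "/etc/passwd", "../../../../escape",
                              "foo/../bar", "foo/..bar", "..", "foo..", "./foo" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               module_path_is_safe(samples[i]) ? "ok" : "rejected");
    return 0;
}
```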