Steve McIntyre wrote:

>On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
>
>>CVS feature version 1.12.3 has been released.  Feature releases contain
>>new features as well as all the bug fixes from the stable release.  This
>>release fixes a security issue with no known exploits that could cause
>>previous versions of CVS to attempt to create files and directories in
>>the filesystem root.  This release also fixes several issues relevant to
>>case insensitive filesystems and some other bugs.  We recommend this
>>upgrade for all CVS clients and servers already running the feature
>>release and those users who like to stay on the cutting edge!
>
>
>Derek, are you sure the simple fix in modules.c to check for
>!isabsolute() will fix the hole here? What about people specifying
>../../../../../../<something> ? Probably the easiest fix for that is
>to modify isabsolute() to check for .. entries in the path
>specified.
>
>Thoughts?


If you can send me a reproducible case where CVS doesn't abort with an
error, I'll be happy to look into it, but I am pretty sure CVS has been
catching the indirection case for years.  Go ahead and try it.

Derek

- --
                *8^)

Email: [EMAIL PROTECTED]

Get CVS support at <http://ximbiot.com>!
- --
I will return the seeing-eye dog.
I will return the seeing-eye dog.
I will return the seeing-eye dog...

          - Bart Simpson on chalkboard, _The Simpsons_




_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
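
The question raised in the thread, shown as an added example (not CVS source code and not from either poster): an absolute-path test alone accepts a relative path that climbs with "..", so a validator also has to reject ".." components. All function names are hypothetical, is_absolute_path() is a POSIX-only stand-in for an isabsolute()-style check, and the sample paths are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an isabsolute()-style check (POSIX paths only). */
static bool is_absolute_path(const char *path)
{
    return path[0] == '/';
}

/* True if any '/'-separated component is exactly "..".
   Names such as "..hidden" or "a..b" are ordinary file names and pass. */
static bool has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");      /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += len;
        while (*p == '/')                   /* skip repeated separators */
            p++;
    }
    return false;
}

/* Accept only non-empty, relative paths with no ".." component. */
static bool module_path_is_safe(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return false;
    return !is_absolute_path(path) && !has_dotdot_component(path);
}

int main(void)
{
    /* Constructed sample inputs, not taken from a CVS modules file. */
    const char *samples[] = { "src/lib", "/etc", "../../../../tmp/x",
                              "src/../../x", "src/..hidden", "src/.." };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s absolute=%d dotdot=%d safe=%d\n", samples[i],
               is_absolute_path(samples[i]),
               has_dotdot_component(samples[i]),
               module_path_is_safe(samples[i]));
    return 0;
}
```

This check is purely lexical; it does not account for symbolic links that already exist under the target directory.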
