CVS/Checkin.prog security hole status?
From: Dan Kegel
Subject: CVS/Checkin.prog security hole status?
Date: Mon, 06 Nov 2000 20:01:50 -0800

Have the security issues identified in
http://www.mail-archive.com/bug-cvs%40gnu.org/msg00384.html
been resolved yet?
They were: "CVS/Checkin.prog and CVS/Update.prog can be
replaced with an arbitrary binary, which will be blindly
executed on the server"
and "the client trusts paths sent from the server too much,
so a malicious server can overwrite arbitrary files on client".
I just checked the latest dev sources via anonymous CVS,
and the quick and dirty fix suggested by that post for the first issue
hasn't been applied. Has a more subtle fix been applied, or
is this still outstanding?
- Dan