Date: 28 Jul 2000 14:58:08 -0700
From: Ian Lance Taylor <[EMAIL PROTECTED]>

Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT)
From: Pavel Roskin <[EMAIL PROTECTED]>

I hope that there is no immediate danger. Look at serve_update_prog() - it checks whether commits are allowed and exits if they are not. It prints a strange message though:

    E Flag -u in modules not allowed in readonly mode

So unless somebody finds other holes, there is no obvious way to exploit CVS/Update.prog without having write access.

But serve_update_prog appears to permit any command which does not modify the repository. And cvs update does not modify the repository.

Sorry, my error. I see what you mean.

Good to hear.

Ian