In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Larry Jones) writes:

> Update.prog just contains the name of the program to run, not the actual
> code. If you can't commit, you can't upload arbitrary code to run, you
> can only run pre-existing code on the server, and you have no control
> over its input or arguments, so it's a very low-level threat.

A read-only user can create arbitrary code under /tmp/cvs-serv<PID> using the Modified request. Update.prog cannot be used to execute it since Update.prog is disabled for read-only users, though.

Actually, the code can be created anywhere under /tmp by the pathname_levels bug. (And anywhere under / if / is writable.)

Usually, a read-only user uses the Modified request properly for `cvs diff'.

-- 
Tanaka Akira
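
An added example, not part of the original message and not CVS's own code: a lexical check a server could apply to a client-supplied file name before writing it under its per-connection directory (such as /tmp/cvs-serv<PID>). The function name is hypothetical, and it assumes that names escape the directory through absolute paths or `..` components, which the message does not spell out.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not from CVS). Returns 1 if the client-supplied
 * relative path `rel` names something strictly inside the directory it
 * will be resolved against, 0 otherwise. The check is purely lexical:
 * it never touches the filesystem, so symlinks inside the directory
 * still need separate handling when the file is opened. */
int path_stays_inside(const char *rel)
{
    int depth = 0;              /* components below the base directory */
    const char *p = rel;

    if (rel == NULL || *rel == '\0' || *rel == '/')
        return 0;               /* empty or absolute name: reject */

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;       /* climbed above the base directory */
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;            /* ordinary component ("." is skipped) */
        }

        p += len;
        while (*p == '/')
            p++;                /* skip one or more separators */
    }

    /* depth == 0 means the name resolves to the base directory itself,
     * which is not a file the client should be able to overwrite. */
    return depth > 0;
}
```

A server would call this on every path taken from the client and refuse the request on a 0 result, before any file is created.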