Your message dated Sun, 18 May 2008 01:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#169967: fixed in cvs 1:1.12.13-11
has caused the Debian Bug report #169967,
regarding cvs: --allowroot on :ext: accepted but ignored
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
169967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169967
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: cvs
Version: 1.11.2-5
Severity: normal
Tags: security upstream patch

upstream issue.

--allow-root if used in a ~/.ssh/authorized_keys file as:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/cvs --allow-root=/cvs/other server" ssh-dss AAAA...1Rys= [EMAIL PROTECTED]

cvs accepts this option on the command line with no errors. This leads the admin to believe that it is in fact using the option. However the option is ignored by cvs and any CVSROOT is allowed on the server.

Patch enables checking of the option.

Other cvs security implications still apply of course.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux localhost 2.4.20-pre11 #4 Fri Oct 25 12:51:23 MDT 2002 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages cvs depends on:
ii  debconf  1.2.11     Debian configuration management sy
ii  libc6    2.3.1-3    GNU C Library: Shared libraries an
ii  zlib1g   1:1.1.4-6  compression library - runtime

-- debconf information:
  cvs/rotatekeep: 7
  cvs/badrepositories: create
  cvs/pserver_warning:
  cvs/rotatekeep_nondefault: no
  cvs/read_cvsconf: false
  cvs/rotate_individual: true
  cvs/pserver_repos_individual: yes
  cvs/pserver_setspawnlimit: yes
  cvs/rotatekeep_individual: 7
  cvs/pserver_repos: all
* cvs/pserver: false
  cvs/cvs_conf_is_dead:
* cvs/repositories:
  cvs/pserver_spawnlimit: 400
  cvs/rotatehistory: no

diff -Naur cvs-1.11.1p1.orig/src/cvs.h cvs-1.11.1p1/src/cvs.h
--- cvs-1.11.1p1.orig/src/cvs.h	Tue Apr 24 12:14:53 2001
+++ cvs-1.11.1p1/src/cvs.h	Wed Nov 20 22:15:40 2002
@@ -465,6 +465,7 @@ void Create_Root PROTO((char *dir, char *rootdir)); void root_allow_add PROTO ((char *)); void root_allow_free PROTO ((void)); +int root_allow_used PROTO ((void)); int root_allow_ok PROTO ((char *)); = char *gca PROTO((const char *rev1, const char *rev2)); diff -Naur cvs-1.11.1p1.orig/src/root.c cvs-1.11.1p1/src/root.c --- cvs-1.11.1p1.orig/src/root.c Thu Apr 19 13:45:33 2001 +++ cvs-1.11.1p1/src/root.c Wed Nov 20 22:09:25 2002 @@ -238,6 +238,12 @@ } = int +root_allow_used () +{ + return root_allow_count !=3D 0; +} + +int root_allow_ok (arg) char *arg; { diff -Naur cvs-1.11.1p1.orig/src/server.c cvs-1.11.1p1/src/server.c --- cvs-1.11.1p1.orig/src/server.c Wed Nov 20 22:00:49 2002 +++ cvs-1.11.1p1/src/server.c Wed Nov 20 22:12:54 2002 @@ -760,6 +760,13 @@ "E Protocol error: Duplicate Root request, for %s", arg); return; } + if (root_allow_used() && !root_allow_ok(arg)) + { + if (alloc_pending (80 + strlen (arg))) + sprintf (pending_error_text, + "E Bad root %s", arg); + return; + } = #ifdef AUTH_SERVER_SUPPORT if (Pserver_Repos !=3D NULL)
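Review bot: in the root.c hunk, root_allow_used() needs a one-line comment saying that it reports whether any --allow-root argument was supplied at all, because the server.c caller (`if (root_allow_used() && !root_allow_ok(arg))`) relies on exactly that distinction between "no list configured" and "list configured but this path is not in it"; without the comment the next reader may fold the two calls into one and silently change the default. The prototype added to cvs.h would be easier to keep in sync if it sat in the same comment block as root_allow_add and root_allow_free so the three are documented as a set.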
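Review bot: in the server.c hunk, the new block is skipped entirely when no --allow-root was given (root_allow_used() false), so an authorized_keys forced command that omits the option still accepts any Root the client names; that fail-open default is defensible for compatibility with existing rsh/ssh setups, but nothing in the patch states it, and it belongs in the --allow-root documentation together with the exact matching rule, since `arg` is checked here as the client sent it and this hunk does not show whether a trailing slash or a symlinked path counts as a match. A smaller point: "E Bad root %s" echoes the client-supplied path back, which is acceptable for a forced-command setup, and the `80 + strlen (arg)` allocation leaves ample room for that text.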
--- End Message ---
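A quick way to find out whether a given cvs binary behaves as the report describes, as an added example that is not part of the bug report or of the cvs package: drive `cvs server` over its own client/server protocol with the same restriction the authorized_keys forced command above would impose, and ask for a repository outside the list. Assumptions not stated on the page: the binary is found as `${CVS:-cvs}` and accepts `--allow-root` before the `server` keyword as in the report; a rejected Root is answered with the "E Bad root" text the patch introduces, while an accepted one leads either to a "Valid-requests" line or, when the directory does not exist, to an "E Cannot access .../CVSROOT" error. The paths `/cvs/other` and `/cvs/not-allowed` are constructed for the example and need not exist.

```sh
#!/bin/sh
# Added example (not from the bug report or the cvs package): probe a
# `cvs server` binary to see whether a Root request outside the --allow-root
# list is refused, which is what an :ext: session behind the authorized_keys
# forced command would hit.
#
# Assumptions: the binary is ${CVS:-cvs}; a refused Root yields
# "E Bad root <path>" (text from the patch); an accepted Root yields either
# "Valid-requests ..." or "E Cannot access <path>/CVSROOT" when the
# directory is missing. Paths used below are constructed and need not exist.

# Reduce a server transcript (stdin) to one word: rejected / accepted / unknown.
# "E Bad root" is tested first so that a refusal wins over anything else
# the server may have printed before or after it.
classify_response() {
    resp=$(cat)
    case "$resp" in
        *"E Bad root "*)      echo rejected ;;
        *"Valid-requests"*)   echo accepted ;;
        *"E Cannot access "*) echo accepted ;;   # got past the root filter
        *)                    echo unknown ;;
    esac
}

# probe_allow_root ALLOWED REQUESTED: start the server restricted to ALLOWED,
# send a Root request for REQUESTED followed by valid-requests, and classify
# the answer. stderr is merged so a usage error is not mistaken for silence.
probe_allow_root() {
    printf 'Root %s\nvalid-requests\n' "$2" \
        | "${CVS:-cvs}" --allow-root="$1" server 2>&1 \
        | classify_response
}

# Verdict for the installed binary: a server that honours --allow-root must
# refuse a root it was not told about. Returns 0 only when enforced.
check_allow_root_enforced() {
    verdict=$(probe_allow_root /cvs/other /cvs/not-allowed)
    case "$verdict" in
        rejected) echo "ok: --allow-root is enforced in server mode"; return 0 ;;
        accepted) echo "FAIL: --allow-root ignored, any CVSROOT is accepted (#169967)"; return 1 ;;
        *)        echo "unknown: server produced neither verdict"; return 2 ;;
    esac
}

# Only talk to a real cvs when one is installed; the classifier above can be
# exercised on captured transcripts without it.
if command -v "${CVS:-cvs}" >/dev/null 2>&1; then
    check_allow_root_enforced
fi
```

Run it as the account whose authorized_keys carries the forced command, or point `CVS` at the binary named in that command; a "FAIL" verdict means the `--allow-root` in the forced command is decorative and the key holder can name any repository on the host.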
--- Begin Message ---
Source: cvs
Source-Version: 1:1.12.13-11

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive:

cvs_1.12.13-11.diff.gz
  to pool/main/c/cvs/cvs_1.12.13-11.diff.gz
cvs_1.12.13-11.dsc
  to pool/main/c/cvs/cvs_1.12.13-11.dsc
cvs_1.12.13-11_i386.deb
  to pool/main/c/cvs/cvs_1.12.13-11_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <[EMAIL PROTECTED]> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 27 Jan 2008 19:08:02 +0000
Source: cvs
Binary: cvs
Architecture: source i386
Version: 1:1.12.13-11
Distribution: unstable
Urgency: low
Maintainer: Steve McIntyre <[EMAIL PROTECTED]>
Changed-By: Steve McIntyre <[EMAIL PROTECTED]>
Description:
 cvs        - Concurrent Versions System
Closes: 169967
Changes:
 cvs (1:1.12.13-11) unstable; urgency=low
 .
   * Be more aggressive about checking --allow-root; can now be used for
     limiting allowed CVSROOTs using rsh/ssh as well. Closes: #169967,
     thanks to Tim Riker for the original patch.
Checksums-Sha1:
 a8f60611d412ec360730b9131f81edc06add6105 1124 cvs_1.12.13-11.dsc
 2937406899b16dfd183d6a416af10a14bd2751de 104593 cvs_1.12.13-11.diff.gz
 c5216c8cbffc4b032cf43c4d858a66b137c4eaa9 1681242 cvs_1.12.13-11_i386.deb
Checksums-Sha256:
 683a2b3a9e1718982c5d385727141b4bb50c6144cdc677e19a2adc8629ad53ef 1124 cvs_1.12.13-11.dsc
 0644f8597e0fcb023c88a25be0a2aaef6eae912730cf34f6f0ea471df8ac7dc8 104593 cvs_1.12.13-11.diff.gz
 5c52115e1ed017403d16c5d2f24c973f8bb2069c06a54b81409d1cad58a49922 1681242 cvs_1.12.13-11_i386.deb
Files:
 239e4bc4df796af0c9f786a2b2d0a6d6 1124 devel optional cvs_1.12.13-11.dsc
 ecd43903a2b018b967592d628ffa3f27 104593 devel optional cvs_1.12.13-11.diff.gz
 5f934b229d76af3db72331e05f6a4bc1 1681242 devel optional cvs_1.12.13-11_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIL4n9fDt5cIjHwfcRAl2TAJ4/EAe0vYipkiyRY7EpyiByu6R20gCfY251
Ydt8aXBG7aEKYxF46cYRIvg=
=b+q/
-----END PGP SIGNATURE-----
--- End Message ---

