OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 14-Apr-2004 19:46:50
Branch: OPENPKG_2_0_SOLID Handle: 2004041418465000
Modified files: (Branch: OPENPKG_2_0_SOLID)
openpkg-src/cvs cvs.patch cvs.spec
Log:
fix security bugs (OpenPKG-SA-2004.013-cvs, CAN-2004-0180)
Summary:
Revision Changes Path
1.4.2.1 +47 -0 openpkg-src/cvs/cvs.patch
1.82.2.2 +1 -1 openpkg-src/cvs/cvs.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/cvs/cvs.patch
============================================================================
$ cvs diff -u -r1.4 -r1.4.2.1 cvs.patch
--- openpkg-src/cvs/cvs.patch 30 Jun 2003 08:40:35 -0000 1.4
+++ openpkg-src/cvs/cvs.patch 14 Apr 2004 17:46:50 -0000 1.4.2.1
@@ -23,3 +23,50 @@
#ifdef SYSTEM_INITIALIZE
/* Hook for OS-specific behavior, for example socket subsystems on
+
+=============================================================================
+
+Security Bugfixes
+(OpenPKG-SA-2004.013-cvs, CAN-2004-0180)
+
+Index: src/client.c
+--- src/client.c.orig 2003-11-25 21:51:59.000000000 +0100
++++ src/client.c 2004-04-14 19:22:49.000000000 +0200
+@@ -602,6 +602,19 @@
+ char *rdirp;
+ int reposdirname_absolute;
+
++ /* For security reasons, if PATHNAME is absolute or attemps to ascend
++ * outside of the current sanbbox, we abort. The server should not send us
++ * anything but relative paths which remain inside the sandbox here.
++ * Anything less means a trojan CVS server could create and edit arbitrary
++ * files on the client.
++ */
++ if (isabsolute (pathname) || pathname_levels (pathname) > 0)
++ {
++ error (0, 0,
++ "Server attempted to update a file via an invalid pathname:");
++ error (1, 0, "`%s'.", pathname);
++ }
++
+ reposname = NULL;
+ read_line (&reposname);
+ assert (reposname != NULL);
+Index: src/modules.c
+--- src/modules.c.orig 2003-11-25 17:11:48.000000000 +0100
++++ src/modules.c 2004-04-14 19:22:53.000000000 +0200
+@@ -142,6 +142,14 @@
+ if (isabsolute (mname))
+ error (1, 0, "Absolute module reference invalid: `%s'", mname);
+
++ /* Similarly for directories that attempt to step above the root of the
++ * repository.
++ */
++ if (pathname_levels (mname) > 0)
++ error (1, 0, "up-level in module reference (`..') invalid: `%s'.",
++ mname);
++
++
+ /* if this is a directory to ignore, add it to that list */
+ if (mname[0] == '!' && mname[1] != '\0')
+ {
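Review bot: The rationale comment added to src/client.c misspells "attemps" and "sanbbox"; since it documents why server-supplied paths are rejected, it should read `/* For security reasons, if PATHNAME is absolute or attempts to ascend outside of the current sandbox, we abort. ... */` (rest unchanged). The new check runs before `read_line (&reposname)`, and whether the repository name the server sends on that line is subject to the same absolute/up-level validation is not visible in this hunk and is worth confirming. In the src/modules.c part, the two consecutive added blank lines before the "directory to ignore" comment leave a double blank line in the patched file; one of them should go. Both nested hunks fall inside functions whose start and end lie outside the hunk.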
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/cvs/cvs.spec
============================================================================
$ cvs diff -u -r1.82.2.1 -r1.82.2.2 cvs.spec
--- openpkg-src/cvs/cvs.spec 18 Feb 2004 14:48:41 -0000 1.82.2.1
+++ openpkg-src/cvs/cvs.spec 14 Apr 2004 17:46:50 -0000 1.82.2.2
@@ -38,7 +38,7 @@
Group: SCM
License: GPL
Version: %{V_cvs}
-Release: 2.0.0
+Release: 2.0.1
# package options
%option with_fsl yes
@@ .