Debian Bug report logs - #119402
cvs pserver allows "init" in any dir; even if user is in "readers" file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Teddy Hogeborn <teddy@bilbo.fukt.bth.se>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: cvs pserver allows "init" in any dir; even if user is in "readers" file

Date: Tue, 13 Nov 2001 07:49:46 +0100

Package: cvs
Version: 1.10.7-7
Severity: grave

From the manual:

----
   Unlike with previous versions of CVS, read-only users should be able
merely to read the repository, and not to execute programs on the
server or otherwise gain unexpected levels of access.  Or to be more
accurate, the _known_ holes have been plugged.  Because this feature is
new and has not received a comprehensive security audit, you should use
whatever level of caution seems warranted given your attitude concerning
security.
----

It seems that the cvs "init" command is not restricted.  You have to
use the raw protocol to exploit it, however; like this:

(This is assuming ":pserver:jrandom@cvsserver:/var/lib/cvs/root" is a
valid read-only user with password "foo".)

----
$ tcpconnect cvsserver cvspserver
BEGIN AUTH REQUEST
/var/lib/cvs/root
jrandom
AE00
END AUTH REQUEST
I LOVE YOU
init /tmp/foo
ok
----

This will create a new repository directory in /tmp/foo, provided that
the user that cvs runs as (either "jrandom" or the third field in the
CVSROOT/oasswd file) has write access there.  But it does not matter
if "jrandom" is in the "readers" or the "writers" file or not.

That is rather bad.  It does not even matter if
"--allow-root=/var/lib/cvs/root" is given to cvs in /etc/inetd.conf or
not.

This bug also seems to be present in cvs 1.11.1p1 (which is the latest
in both "testing" and "unstable").

/Teddy

-- System Information
Debian Release: 2.2
Architecture: i386
Kernel: Linux bilbo 2.2.19 #1 Wed Jun 13 05:57:42 MEST 2001 i686

Versions of packages cvs depends on:
ii  debconf                       0.2.80.17  Debian configuration management sy
ii  libc6                         2.1.3-19   GNU C Library: Shared libraries an
ii  zlib1g [libz1]                1:1.1.3-5  compression library - runtime     

-- Configuration Files:

Message #10 received at 119402@bugs.debian.org (full text, mbox, reply):

From: Gordon Matzigkeit <gord@fig.org>

To: 119402@bugs.debian.org

Subject: better safe than sorry

Date: 19 Nov 2001 10:14:04 -0600

Hi,

Until this bug can be analyzed upstream, I suggest that remote access
to the init function be disabled.  The appended patch does this.

Thanks,

-- 
 Gordon Matzigkeit <gord@fig.org>  //\ I'm a FIG (http://fig.org/)
Committed to freedom and diversity \// I use GNU (http://fig.org/gnu/)

--- cvs-1.11.1p1/src/server.c.orig      Mon Nov 19 10:07:08 2001
+++ cvs-1.11.1p1/src/server.c   Mon Nov 19 10:10:48 2001
@@ -4796,7 +4796,10 @@
   REQ_LINE("watch-remove", serve_watch_remove, 0),
   REQ_LINE("watchers", serve_watchers, 0),
   REQ_LINE("editors", serve_editors, 0),
+/* Disable init until it can't be used outside of the repository. */
+#if 0
   REQ_LINE("init", serve_init, RQ_ROOTLESS),
+#endif
   REQ_LINE("annotate", serve_annotate, 0),
   REQ_LINE("rannotate", serve_rannotate, 0),
   REQ_LINE("noop", serve_noop, RQ_ROOTLESS),

Message #15 received at 119402@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>

To: 119402@bugs.debian.org

Subject: Update

Date: Mon, 19 Nov 2001 15:20:16 -0500

This patch looks reasonable.  Will you be able to do an upload soon?  This
bug must be fixed within the next 7 days in order to meet the woody freeze
deadline.  I am able to NMU if necessary.

-- 
 - mdz

Message #20 received at 119402@bugs.debian.org (full text, mbox, reply):

From: "Eric Gillespie, Jr." <epg@pretzelnet.org>

To: control@bugs.debian.org

Cc: 119402@bugs.debian.org

Subject: [Debian Installer <installer@ftp-master.debian.org>] cvs_1.11.1p1-2_i386.changes INSTALLED

Date: Mon, 19 Nov 2001 16:42:14 -0500

severity 119402 normal
thanks

Format: 1.7
Date: Mon, 19 Nov 2001 17:57:00 +0000
Source: cvs
Binary: cvs
Architecture: source i386
Version: 1.11.1p1-2
Distribution: unstable
Urgency: low
Maintainer: Eric Gillespie, Jr. <epg@debian.org>
Changed-By: Eric Gillespie, Jr. <epg@debian.org>
Description: 
 cvs        - Concurrent Versions System
Closes: 105479 119943
Changes: 
 cvs (1.11.1p1-2) unstable; urgency=low
 .
   * Disable init over pserver.  Temporarily address #119402.
   * Provide cvs-doc. (Closes: #105479)
   * List previous maintainer in debian/copyright. (Closes: #119943)
Files: 
 915f1c1fbaf2b6a7f8144fbda7e77fb4 949 devel optional cvs_1.11.1p1-2.dsc
 3fb2b52c03f9aacec389f096dade3eab 54862 devel optional cvs_1.11.1p1-2.diff.gz
 467bd748c16ae72ecad37daca0d1a94f 1210166 devel optional cvs_1.11.1p1-2_i386.deb

From: Debian Installer <installer@ftp-master.debian.org>
To: epg@debian.org (Eric Gillespie, Jr.)
X-Katie: $Revision: 1.65 $
Subject: cvs_1.11.1p1-2_i386.changes INSTALLED
Message-Id: <E165uYg-0003dz-00@auric.debian.org>
Sender: James Troup <troup@auric.debian.org>
Date: Mon, 19 Nov 2001 14:58:22 -0500
Delivered-To: epg@debian.org


Installing:
cvs_1.11.1p1-2.diff.gz
  to pool/main/c/cvs/cvs_1.11.1p1-2.diff.gz
cvs_1.11.1p1-2.dsc
  to pool/main/c/cvs/cvs_1.11.1p1-2.dsc
cvs_1.11.1p1-2_i386.deb
  to pool/main/c/cvs/cvs_1.11.1p1-2_i386.deb
Announcing to debian-devel-changes@lists.debian.org
Closing bugs: 105479 119943 


Thank you for your contribution to Debian.

Message #27 received at 119402@bugs.debian.org (full text, mbox, reply):

From: Teddy Hogeborn <teddy@fukt.bth.se>

To: 119402@bugs.debian.org

Subject: Seems like this was fixed in upstream 1.11.2

Date: 19 Sep 2003 03:21:58 +0200

By reading the source code (src/server.c) it seems like this bug was
fixed upstream in 1.11.2, and the fix still seems to be present in
cvs_1.12.1 (currently in testing).  Someone needs to confirm this.

(If this is confirmed, one Debian-specific patch file could be
eliminated ("87_disable_init_cvs_server").  Also, this bug could be
closed.)

By the way, was this ever reported upstream?  Should I have reported
it upstream myself?

/Teddy

Message #34 received at 119402-quiet@bugs.debian.org (full text, mbox, reply):

From: Lior Kaplan <kaplan@debian.org>

To: 119402-submitter@bugs.debian.org

Cc: 119402-quiet@bugs.debian.org

Subject: Debian CVS bug triage - bug #119402

Date: Fri, 05 Oct 2007 13:20:27 +0200

Dear CVS user,

Thanks for your interest in CVS and the bug report you have contributed [1].

Debian's cvs package has ~120 old bugs, most of them are couple of years old.

As part of a bug triage I'm doing for several packages, I would like your help
with verifying your bug is still relevant or getting your approval for closing 
it.

The current cvs version in Debian is 1.12.13-8 (shared by stable, testing and 
unstable).

Feel free to contact me for questions or if you need help.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=119402

Thanks.

--
Lior Kaplan
kaplan@debian.org

Message #42 received at 119402-quiet@bugs.debian.org (full text, mbox, reply):

From: Teddy Hogeborn <teddy@fukt.bsnet.se>

To: Lior Kaplan <kaplan@debian.org>

Cc: 119402-quiet@bugs.debian.org

Subject: Re: Bug#119402: Debian CVS bug triage - bug #119402

Date: Fri, 05 Oct 2007 18:45:55 +0200

Lior Kaplan <kaplan@debian.org> writes:

> I would like your help with verifying your bug is still relevant or
> getting your approval for closing it.

As I wrote six years ago in <87k7853749.fsf@tower.fukt.bth.se>,
comment #27 above, this bug can now be closed.  Especially since the
Debian-specific patch ("87_disable_init_cvs_server") seems to have
been removed from the package.

/Teddy

Message #47 received at 119402-done@bugs.debian.org (full text, mbox, reply):

From: Lior Kaplan <kaplan@debian.org>

To: 119402-done@bugs.debian.org

Subject: Re: Bug#119402: Debian CVS bug triage - bug #119402

Date: Sat, 06 Oct 2007 04:04:11 +0200

Version: 1:1.12.2-1

Teddy Hogeborn wrote:
> Lior Kaplan <kaplan@debian.org> writes:
> 
>> I would like your help with verifying your bug is still relevant or
>> getting your approval for closing it.
> 
> As I wrote six years ago in <87k7853749.fsf@tower.fukt.bth.se>,
> comment #27 above, this bug can now be closed.  Especially since the
> Debian-specific patch ("87_disable_init_cvs_server") seems to have
> been removed from the package.

Closing. The right part from the changelog:
> + 87_disable_init_cvs_server (upstream fixed a different way)

-- 
Lior Kaplan
kaplan@debian.org

GPG fingerprint:
C644 D0B3 92F4 8FE4 4662  B541 1558 9445 99E8 1DA0

Send a report that this bug log contains spam.