Debian Bug report logs - #119402
cvs pserver allows "init" in any dir; even if user is in "readers" file

Package: cvs; Maintainer for cvs is Thorsten Glaser <tg@mirbsd.de>; Source for cvs is src:cvs.

Reported by: Teddy Hogeborn <teddy@recompile.se>

Date: Tue, 13 Nov 2001 07:03:02 UTC

Severity: normal

Found in version 1.10.7-7

Fixed in version 1:1.12.2-1

Done: Lior Kaplan <kaplan@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, epg@debian.org (Eric Gillespie, Jr.):
Bug#119402; Package cvs.


Acknowledgement sent to Teddy Hogeborn <teddy@bilbo.fukt.bth.se>:
New Bug report received and forwarded. Copy sent to epg@debian.org (Eric Gillespie, Jr.).


Message #5 received at submit@bugs.debian.org:

From: Teddy Hogeborn <teddy@bilbo.fukt.bth.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cvs pserver allows "init" in any dir; even if user is in "readers" file
Date: Tue, 13 Nov 2001 07:49:46 +0100

Package: cvs
Version: 1.10.7-7
Severity: grave

From the manual:

----
   Unlike with previous versions of CVS, read-only users should be able
merely to read the repository, and not to execute programs on the
server or otherwise gain unexpected levels of access.  Or to be more
accurate, the _known_ holes have been plugged.  Because this feature is
new and has not received a comprehensive security audit, you should use
whatever level of caution seems warranted given your attitude concerning
security.
----

It seems that the cvs "init" command is not restricted.  You have to
use the raw protocol to exploit it, however; like this:

(This is assuming ":pserver:jrandom@cvsserver:/var/lib/cvs/root" is a
valid read-only user with password "foo".)

----
$ tcpconnect cvsserver cvspserver
BEGIN AUTH REQUEST
/var/lib/cvs/root
jrandom
AE00
END AUTH REQUEST
I LOVE YOU
init /tmp/foo
ok
----

This will create a new repository directory in /tmp/foo, provided that
the user that cvs runs as (either "jrandom" or the third field in the
CVSROOT/passwd file) has write access there.  But it does not matter
if "jrandom" is in the "readers" or the "writers" file or not.

That is rather bad.  It does not even matter if
"--allow-root=/var/lib/cvs/root" is given to cvs in /etc/inetd.conf or
not.

This bug also seems to be present in cvs 1.11.1p1 (which is the latest
in both "testing" and "unstable").

/Teddy

-- System Information
Debian Release: 2.2
Architecture: i386
Kernel: Linux bilbo 2.2.19 #1 Wed Jun 13 05:57:42 MEST 2001 i686

Versions of packages cvs depends on:
ii  debconf                       0.2.80.17  Debian configuration management sy
ii  libc6                         2.1.3-19   GNU C Library: Shared libraries an
ii  zlib1g [libz1]                1:1.1.3-5  compression library - runtime     

-- Configuration Files:
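
Added example (not part of the original report and not CVS or Debian code): a small Python audit of a captured client-to-server pserver stream that flags the condition described in message #5, an "init" request sent by a user listed in "readers" or aimed at a directory outside those given via --allow-root. The function name, the "alice" session and the assumption that the capture holds client lines only are constructed for illustration.

```python
# Added example: audit a captured pserver client stream for "init" requests.
import posixpath

# Client-to-server lines from the report above (server replies omitted).
REPORTED_SESSION = [
    "BEGIN AUTH REQUEST", "/var/lib/cvs/root", "jrandom", "AE00",
    "END AUTH REQUEST", "init /tmp/foo",
]
# Constructed sample: hypothetical writer "alice" staying inside the root.
BENIGN_SESSION = [
    "BEGIN AUTH REQUEST", "/var/lib/cvs/root", "alice", "AE00",
    "END AUTH REQUEST", "Root /var/lib/cvs/root", "noop",
    "init /var/lib/cvs/root/",
]

def audit_pserver_session(lines, allowed_roots, readers):
    """Return findings for one client stream (lines without newlines).

    allowed_roots: directories passed to the server via --allow-root.
    readers: user names listed in CVSROOT/readers.
    """
    it = iter(lines)
    if next(it, None) != "BEGIN AUTH REQUEST":
        return ["stream does not start with a pserver auth request"]
    root, user, _scrambled = next(it, ""), next(it, ""), next(it, "")
    if next(it, None) != "END AUTH REQUEST":
        return ["malformed auth block"]
    allowed = {posixpath.normpath(r) for r in allowed_roots}
    findings = []
    for line in it:
        request, _, arg = line.partition(" ")
        if request != "init":
            continue
        # normpath collapses "..", "//" and trailing "/" before comparing.
        target = posixpath.normpath(arg)
        if user in readers:
            findings.append(f"read-only user {user!r} sent init {arg!r}")
        if target not in allowed:
            findings.append(f"init target {arg!r} is outside the allowed roots")
        elif target != posixpath.normpath(root):
            findings.append(f"init target {arg!r} is not the authenticated root")
    return findings

if __name__ == "__main__":
    for finding in audit_pserver_session(
            REPORTED_SESSION, ["/var/lib/cvs/root"], {"jrandom"}):
        print(finding)
```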




Information forwarded to debian-bugs-dist@lists.debian.org, epg@debian.org (Eric Gillespie, Jr.):
Bug#119402; Package cvs.


Acknowledgement sent to Gordon Matzigkeit <gord@fig.org>:
Extra info received and forwarded to list. Copy sent to epg@debian.org (Eric Gillespie, Jr.).


Message #10 received at 119402@bugs.debian.org:

From: Gordon Matzigkeit <gord@fig.org>
To: 119402@bugs.debian.org
Subject: better safe than sorry
Date: 19 Nov 2001 10:14:04 -0600

Hi,

Until this bug can be analyzed upstream, I suggest that remote access
to the init function be disabled.  The appended patch does this.

Thanks,

-- 
 Gordon Matzigkeit <gord@fig.org>  //\ I'm a FIG (http://fig.org/)
Committed to freedom and diversity \// I use GNU (http://fig.org/gnu/)

--- cvs-1.11.1p1/src/server.c.orig      Mon Nov 19 10:07:08 2001
+++ cvs-1.11.1p1/src/server.c   Mon Nov 19 10:10:48 2001
@@ -4796,7 +4796,10 @@
   REQ_LINE("watch-remove", serve_watch_remove, 0),
   REQ_LINE("watchers", serve_watchers, 0),
   REQ_LINE("editors", serve_editors, 0),
+/* Disable init until it can't be used outside of the repository. */
+#if 0
   REQ_LINE("init", serve_init, RQ_ROOTLESS),
+#endif
   REQ_LINE("annotate", serve_annotate, 0),
   REQ_LINE("rannotate", serve_rannotate, 0),
   REQ_LINE("noop", serve_noop, RQ_ROOTLESS),
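
Review bot: the "#if 0" around the REQ_LINE("init", serve_init, RQ_ROOTLESS) entry removes the request from the table for every remote user, including those entitled to write, so it is a stop-gap; the comment should say so and cite Bug#119402, so that whoever later drops this Debian-specific change can find the reason. The comment's own condition ("until it can't be used outside of the repository") points at where the lasting fix belongs: the entry is flagged RQ_ROOTLESS, so serve_init itself would have to check its directory argument against the permitted root and the caller's read-only status before creating anything.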



Information forwarded to debian-bugs-dist@lists.debian.org, epg@debian.org (Eric Gillespie, Jr.):
Bug#119402; Package cvs.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to epg@debian.org (Eric Gillespie, Jr.).


Message #15 received at 119402@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 119402@bugs.debian.org
Subject: Update
Date: Mon, 19 Nov 2001 15:20:16 -0500

This patch looks reasonable.  Will you be able to do an upload soon?  This
bug must be fixed within the next 7 days in order to meet the woody freeze
deadline.  I am able to NMU if necessary.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, epg@debian.org (Eric Gillespie, Jr.):
Bug#119402; Package cvs.


Acknowledgement sent to "Eric Gillespie, Jr." <epg@pretzelnet.org>:
Extra info received and forwarded to list. Copy sent to epg@debian.org (Eric Gillespie, Jr.).


Message #20 received at 119402@bugs.debian.org:

From: "Eric Gillespie, Jr." <epg@pretzelnet.org>
To: control@bugs.debian.org
Cc: 119402@bugs.debian.org
Subject: [Debian Installer <installer@ftp-master.debian.org>] cvs_1.11.1p1-2_i386.changes INSTALLED
Date: Mon, 19 Nov 2001 16:42:14 -0500

severity 119402 normal
thanks

Format: 1.7
Date: Mon, 19 Nov 2001 17:57:00 +0000
Source: cvs
Binary: cvs
Architecture: source i386
Version: 1.11.1p1-2
Distribution: unstable
Urgency: low
Maintainer: Eric Gillespie, Jr. <epg@debian.org>
Changed-By: Eric Gillespie, Jr. <epg@debian.org>
Description: 
 cvs        - Concurrent Versions System
Closes: 105479 119943
Changes: 
 cvs (1.11.1p1-2) unstable; urgency=low
 .
   * Disable init over pserver.  Temporarily address #119402.
   * Provide cvs-doc. (Closes: #105479)
   * List previous maintainer in debian/copyright. (Closes: #119943)
Files: 
 915f1c1fbaf2b6a7f8144fbda7e77fb4 949 devel optional cvs_1.11.1p1-2.dsc
 3fb2b52c03f9aacec389f096dade3eab 54862 devel optional cvs_1.11.1p1-2.diff.gz
 467bd748c16ae72ecad37daca0d1a94f 1210166 devel optional cvs_1.11.1p1-2_i386.deb

From: Debian Installer <installer@ftp-master.debian.org>
To: epg@debian.org (Eric Gillespie, Jr.)
X-Katie: $Revision: 1.65 $
Subject: cvs_1.11.1p1-2_i386.changes INSTALLED
Message-Id: <E165uYg-0003dz-00@auric.debian.org>
Sender: James Troup <troup@auric.debian.org>
Date: Mon, 19 Nov 2001 14:58:22 -0500
Delivered-To: epg@debian.org


Installing:
cvs_1.11.1p1-2.diff.gz
  to pool/main/c/cvs/cvs_1.11.1p1-2.diff.gz
cvs_1.11.1p1-2.dsc
  to pool/main/c/cvs/cvs_1.11.1p1-2.dsc
cvs_1.11.1p1-2_i386.deb
  to pool/main/c/cvs/cvs_1.11.1p1-2_i386.deb
Announcing to debian-devel-changes@lists.debian.org
Closing bugs: 105479 119943 


Thank you for your contribution to Debian.




Severity set to `normal'. Request was from "Eric Gillespie, Jr." <epg@pretzelnet.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#119402; Package cvs.


Acknowledgement sent to Teddy Hogeborn <teddy@fukt.bth.se>:
Extra info received and forwarded to list. Copy sent to Steve McIntyre <93sam@debian.org>.


Message #27 received at 119402@bugs.debian.org:

From: Teddy Hogeborn <teddy@fukt.bth.se>
To: 119402@bugs.debian.org
Subject: Seems like this was fixed in upstream 1.11.2
Date: 19 Sep 2003 03:21:58 +0200

By reading the source code (src/server.c) it seems like this bug was
fixed upstream in 1.11.2, and the fix still seems to be present in
cvs_1.12.1 (currently in testing).  Someone needs to confirm this.

(If this is confirmed, one Debian-specific patch file could be
eliminated ("87_disable_init_cvs_server").  Also, this bug could be
closed.)

By the way, was this ever reported upstream?  Should I have reported
it upstream myself?

/Teddy



Changed Bug submitter from Teddy Hogeborn <teddy@bilbo.fukt.bth.se> to Teddy Hogeborn <teddy@fukt.bth.se>. Request was from Teddy Hogeborn <teddy@fukt.bth.se> to control@bugs.debian.org.


Information stored:
Bug#119402; Package cvs.


Acknowledgement sent to Lior Kaplan <kaplan@debian.org>:
Extra info received and filed, but not forwarded.


Message #34 received at 119402-quiet@bugs.debian.org:

From: Lior Kaplan <kaplan@debian.org>
To: 119402-submitter@bugs.debian.org
Cc: 119402-quiet@bugs.debian.org
Subject: Debian CVS bug triage - bug #119402
Date: Fri, 05 Oct 2007 13:20:27 +0200

Dear CVS user,

Thanks for your interest in CVS and the bug report you have contributed [1].

Debian's cvs package has ~120 old bugs, most of them a couple of years old.

As part of a bug triage I'm doing for several packages, I would like your help
with verifying your bug is still relevant or getting your approval for closing 
it.

The current cvs version in Debian is 1.12.13-8 (shared by stable, testing and 
unstable).

Feel free to contact me for questions or if you need help.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=119402

Thanks.

--
Lior Kaplan
kaplan@debian.org




Message sent on to Teddy Hogeborn <teddy@fukt.bth.se>:
Bug#119402.


Information stored:
Bug#119402; Package cvs.


Acknowledgement sent to Teddy Hogeborn <teddy@fukt.bsnet.se>:
Extra info received and filed, but not forwarded.


Message #42 received at 119402-quiet@bugs.debian.org:

From: Teddy Hogeborn <teddy@fukt.bsnet.se>
To: Lior Kaplan <kaplan@debian.org>
Cc: 119402-quiet@bugs.debian.org
Subject: Re: Bug#119402: Debian CVS bug triage - bug #119402
Date: Fri, 05 Oct 2007 18:45:55 +0200

Lior Kaplan <kaplan@debian.org> writes:

> I would like your help with verifying your bug is still relevant or
> getting your approval for closing it.

As I wrote six years ago in <87k7853749.fsf@tower.fukt.bth.se>,
comment #27 above, this bug can now be closed.  Especially since the
Debian-specific patch ("87_disable_init_cvs_server") seems to have
been removed from the package.

/Teddy




Reply sent to Lior Kaplan <kaplan@debian.org>:
You have taken responsibility.


Notification sent to Teddy Hogeborn <teddy@fukt.bth.se>:
Bug acknowledged by developer.


Message #47 received at 119402-done@bugs.debian.org:

From: Lior Kaplan <kaplan@debian.org>
To: 119402-done@bugs.debian.org
Subject: Re: Bug#119402: Debian CVS bug triage - bug #119402
Date: Sat, 06 Oct 2007 04:04:11 +0200

Version: 1:1.12.2-1

Teddy Hogeborn wrote:
> Lior Kaplan <kaplan@debian.org> writes:
> 
>> I would like your help with verifying your bug is still relevant or
>> getting your approval for closing it.
> 
> As I wrote six years ago in <87k7853749.fsf@tower.fukt.bth.se>,
> comment #27 above, this bug can now be closed.  Especially since the
> Debian-specific patch ("87_disable_init_cvs_server") seems to have
> been removed from the package.

Closing. The right part from the changelog:
> + 87_disable_init_cvs_server (upstream fixed a different way)

-- 
Lior Kaplan
kaplan@debian.org

GPG fingerprint:
C644 D0B3 92F4 8FE4 4662  B541 1558 9445 99E8 1DA0




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Nov 2007 07:25:21 GMT)


Bug unarchived. Request was from Teddy Hogeborn <teddy@fukt.bsnet.se> to control@bugs.debian.org. (Sat, 29 Nov 2008 21:34:15 GMT)


Changed Bug submitter from Teddy Hogeborn <teddy@fukt.bth.se> to Teddy Hogeborn <teddy@fukt.bsnet.se>. Request was from Teddy Hogeborn <teddy@fukt.bsnet.se> to control@bugs.debian.org. (Sat, 29 Nov 2008 21:34:15 GMT)


Bug archived. Request was from Teddy Hogeborn <teddy@fukt.bsnet.se> to control@bugs.debian.org. (Sat, 29 Nov 2008 21:34:19 GMT)


Bug unarchived. Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Mon, 10 Oct 2011 08:03:40 GMT)


Changed Bug submitter to 'Teddy Hogeborn <teddy@recompile.se>' from 'Teddy Hogeborn <teddy@fukt.bsnet.se>' Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Mon, 10 Oct 2011 08:03:41 GMT)


Bug archived. Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Mon, 10 Oct 2011 08:03:41 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:13:15 2023; Machine Name: buxtehude
