Debian Bug report logs - #169967
cvs: --allowroot on :ext: accepted but ignored


Package: cvs; Maintainer for cvs is Thorsten Glaser <tg@mirbsd.de>; Source for cvs is src:cvs.

Reported by: Tim Riker <Tim@Rikers.org>

Date: Thu, 21 Nov 2002 06:03:01 UTC

Severity: normal

Tags: patch, upstream

Found in versions 1.11.2-5, cvs/1:1.12.13-8

Fixed in version cvs/1:1.12.13-11

Done: Steve McIntyre <93sam@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Tollef Fog Heen <tfheen@debian.org>, cvs@packages.qa.debian.org:
Bug#169967; Package cvs. Full text and rfc822 format available.

Acknowledgement sent to Tim Riker <Tim@Rikers.org>:
New Bug report received and forwarded. Copy sent to Tollef Fog Heen <tfheen@debian.org>, cvs@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tim Riker <Tim@Rikers.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cvs: --allowroot on :ext: accepted but ignored
Date: Wed, 20 Nov 2002 22:48:03 -0700
Package: cvs
Version: 1.11.2-5
Severity: normal
Tags: security upstream patch

Upstream issue. --allow-root, if used in a ~/.ssh/authorized_keys file as:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/cvs --allow-root=/cvs/other server" ssh-dss AAAA...1Rys= timr@localhost

cvs accepts this option on the command line with no errors. This leads
the admin to believe that it is in fact using the option. However the
option is ignored by cvs and any CVSROOT is allowed on the server.

Patch enables checking of the option. Other cvs security implications
still apply of course.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux localhost 2.4.20-pre11 #4 Fri Oct 25 12:51:23 MDT 2002 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages cvs depends on:
ii  debconf                       1.2.11     Debian configuration management sy
ii  libc6                         2.3.1-3    GNU C Library: Shared libraries an
ii  zlib1g                        1:1.1.4-6  compression library - runtime

-- debconf information:
  cvs/rotatekeep: 7
  cvs/badrepositories: create
  cvs/pserver_warning:
  cvs/rotatekeep_nondefault: no
  cvs/read_cvsconf: false
  cvs/rotate_individual: true
  cvs/pserver_repos_individual: yes
  cvs/pserver_setspawnlimit: yes
  cvs/rotatekeep_individual: 7
  cvs/pserver_repos: all
* cvs/pserver: false
  cvs/cvs_conf_is_dead:
* cvs/repositories:
  cvs/pserver_spawnlimit: 400
  cvs/rotatehistory: no


diff -Naur cvs-1.11.1p1.orig/src/cvs.h cvs-1.11.1p1/src/cvs.h
--- cvs-1.11.1p1.orig/src/cvs.h	Tue Apr 24 12:14:53 2001
+++ cvs-1.11.1p1/src/cvs.h	Wed Nov 20 22:15:40 2002
@@ -465,6 +465,7 @@
 void Create_Root PROTO((char *dir, char *rootdir));
 void root_allow_add PROTO ((char *));
 void root_allow_free PROTO ((void));
+int root_allow_used PROTO ((void));
 int root_allow_ok PROTO ((char *));
 =

 char *gca PROTO((const char *rev1, const char *rev2));
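Review bot: the new prototype has no comment saying what it reports, unlike a reader would hope for a predicate named root_allow_used; since the name could be read as "a root was used" rather than "--allow-root was given", a one-line comment next to `int root_allow_used PROTO ((void));` (or a name such as root_allow_configured) would make the cvs.h declaration self-explanatory.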
diff -Naur cvs-1.11.1p1.orig/src/root.c cvs-1.11.1p1/src/root.c
--- cvs-1.11.1p1.orig/src/root.c	Thu Apr 19 13:45:33 2001
+++ cvs-1.11.1p1/src/root.c	Wed Nov 20 22:09:25 2002
@@ -238,6 +238,12 @@
 }
 =

 int
+root_allow_used ()
+{
+    return root_allow_count !=3D 0;
+}
+
+int
 root_allow_ok (arg)
     char *arg;
 {
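Review bot: the design decision hidden in `return root_allow_count != 0;` deserves a comment above the function: callers use it to make an empty allow list fail-open (no --allow-root means every root is accepted, which is what keeps existing :ext: servers working), whereas a reader might expect an empty list to deny everything. Stating that intent here, next to root_allow_ok which returns false on an empty list, prevents a later "cleanup" from merging the two checks and silently locking out all rsh/ssh users.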
diff -Naur cvs-1.11.1p1.orig/src/server.c cvs-1.11.1p1/src/server.c
--- cvs-1.11.1p1.orig/src/server.c	Wed Nov 20 22:00:49 2002
+++ cvs-1.11.1p1/src/server.c	Wed Nov 20 22:12:54 2002
@@ -760,6 +760,13 @@
 		     "E Protocol error: Duplicate Root request, for %s", arg);
 	return;
     }
+    if (root_allow_used() && !root_allow_ok(arg))
+    {
+	if (alloc_pending (80 + strlen (arg)))
+	    sprintf (pending_error_text,
+		     "E Bad root %s", arg);
+	return;
+    }
 =

 #ifdef AUTH_SERVER_SUPPORT
     if (Pserver_Repos !=3D NULL)
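Review bot: the placement of `if (root_allow_used() && !root_allow_ok(arg))` before the `#ifdef AUTH_SERVER_SUPPORT` block is the whole point of the patch, because the Pserver_Repos check below only runs for pserver connections while this one applies to every Root request, :ext: and rsh included; add a comment saying so, otherwise a future refactor could move it inside the ifdef and silently reintroduce the bug. The "E Bad root %s" message and the `alloc_pending (80 + strlen (arg))` sizing follow the existing Duplicate Root pattern two lines above, which is fine.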


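A small model of the check this patch introduces, added here as an illustration and not code from CVS or from the patch itself: it contrasts the unpatched :ext: behaviour (any root accepted) with the patched one, and shows that a server started without any --allow-root stays fail-open. The fixed-size list, MAX_ROOTS and the serve_root_* wrappers are assumptions of this model.

```c
#include <string.h>

/* Added illustration, not CVS's own code: a minimal model of the
 * root_allow_* list and of the Root-request check the patch adds. */
#define MAX_ROOTS 8            /* assumption of this model */

static const char *root_allow_list[MAX_ROOTS];
static int root_allow_count = 0;

/* Each --allow-root=DIR on the server command line adds one entry. */
void root_allow_add(const char *dir)
{
    if (root_allow_count < MAX_ROOTS)
        root_allow_list[root_allow_count++] = dir;
}

/* Was --allow-root given at all?  Same test as the patch's new helper. */
int root_allow_used(void)
{
    return root_allow_count != 0;
}

/* Is ARG on the list?  This model compares exact strings, so a
 * trailing slash or other spelling variant does not match. */
int root_allow_ok(const char *arg)
{
    int i;
    for (i = 0; i < root_allow_count; i++)
        if (strcmp(root_allow_list[i], arg) == 0)
            return 1;
    return 0;
}

/* :ext: before the patch: the option is parsed but never consulted
 * for the Root request, so any repository path is accepted. */
int serve_root_unpatched(const char *arg)
{
    (void)arg;
    return 1;
}

/* After the patch: reject when a list was configured and ARG is not on
 * it.  With no list at all the check stays fail-open, which keeps :ext:
 * servers started without --allow-root working as before. */
int serve_root_patched(const char *arg)
{
    if (root_allow_used() && !root_allow_ok(arg))
        return 0;              /* CVS would queue "E Bad root ARG" here */
    return 1;
}
```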


Information forwarded to debian-bugs-dist@lists.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#169967; Package cvs. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve McIntyre <93sam@debian.org>. Full text and rfc822 format available.

Message #10 received at 169967@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 169967@bugs.debian.org
Subject: Removing tag
Date: Wed, 18 Oct 2006 21:57:16 +0100
This isn't a security problem. Removing tag.

Please do not reset it without contacting the security team first.

Regards,
Neil
-- 
<h01ger> I miss a computer physically... I can ping it, but don't know where 
	it is...

Tags removed: security Request was from Neil McGovern <neilm@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information stored:
Bug#169967; Package cvs. Full text and rfc822 format available.

Acknowledgement sent to Lior Kaplan <kaplan@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #17 received at 169967-quiet@bugs.debian.org (full text, mbox):

From: Lior Kaplan <kaplan@debian.org>
To: 169967-submitter@bugs.debian.org
Cc: 169967-quiet@bugs.debian.org
Subject: Debian CVS bug triage - bug #169967
Date: Fri, 05 Oct 2007 13:20:28 +0200
Dear CVS user,

Thanks for your interest in CVS and the bug report you have contributed [1].

Debian's cvs package has ~120 old bugs, most of them a couple of years old.

As part of a bug triage I'm doing for several packages, I would like your help
with verifying your bug is still relevant or getting your approval for closing 
it.

The current cvs version in Debian is 1.12.13-8 (shared by stable, testing and 
unstable).

Feel free to contact me for questions or if you need help.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169967

Thanks.

--
Lior Kaplan
kaplan@debian.org




Message sent on to Tim Riker <Tim@Rikers.org>:
Bug#169967. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve McIntyre <93sam@debian.org>:
Bug#169967; Package cvs. Full text and rfc822 format available.

Acknowledgement sent to Tim Riker <Tim@Rikers.org>:
Extra info received and forwarded to list. Copy sent to Steve McIntyre <93sam@debian.org>. Full text and rfc822 format available.

Message #25 received at 169967@bugs.debian.org (full text, mbox):

From: Tim Riker <Tim@Rikers.org>
To: 169967@bugs.debian.org
Subject: Bug#169967
Date: Fri, 05 Oct 2007 11:19:47 -0600
I did not test this, but I just looked through the latest source and it 
still seems to be an issue.

I do think this is a security issue, though it's app security and not 
host security. Accepting the --allow-root option and ignoring it leads 
the administrator into a false sense of security.
-- 
Tim Riker - http://Rikers.org/ - TimR@Debian.org
Embedded Linux Technologist - http://eLinux.org/
BZFlag maintainer - http://BZFlag.org/ - for fun!




Bug marked as found in version 1:1.12.13-8. Request was from Lior Kaplan <kaplan@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2007 21:39:02 GMT) Full text and rfc822 format available.

Reply sent to Steve McIntyre <93sam@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tim Riker <Tim@Rikers.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 169967-close@bugs.debian.org (full text, mbox):

From: Steve McIntyre <93sam@debian.org>
To: 169967-close@bugs.debian.org
Subject: Bug#169967: fixed in cvs 1:1.12.13-11
Date: Sun, 18 May 2008 01:47:03 +0000
Source: cvs
Source-Version: 1:1.12.13-11

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive:

cvs_1.12.13-11.diff.gz
  to pool/main/c/cvs/cvs_1.12.13-11.diff.gz
cvs_1.12.13-11.dsc
  to pool/main/c/cvs/cvs_1.12.13-11.dsc
cvs_1.12.13-11_i386.deb
  to pool/main/c/cvs/cvs_1.12.13-11_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 169967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 27 Jan 2008 19:08:02 +0000
Source: cvs
Binary: cvs
Architecture: source i386
Version: 1:1.12.13-11
Distribution: unstable
Urgency: low
Maintainer: Steve McIntyre <93sam@debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Description: 
 cvs        - Concurrent Versions System
Closes: 169967
Changes: 
 cvs (1:1.12.13-11) unstable; urgency=low
 .
   * Be more aggressive about checking --allow-root; can now be used for
     limiting allowed CVSROOTs using rsh/ssh as well. Closes: #169967,
     thanks to Tim Riker for the original patch.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 26 Jun 2008 07:37:28 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:32:23 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.