Security problems in CVS

Summary
Description: If CVS is run as root with pserver as suggested in the info page, any user can access any account (with the possible exception of root).
Author: Elliot Lee <sopwith@REDHAT.COM>
Compromise: access any nonuser account (remote)
Vulnerable Systems: Those running a vulnerable version of CVS pserver as suggested in the CVS info page. CVS 1.9.14 has this fixed.
Date: 29 August 1997
Details


Date: Fri, 29 Aug 1997 12:08:48 -0400
From: Elliot Lee <sopwith@REDHAT.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Somewhat of a security hole in CVS

If you run the CVS pserver as per the instructions in the CVS info page
(running it as root from inetd) anyone can get access to any account
except root (and perhaps root too - there may be CVS commands that run
scripts and don't check if uid == 0). If you don't run it as root they can
still get full access to the repository.

Basically, the luser makes their own CVS repository with a "customized"
password file, changes commitinfo so it runs a "chmod 6555 /bin/sh"
script, and does a commit of something.

This is more of a site configuration problem than anything else - it's not
really a weakness inherent in CVS(?). A patch to server.c to limit usage
of the 'Repository' and 'Directory' commands to only those listed in
/etc/cvs-repositories might be useful, but I'm not sure how thorough that
would be.

Of course, having someone do a complete security audit of CVS wouldn't
hurt either ;-) It is becoming increasingly used on the 'net for software
distribution - the OpenBSD project being an example - and it lacks some
basic features, such as integrated anonymous user support (without having
to make a separate user and run the server as root, or enable rsh/ssh
access), that it could use.

Hope this helps,
-- Elliot - http://www.redhat.com/
What's nice about GUI is that you see what you manipulate.
What's bad about GUI is that you can only manipulate what you see.

| http://www.cauce.org/ | http://www.linuxnet.org/ |
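The allow-list check the message proposes for the 'Repository' and 'Directory' requests, sketched in C as an added example (not code from CVS or from the original post). The function names and sample paths are hypothetical, and the list is passed in as an array rather than read from /etc/cvs-repositories.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample allow-list (hypothetical paths). */
const char *const SAMPLE_ALLOWED[] = { "/home/cvs", "/usr/local/cvsroot/" };

/* Lexically normalise an absolute path: collapse "//", drop ".", resolve "..".
   Returns -1 for relative paths, overflow, or ".." climbing above "/".
   Symlinks are not resolved; a real server would also apply realpath(3). */
static int normalize_path(const char *in, char *out, size_t outsz) {
    size_t len = 0;
    if (in == NULL || in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t n = strcspn(in, "/");
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0) return -1;
            while (len > 0 && out[--len] != '/') { }
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + n + 2 > outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* 1 if `requested` is an allowed root or lies beneath one on a path-component boundary ("/home/cvs-x" does not match "/home/cvs"), else 0. */
int repository_allowed(const char *requested, const char *const *allowed, size_t count) {
    char req[1024], root[1024];
    if (normalize_path(requested, req, sizeof req) != 0) return 0;
    for (size_t i = 0; i < count; i++) {
        if (normalize_path(allowed[i], root, sizeof root) != 0) continue;
        size_t rl = strlen(root);
        if (rl == 1) continue;               /* never allow "/" itself */
        if (strncmp(req, root, rl) == 0 && (req[rl] == '\0' || req[rl] == '/'))
            return 1;
    }
    return 0;
}

int main(void) {
    printf("%d %d\n", repository_allowed("/home/cvs/proj", SAMPLE_ALLOWED, 2), repository_allowed("/home/cvs-evil", SAMPLE_ALLOWED, 2));
    return 0;
}
```

The check fails closed: a request path that is relative, too long, or climbs above "/" is denied before any list entry is consulted.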

This page is part of Fyodor's exploit world.