[cvsnt] Re: Latest CVS vulnerabilities: CVSNT affected?

Tony Hoyle tmh at nodomain.org
Tue Apr 19 20:37:46 BST 2005


Andreas Tscharner wrote:
> CVSHome released a new stable and a new feature release of CVS, both 
> security fixes. They referenced CAN-2005-0753. I've found this number in 
> the NEWS file, the entry on CVE is still marked as reserved.

CVE aren't giving anything away... Arthur is chasing it I think.

> Is CVSNT affected too?

 From the information I have they're talking about double-free problems, 
which cvsnt has been immune to for a couple of years (I code very 
defensively and realized the potential problem a long time ago).

There's some mention of a perl problem which isn't a vulnerability 
really - it must be assumed that anyone with commit access to the 
CVSROOT directory has the ability to run arbitrary executables.  CVSNT 
has the chroot settings and 'run as user' to mitigate this but really 
CVSROOT should be locked down to administrators only - something I've 
been meaning to make the default for a while, and probably will for the 
next release.

It also helps that the Windows stuff doesn't use the Unix perl scripts 
anyway... we have our own set of utilities.

> BTW: Additionally CVS has some new features ported from CVSNT :-)

Which ones?  Any potential compatibility issues?

Tony



More information about the cvsnt mailing list