savannah-hackers

[sr #111001] unsafe permission in www-zh-cn CVS source repo


From: Bob Proulx
Subject: [sr #111001] unsafe permission in www-zh-cn CVS source repo
Date: Fri, 5 Jan 2024 17:21:32 -0500 (EST)

Follow-up Comment #3, sr#111001 (group administration):

Technically those permissions are not unsafe, at least they are not unsafe for
Savannah.  That's the context in which I make this comment.

CVS is based upon RCS and both of those use the permissions on the ,v file to
specify the file mode to be used when the file is checked out.  That
information might possibly have been stored in the ,v file as a data field
back decades ago when the file was defined but instead this information is
stored in the file mode itself.

It's an interesting question though.  Could a malicious attacker use an
executable ,v file in some way?  And I add in some way more effectively than
being able to use other commands?  Because being able to execute this
arbitrary path means they would be able to execute other arbitrary paths, most
likely.  And in that case I can think of many other more effective attacks. 
Regardless this could only be used as a secondary layer of attack after
already being able to execute the primary successfully by being able to invoke
arbitrary executables.

Being curious I looked and ran a find command across the entire CVS collection
and located 100943 ,v files stored in the repositories that are marked
executable.  That includes a lot of files that are scripts and should be
marked executable.  Which is just to say that this is not something that is
isolated to the translations.

Though certainly in the translations there is no need for these files to be
executable.  It would be very good for the translations to clean this up with
a commit from their working copy sandbox to clean up these.



    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?111001>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
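
The audit described in the message above (finding ,v files marked executable) can be sketched as follows. This is an added example, not the find command the author ran and not part of the original message. The function names, the sample tree and the shebang heuristic for separating scripts from other files are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. All paths are constructed.

# Print every ,v file under $1 that has any execute bit set (POSIX find).
list_exec_rcs() {
    ( cd "$1" && find . -type f -name '*,v' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print )
}

# Heuristic (assumption): the trunk head is the first deltatext in an RCS
# file, so a "text" line followed by "@#!" means the head revision starts
# with a shebang. A log message holding a bare "text" line could fool it.
head_is_script() {
    awk 'prev == "text" { found = ($0 ~ /^@#!/); exit }
         { prev = $0 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Executable ,v files whose head revision is not a script: review candidates.
audit_exec_rcs() {
    list_exec_rcs "$1" | while IFS= read -r f; do
        head_is_script "$1/$f" || printf '%s\n' "$f"
    done | sort
}

# Count review candidates per top-level module (first path component).
count_by_module() {
    audit_exec_rcs "$1" |
        awk -F/ '{ n[$2]++ } END { for (m in n) print n[m], m }' | sort -k2
}

# Write a minimal constructed RCS file: $1 path, $2 mode, $3 head text line.
mk_rcs() {
    printf 'head\t1.1;\n\n1.1\nnext\t;\n\ndesc\n@@\n\n1.1\nlog\n@init\n@\ntext\n@%s\n@\n' \
        "$3" > "$1"
    chmod "$2" "$1"
}

# Build a constructed sample tree under $1.
make_sample_repo() {
    mkdir -p "$1/translations/Attic" "$1/tools"
    mk_rcs "$1/translations/page.po,v"      555 'msgid ""'
    mk_rcs "$1/translations/Attic/old.po,v" 544 'msgid ""'
    mk_rcs "$1/translations/notes.txt,v"    444 'plain notes'
    mk_rcs "$1/tools/build.sh,v"            555 '#!/bin/sh'
    mk_rcs "$1/tools/README,v"              454 'read me'
}
```

Running make_sample_repo on an empty directory and then count_by_module on it reports one candidate under tools and two under translations, while the executable build.sh,v is left out because its head revision is a script.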