From: Derek Robert Price
Subject: Re: cvs: temporary file handling fixes
Date: Mon, 26 May 2003 23:08:59 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
Mark D. Baushke wrote:

> Hi Alexander, You write:
>
> > In particular, I was looking for a (security) bug reporting address that wouldn't automatically reach a public mailing list, -- but it seems you find unsafe temporary file handling to be a minor enough issue to be discussed in public. This is OK with me, but I thought that some vendor-sec members could prefer to handle it differently.
>
> I do not know anyone on the development team that believes that cvs is a 'secure' program today. It should be improved, but it was not designed with security in mind and is often too trusting of the data it has on hand.
Besides which, my specialty is not security. If you don't clearly label something dangerous to distribute as such, I might not always catch it. I've always thought temp file bugs were minor, but no one has ever explained the exploit to me. Can they be particularly dangerous?
Also, as Mark said, there are many security flaws in CVS. Without a lot of extra work by the system administrator, it is relatively easy to run a script as the user the CVS server is run as. Until release 1.11.6 and 1.12.1, it was even easier. This makes me tend not to worry too much about exploit dissemination, though I do usually try and fix the bugs as reported.
> I personally would find it desirable to remove as many of the 'known' security holes as possible in cvs. For now, this means that you need to air them on the bug-cvs@gnu.org list.
I agree, and I tend to use bug-cvs for many reasons. For instance, it maintains a public archive which potential bug reporters and developers can search for answers. This way, we don't have to answer the same questions as often as we otherwise might, and sometimes when I don't have time to deal with the issues myself others can find them and get to them. In this case, I didn't feel I had time to decipher your patches and was hoping someone else would jump in if it was important.
I'll add some more in response to Simon's earlier mail.

Derek

--
*8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
There is not a truth on earth which I fear or would disguise. But secret slanders cannot be disarmed, because they are secret.
- Thomas Jefferson to William Duane, 1806
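Added example, not from this thread and not CVS code: the pattern that the "temporary file handling fixes" in the subject line are about. The reason such bugs are more than cosmetic is that a program which first picks a predictable name and then opens it leaves a window in which another local user can create a file or symlink at that name, so the open lands on something the attacker chose, with the program's privileges (for a CVS server, the user the server runs as). The fix is to make name choice and creation one atomic step with O_EXCL, which mkstemp(3) does, and then to check the descriptor actually held rather than the path. This assumes a POSIX system; the function names and the `cvs-example-XXXXXX` template are my own choices.

```c
/* Added example (not part of the CVS sources or of this thread).
 * Assumes POSIX mkstemp(3), fstat(2) and geteuid(2). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a fresh temporary file under `dir` (TMPDIR or /tmp when NULL).
 * mkstemp() generates the name and opens it with O_CREAT|O_EXCL in one
 * system call, so an existing file or symlink at that name causes a
 * retry with a new name instead of being reused. On success the open
 * descriptor is returned and *path_out receives the final path (the
 * caller frees it); on failure -1 is returned and *path_out is untouched. */
int secure_tempfile(const char *dir, char **path_out)
{
    const char suffix[] = "/cvs-example-XXXXXX";  /* template name: assumption */
    char *tmpl;
    size_t len;
    int fd;

    if (dir == NULL || *dir == '\0')
        dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";

    len = strlen(dir) + sizeof(suffix);   /* sizeof includes the NUL */
    tmpl = malloc(len);
    if (tmpl == NULL)
        return -1;
    snprintf(tmpl, len, "%s%s", dir, suffix);

    fd = mkstemp(tmpl);   /* creates the file with mode 0600, O_EXCL */
    if (fd < 0) {
        free(tmpl);
        return -1;
    }
    *path_out = tmpl;
    return fd;
}

/* Post-condition check on the descriptor we hold, not on the path
 * (the path can be renamed or replaced under us; the descriptor cannot):
 * a regular file, a single hard link, owned by the effective uid, and
 * with no group/other permission bits. Returns 1 when all hold. */
int tempfile_is_private(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_nlink != 1)
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return 0;
    return 1;
}

int main(void)
{
    char *path = NULL;
    int fd = secure_tempfile(NULL, &path);

    if (fd < 0) {
        perror("secure_tempfile");
        return 1;
    }
    printf("%s: %s\n", path,
           tempfile_is_private(fd) ? "private" : "NOT private");
    close(fd);
    unlink(path);
    free(path);
    return 0;
}
```

The check in `tempfile_is_private` is what a reviewer would look for in a temp-file patch: it is applied to the file descriptor after the open, so it cannot be raced, whereas a `stat()` or `access()` on the path before the open (the common "check then open" shape) reintroduces the window the O_EXCL creation closed.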