[cvsnt] Re: New security issues in Unix CVS
Tony Hoyle
tmh at nodomain.org
Thu Jun 10 02:55:40 BST 2004
Andreas Tscharner wrote:
> Hello World, hello Tony,
>
> The page
> http://security.e-matters.de/advisories/092004.html
> describes six new security issues of the original Unix CVS. Is CVSNT
> affected by any of them?
>
It doesn't look like it at first glance. I put in global double-free
protection after the first scare a couple of years ago, so that's well
covered anyway.

Anything related to CVSROOT access isn't urgent and might be worth
looking at at some point (only an idiot would give CVSROOT checkin
access to an untrusted user... it's relatively easy to breach security
given such access anyway).

Integer overflows don't crash Intel systems so that's low priority (the
only thing max-dotdot is used for is a comparison so you'd get bogus
results rather than a crash).

There simply isn't enough detail in that report to give an absolute yes
or no to any of them (except the double free bugs, which cvsnt is not
vulnerable to). I'm not told of these things in any more detail than
anyone else... cvsnt has too few users/is too unimportant to get early
notification of security issues. Going on those descriptions and what I
know of the code though I think we're pretty safe.

Tony