[cvsnt] Re: New security issues in Unix CVS

Tony Hoyle tmh at nodomain.org
Thu Jun 10 02:55:40 BST 2004




Andreas Tscharner wrote:
> Hello World, hello Tony,
> 
> The page
> http://security.e-matters.de/advisories/092004.html
> describes six new security issues of the original Unix CVS. Is CVSNT
> affected by any of them?
> 
It doesn't look like it at first glance.  I put in global double-free 
protection after the first scare a couple of years ago, so that's well 
covered anyway.

Anything related to CVSROOT access isn't urgent and might be worth 
looking at at some point (only an idiot would give CVSROOT checkin 
access to an untrusted user... it's relatively easy to breach security 
given such access anyway).

Integer overflows don't crash Intel systems so that's low priority (the 
only thing max-dotdot is used for is a comparison so you'd get bogus 
results rather than a crash).

There simply isn't enough detail in that report to give an absolute yes 
or no to any of them (except the double free bugs, which cvsnt is not 
vulnerable to).  I'm not told of these things in any more detail than 
anyone else... cvsnt has too few users/is too unimportant to get early 
notification of security issues.  Going on those descriptions and what I 
know of the code though I think we're pretty safe.

Tony




