import 1.11.11 for security reasons
from GENTOO LINUX SECURITY ANNOUNCEMENT 200312-08 "Stable CVS 1.11.11 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release adds code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled. We recommend this upgrade for all CVS servers!"
This commit is contained in:
itojun
parent
95a042fe31
commit
977212b1bf
|
|
@ -1,3 +1,38 @@
|
|||
2003-12-18 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* NEWS: Note syslog of root attempts.
|
||||
|
||||
2003-12-18 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* NEWS: Note that pserver can no longer run as root.
|
||||
|
||||
2003-12-07 Mark D. Baushke <mdb@cvshome.org>
|
||||
|
||||
* configure.in (AC_SYS_LARGEFILE): Remove. More work is needed
|
||||
before AC_SYS_LARGEFILE will work on all platforms.
|
||||
* configure, config.h.in: Regenerated.
|
||||
* NEWS: Remove last note.
|
||||
|
||||
* configure.in (AC_SYS_LARGEFILE): Add. The history file on
|
||||
Solaris boxes can grow beyond 2GB.
|
||||
* configure, config.h.in: Regenerated.
|
||||
* NEWS: Note addition of --disable-largefiles option.
|
||||
|
||||
2003-12-05 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* configure.in: Update to require Automake 1.7.9.
|
||||
|
||||
2003-12-04 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* configure.in: Update for dev version 1.11.10.1.
|
||||
* NEWS: Add Changes since 1.11.10 section.
|
||||
* configure: Regenerated.
|
||||
|
||||
2003-12-04 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* configure.in: Update for release 1.11.10.
|
||||
* configure: Regenerated.
|
||||
|
||||
2003-12-03 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* configure.in: Always AC_LIBOBJ(fncase) when filenames are found to be
|
||||
|
|
|
|||
|
|
@ -1,5 +1,15 @@
|
|||
Changes since 1.11.9:
|
||||
*********************
|
||||
Changes since 1.11.10:
|
||||
**********************
|
||||
|
||||
SERVER SECURITY ISSUES
|
||||
|
||||
* pserver can no longer be configured to run as root via the
|
||||
$CVSROOT/CVSROOT/passwd file, so if your passwd file is compromised, it no
|
||||
longer leads directly to a root hack. Attempts to root will also be logged
|
||||
via the syslog.
|
||||
|
||||
Changes from 1.11.9 to 1.11.10:
|
||||
*******************************
|
||||
|
||||
SERVER SECURITY ISSUES
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.58 for Concurrent Versions System (CVS) 1.11.10.
|
||||
# Generated by GNU Autoconf 2.58 for Concurrent Versions System (CVS) 1.11.11.
|
||||
#
|
||||
# Report bugs to <bug-cvs@gnu.org>.
|
||||
#
|
||||
|
|
@ -269,8 +269,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
|
|||
# Identity of this package.
|
||||
PACKAGE_NAME='Concurrent Versions System (CVS)'
|
||||
PACKAGE_TARNAME='cvs'
|
||||
PACKAGE_VERSION='1.11.10'
|
||||
PACKAGE_STRING='Concurrent Versions System (CVS) 1.11.10'
|
||||
PACKAGE_VERSION='1.11.11'
|
||||
PACKAGE_STRING='Concurrent Versions System (CVS) 1.11.11'
|
||||
PACKAGE_BUGREPORT='bug-cvs@gnu.org'
|
||||
|
||||
ac_unique_file="src/cvs.h"
|
||||
|
|
@ -784,7 +784,7 @@ if test "$ac_init_help" = "long"; then
|
|||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures Concurrent Versions System (CVS) 1.11.10 to adapt to many kinds of systems.
|
||||
\`configure' configures Concurrent Versions System (CVS) 1.11.11 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
|
|
@ -846,7 +846,7 @@ fi
|
|||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of Concurrent Versions System (CVS) 1.11.10:";;
|
||||
short | recursive ) echo "Configuration of Concurrent Versions System (CVS) 1.11.11:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
|
|
@ -1031,7 +1031,7 @@ fi
|
|||
test -n "$ac_init_help" && exit 0
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
Concurrent Versions System (CVS) configure 1.11.10
|
||||
Concurrent Versions System (CVS) configure 1.11.11
|
||||
generated by GNU Autoconf 2.58
|
||||
|
||||
Copyright (C) 2003 Free Software Foundation, Inc.
|
||||
|
|
@ -1045,7 +1045,7 @@ cat >&5 <<_ACEOF
|
|||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by Concurrent Versions System (CVS) $as_me 1.11.10, which was
|
||||
It was created by Concurrent Versions System (CVS) $as_me 1.11.11, which was
|
||||
generated by GNU Autoconf 2.58. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
|
|
@ -1657,7 +1657,7 @@ fi
|
|||
|
||||
# Define the identity of the package.
|
||||
PACKAGE='cvs'
|
||||
VERSION='1.11.10'
|
||||
VERSION='1.11.11'
|
||||
|
||||
|
||||
# Some tools Automake needs.
|
||||
|
|
@ -11947,7 +11947,7 @@ _ASBOX
|
|||
} >&5
|
||||
cat >&5 <<_CSEOF
|
||||
|
||||
This file was extended by Concurrent Versions System (CVS) $as_me 1.11.10, which was
|
||||
This file was extended by Concurrent Versions System (CVS) $as_me 1.11.11, which was
|
||||
generated by GNU Autoconf 2.58. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
|
|
@ -12013,7 +12013,7 @@ _ACEOF
|
|||
|
||||
cat >>$CONFIG_STATUS <<_ACEOF
|
||||
ac_cs_version="\\
|
||||
Concurrent Versions System (CVS) config.status 1.11.10
|
||||
Concurrent Versions System (CVS) config.status 1.11.11
|
||||
configured by $0, generated by GNU Autoconf 2.58,
|
||||
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
dnl configure.in for cvs
|
||||
AC_INIT([Concurrent Versions System (CVS)],[1.11.10],[bug-cvs@gnu.org],[cvs])
|
||||
AC_INIT([Concurrent Versions System (CVS)],[1.11.11],[bug-cvs@gnu.org],[cvs])
|
||||
AC_CONFIG_SRCDIR(src/cvs.h)
|
||||
AM_INIT_AUTOMAKE([gnu 1.7.5 dist-bzip2 no-define])
|
||||
AM_INIT_AUTOMAKE([gnu 1.7.9 dist-bzip2 no-define])
|
||||
AC_PREREQ(2.58)
|
||||
|
||||
AC_PREFIX_PROGRAM(cvs)
|
||||
|
|
|
|||
|
|
@ -1,3 +1,17 @@
|
|||
2003-12-05 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* stamp-1, stamp-vti, version-client.texi, version.texi: Regenerated.
|
||||
|
||||
2003-12-04 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* stamp-1, stamp-vti, version-client.texi, version.texi: Regenerated
|
||||
for 1.11.10.1.
|
||||
|
||||
2003-12-04 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* stamp-1, stamp-vti, version-client.texi, version.texi: Regenerated
|
||||
for 1.11.10.
|
||||
|
||||
2003-11-18 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* stamp-vti, version.texi: Regenerated.
|
||||
|
|
|
|||
|
|
@ -1,3 +1,7 @@
|
|||
2003-12-09 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* system.h: Correct spelling in comment.
|
||||
|
||||
2003-12-03 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* fncase.c (OSX_filename_classes): New array.
|
||||
|
|
|
|||
|
|
@ -467,7 +467,7 @@ extern int errno;
|
|||
* defining a configure macro to define WOE32 appropriately. If they ever do
|
||||
* write such a beast, we should use it, though in most cases it would be
|
||||
* preferable to avoid referencing any OS or compiler anyhow, per Autoconf
|
||||
* convention, and reference only tested features of hte system.
|
||||
* convention, and reference only tested features of the system.
|
||||
*/
|
||||
# define WOE32 1
|
||||
#endif /* defined (__CYGWIN32__) || defined (WIN32) */
|
||||
|
|
|
|||
|
|
@ -1,3 +1,29 @@
|
|||
2003-12-18 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* server.c (switch_to_user): SysLog attempts to root from pserver.
|
||||
|
||||
2003-12-18 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* server.c (switch_to_user): Don't allow CVS to run as root in pserver
|
||||
mode.
|
||||
(Original patch from Wichert Akkerman via Bradley M Kuhn
|
||||
<bkuhn@fsf.org>.)
|
||||
* sanity.sh (pserver): Check for bad root error message.
|
||||
|
||||
2003-12-17 Larry Jones <lawrence.jones@eds.com>
|
||||
|
||||
* run.c (close_on_exec): fcntl is not documented to return 0 for
|
||||
success (and QNX doesn't), only -1 for error.
|
||||
(Patch from George Refseth <george.refseth@arxi.no>.)
|
||||
|
||||
2003-12-09 Mark D. Baushke <mdb@cvshome.org>
|
||||
|
||||
* server.c (template_proc): Fix broken Template protocol code.
|
||||
Must call send buf_send_counted() for Template files to avoid
|
||||
"Protocol error: uncounted data discarded" messages in some
|
||||
circumstances.
|
||||
(Problem reported by "Jim.Hyslop" <Jim.Hyslop@Leitch.com>.)
|
||||
|
||||
2003-12-03 Derek Price <derek@ximbiot.com>
|
||||
|
||||
* sanity.sh (recase-8csss): rename to...
|
||||
|
|
|
|||
|
|
@ -25653,6 +25653,7 @@ done
|
|||
${PROG} commit: Rebuilding administrative file database"
|
||||
cat >${CVSROOT_DIRNAME}/CVSROOT/passwd <<EOF
|
||||
testme:q6WV9d2t848B2:$username
|
||||
dontroot:q6WV9d2t848B2:root
|
||||
anonymous::$username
|
||||
$username:
|
||||
willfail: :whocares
|
||||
|
|
@ -25701,6 +25702,16 @@ Ay::'d
|
|||
END AUTH REQUEST
|
||||
Root ${CVSROOT_DIRNAME}
|
||||
noop
|
||||
EOF
|
||||
|
||||
dotest_fail pserver-4.2 \
|
||||
"${testcvs} --allow-root=${CVSROOT_DIRNAME} pserver" \
|
||||
"error 0: root not allowed" <<EOF
|
||||
BEGIN AUTH REQUEST
|
||||
${CVSROOT_DIRNAME}
|
||||
dontroot
|
||||
Ay::'d
|
||||
END AUTH REQUEST
|
||||
EOF
|
||||
|
||||
dotest pserver-5 "${testcvs} --allow-root=${CVSROOT_DIRNAME} pserver" \
|
||||
|
|
|
|||
Loading…
Reference in New Issue