Bug 152697 - It is possible to create files with absolute pathnames in cvs
Summary: It is possible to create files with absolute pathnames in cvs
Keywords:
Status: CLOSED DUPLICATE of bug 2040112
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: General
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-04-14 20:59 UTC by Michal Jaegermann
Modified: 2008-05-01 15:38 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:24:22 UTC
RHSA-2004:153-01 details new set of issues with cvs.
cvs-1.11.1p1-12.src.rpm recompiles without any changes or fuss at
least on 7.x installations.  Spec file from these sources can
be "recycled" after modifications to release.

For RH8 cvs-1.11.2-18.src.rpm mentioned in the same advisory likely
can be used but this needs to be checked.



------- Additional Comments From dwb7.edu 2004-04-30 06:49:09 ----

A warning on building the rpm:

if you happen to have a /usr/local/bin/perl that is say, a symlink, to
/usr/bin/perl (as we do on our 7.3 boxes) and /usr/local/bin is in your path
before /usr/bin, the rpm will build fine. But, it won't install:

        /usr/local/bin/perl   is needed by cvs-1.11.1p1-12.legacy

Solution: make sure /usr/bin is in path before /usr/local/bin




------- Additional Comments From dwb7.edu 2004-05-03 12:02:11 ----

Available for QA:

cvs for rh7.3

http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/cvs

My public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBECWtgQRBACJ8Y+PpLpzgyErXsfyBM+Uxo62IBH5KMT1ipYFl+1miEFU2QGM
ECapKO2UykQQCk3DDGLj3tUr8HpxK4uicM6VcbLv073PG4ib5vTUp4GfrxYAhjlb
NZWvcCW7k3dpgXxXks98VebTkuItrRnWosZ3xJWpxk74zUpCI4AG/9qQ7wCg6CMk
8xpvgyg620roAOY0Uur/SOsD/27k3VKSD4gQUV/HygXBwAb7sJN7kzsHPvR5ORcM
sUM+ilaDqBSaxxqmZ8N2B0DbIF7XXpb6C6o+Bxk+D/z0cF6dZ2lDPC7qb6/Ke+Zq
XDvbrn1VjK5bixQsZKg/cbtNOdX6vrpbuPq+O5SaNm8/szW3GY45Gq3nJXwrydIV
ftdfA/469xZ9JDxlrEmFJBb7By8bcXLEeUXfvunY7VFwywbiIlp4b0dFkZrFaTMB
pWBTs+kHWO0e3VapCHH6afVxaYnLCvGlIkGDCuXL8PKh7sfeCDf0vRrN/sjxZbS9
WfwVgDZdePRv+ktliCdBa6lYO1PZdMDeUCOvh5NIWYIbvdaQ1bQtRGF2aWQgQm90
c2NoIChDQ01SQ0YpIDxkd2I3QGNjbXIuY29ybmVsbC5lZHU+iFkEExECABkFAkCW
tgQECwcDAgMVAgMDFgIBAh4BAheAAAoJEEmO7O7j3/yFcWkAoLP+sCJ4vOOmq6VS
By/f9mc2hVoGAJ40JNnkh9nk4KKH2DePgrrxrLsvi7kCDQRAlrYOEAgAnePsdzXu
TlYnNCC3bRhk3uc1sSkSpd3IC/eNqTlsNaUo6pON1xCL7wgLXIp9lyUYUt1V+VGF
Aj3m+aAfMynbbWqZxkbKDKZXAsDj6lp8WUszNtrZmKzpL8XWZef5SMGtUbCpK/+w
Rx6XaUz8ltz7vVB95IixseYoEnF1qkyGog6mLFvYAHBXIzazIKu06GeMk+TdAoo5
rVuXZ/uGMS0v0AG3+8RkPUJr8+eBnF6SsVyMAufkoulpDKxVGMI/nMPBOVNIFt8+
AsEajxj/7ZfAwShkXbR//dRbi8cwB71WZx6g1Zcw/FzlFaJr6/pDeKIk2Svktbki
0+YugLbSIO2V4wADBQf9HHeGImUDPwOWIGV8wmLWEBvAFsEAtmrMl/4ZU3ym8OmL
cp/hs0kGe/mSzRq0x7mmUbvGB+AkiEANGzI3eTgWx8aNF2UlDTNX4xMbTHMyFLvJ
Re0Up9lK8wXOh6oN3rZTEzUyTVQFuO5uFEeMe35ggVS8Yb/Rc8IF2gwNHAqlb/wt
fChY/LcTWZJMupxemmujGU24IfwdTVG1LyOSAbiRKN8DatBUiXPJessT1JGpuKRQ
Tu/96XuHouyXo0DeImQgsa/3rcORmlcfD5KIOm4H+/3YkFeh2njZJWylU5jxv95O
IgF/uUiLs1ZbLuOofDe/Cf+943md+oz/URBG8srh64hGBBgRAgAGBQJAlrYOAAoJ
EEmO7O7j3/yFEqcAnRYd/3fyeeLQUjvDmtZ3ArHw5x+DAJ49URz6kY27H61QKn69
AMpXD/nuNg==
=3hjw
-----END PGP PUBLIC KEY BLOCK-----



------- Additional Comments From dwb7.edu 2004-05-04 06:20:27 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sums of the packages:

1e356a75538e20e9ecdd2e8eaf9143f8  cvs-1.11.1p1-12.legacy.i386.rpm
861282eacd1b162fc65246b1bdf50a3e  cvs-1.11.1p1-12.legacy.src.rpm


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8K2SY7s7uPf/IURAvKgAKDCbS+OSyBTHzEdtYojMh1gTIFEiACdGdDz
sWfAsO14VCrmdBMYPvE9hbI=
=mPj8
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2004-05-04 07:04:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sha1sums:

sha1sum -b cvs*
ba9d377026e87b324ec5ff397f87ff3989ab1f6e *cvs-1.11.1p1-12.legacy.i386.rpm
648f2cd648ccd944c11d99696e03d95db6ee5a46 *cvs-1.11.1p1-12.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAl8yLSY7s7uPf/IURAqLFAJ0YIWVPMiBjUNuR29aK3z2TqnK7NQCdGUgM
AJTU6InpHXkDbFcATr+pz2M=
=SSWo
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2004-05-10 08:14:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

These RPMS are built from the AS2.1 rpms, referenced in:

https://rhn.redhat.com/errata/RHSA-2004-153.html

(fix CAN-2004-0180 and CAN-2004-0405)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAn8aBSY7s7uPf/IURArcVAJ4v6WS3Xrx+Xli3cLt3YKU+c8nHEwCgl9tG
3upQ44Ej3x1CBh4ZcLduEss=
=UjZM
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating 2004-05-10 08:16:03 ----

*** Bug 1584 has been marked as a duplicate of this bug. ***



------- Additional Comments From dwb7.edu 2004-05-10 08:49:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- cvs.spec-7.3legacy	Mon May 10 14:42:31 2004
+++ cvs.spec-as	Mon May 10 14:41:19 2004
@@ -3,7 +3,7 @@
 Summary: A version control system.
 Name: cvs
 Version: %{cvsbase}%{cvspatch}
- -Release: 9.7.legacy
+Release: 12
 License: GPL
 Group: Development/Tools
 Source: ftp://ftp.cvshome.org/pub/cvs-%{cvsbase}/cvs-%{version}.tar.gz
@@ -18,9 +18,12 @@
 Patch7: cvs-1.11.1p1-timestamp.patch
 Patch8: cvs-1.11.1p1-extzlib.patch
 Patch9: cvs-e-matters.patch
- -Patch10: cvs-1.11.10-1.11.11.patch
- -Patch11: cvs-1.11.9-absolute-modules.patch
- -
+Patch10: cvs-1.11.9-absolute-modules.patch
+Patch11: cvs-1.11.1p1-sscanf.patch
+Patch12: cvs-1.11.10-1.11.11.patch
+Patch13: cvs-1.11.2-1.11.14-noCVS.patch
+Patch14: 03cvs-client-exploit-fix-1.11.2.diff
+Patch15: cvs-cat-etc-fix-1.11.2.diff
 Prereq: /sbin/install-info
 Prefix: %{_prefix}
 Buildroot: %{_tmppath}/%{name}-root
@@ -54,8 +57,12 @@
 %patch7 -p0 -b .timestamp
 %patch8 -p1 -b .extzlib
 %patch9 -p1 -b .e-matters
- -%patch10 -p1 -b .10-and-11-security
- -%patch11 -p0 -b .absolute-modules
+%patch10 -p0 -b .absolute-modules
+%patch11 -p1 -b .sscanf
+%patch12 -p1 -b .1.11.10-1.11.11
+%patch13 -p1 -b .noCVS
+%patch14 -p0 -b .client-exploit
+%patch15 -p0 -b .cat-etc-fix
 
 %build
 %{!?nokerberos: CPPFLAGS="-I/usr/kerberos/include"; export CPPFLAGS}
@@ -100,18 +107,22 @@
 %{_datadir}/%{name}
 
 %changelog
- -* Mon Jan 12 2004 Jason Rohwedder <rohwedde> 1.11.1p1-9.7.legacy
- -- applied cvs-1.11.9-absolute-modules.patch
- -- to make Seth's previous changelog true :)
- -- He actually patched
- -- http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88
- -
- -* Mon Jan 12 2004 Seth Vidal <skvidal.edu>
- -- apply security patch for CAN-2003-0977
- -
- -* Tue Dec 30 2003 Seth Vidal <skvidal.edu> 1.11.1p1-8.7.duke.1
- -- apply security patch for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
- -- second patch to make the above build
+* Mon Apr  5 2004 Nalin Dahyabhai <nalin> 1.11.1p1-12
+- add further fix from Derek Robert Price for client-trusts-server
+  vulnerability in handling of filename paths (CAN-2004-0180)
+
+* Fri Mar 19 2004 Nalin Dahyabhai <nalin> 1.11.1p1-11
+- add fix from Derek Robert Price for client-trusts-server vulnerability in
+  handling of filename paths (CAN-2004-0180)
+
+* Thu Dec 18 2003 Nalin Dahyabhai <nalin> 1.11.1p1-10
+- rebuild
+
+* Thu Dec 18 2003 Nalin Dahyabhai <nalin> 1.11.1p1-9
+- extract fix for CAN-2003-0977 from 1.11.9-to-1.11.10 changes: absolute
+  module names can make a server attempt to create a directory using the
+  client's privileges
+- include fix for CAN-2002-0844, an off-by-one in sscanf call
 
 * Thu Jan 16 2003 Nalin Dahyabhai <nalin> 1.11.1p1-8.7
 - incorporate fix for double-free in server (CAN-2003-0015)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAn86PSY7s7uPf/IURArOuAJ4kBG4pfTQhwC0LqCafp9+qd+ODzQCdG443
rb7/0vhpnMAJQ6EObik5eNg=
=+UL1
-----END PGP SIGNATURE-----



------- Additional Comments From jkeating 2004-05-18 18:41:54 ----

I've seen no QA yet.  These really need to get QA before I push them to
updates-testing...  There also needs to be 7.2/8.0 packages...



------- Additional Comments From dom 2004-05-19 07:22:02 ----

Last 7.2 update was an identical version and so the same update will apply. RH 8
(and 9 surely?) will need a slightly different version.



------- Additional Comments From dwb7.edu 2004-05-19 17:21:55 ----

bug #1620 now resolves this in addition to the new cvs issues.



------- Additional Comments From jkeating 2004-05-31 08:45:00 ----



*** This bug has been marked as a duplicate of 1620 ***



------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1485 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1485
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.




Note You need to log in before you can comment on or make changes to this bug.