Red Hat Bugzilla – Bug 61802
Security bug: read-only users can manipulate tags
Last modified: 2007-04-18 12:41:07 EDT
See the post here:
And the patch here:
The latest cvs package - cvs-1.11.1p1-7.i386.rpm - is affected by this problem.
Steps to Reproduce:
- Set up a CVS pserver
- Create a "writers" file in CVSROOT
- Log in with a user name not listed in "writers"
- Notice that you can create tags, even though you should only have read-only
This seems like a really bad bug for people who depend on cvs tags and have
public anoncvs. Is this serious enough to warrant an errata?
It's in 7.3
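A server-side stopgap for the behaviour reported above, as an added example that is not part of the original report or the referenced patch: a `taginfo` hook that applies CVS's documented `readers`/`writers` rules to tag operations. The script path, the `--hook` flag and the function names are hypothetical, and passing the pserver login via `$USER` on the taginfo line is an assumption to verify on your CVS version.

```shell
#!/bin/sh
# Added example: taginfo hook that refuses tag operations from read-only users.
# Assumed taginfo line (verify $USER expansion on your CVS version):
#   ALL /usr/local/sbin/taginfo_guard.sh --hook $USER /cvsroot/CVSROOT
# CVS then appends: tagname operation repository [file revision ...]

# listed FILE USER -> 0 if USER appears on its own line in FILE
listed() {
    [ -f "$1" ] && grep -Fqx -- "$2" "$1"
}

# is_read_only USER ADMIN_DIR -> 0 if the readers/writers rules make USER read-only
is_read_only() {
    user=$1; admin=$2
    # Listed in readers: read-only, even if also listed in writers.
    if listed "$admin/readers" "$user"; then return 0; fi
    # writers exists and the user is absent from it: read-only.
    if [ -f "$admin/writers" ] && ! listed "$admin/writers" "$user"; then return 0; fi
    return 1
}

# guard_tag USER ADMIN_DIR TAG OP -> non-zero status makes CVS abort the tag
guard_tag() {
    if [ -z "$1" ] || is_read_only "$1" "$2"; then
        echo "taginfo: read-only user '$1' may not $4 tag '$3'" >&2
        return 1
    fi
    return 0
}

# Hook entry point: only runs when invoked from taginfo with --hook.
if [ "${1:-}" = "--hook" ]; then
    shift
    guard_tag "$1" "$2" "$3" "$4"
    exit $?
fi
```

CVS passes `add`, `mov` or `del` as the operation argument, so the hook covers tag creation, moving and deletion alike.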