Debian 3.0 DSA-422-1 Critical: CVS Access Issues and Fixes
debian
January 15, 2004
Anyone who could modify the CVSROOT/passwd could gain access to all local users on the CVS server, including root.
Topics Covered
Summary
Package : cvs
Vulnerability : multiple problems
Problem type : remote
Debian-specific: no
CVE Id(s) : CAN-2003-0977
The account management of the CVS pserver (which is used to give remote
access to CVS repositories) uses a CVSROOT/passwd file in each
repository which contains the accounts and their authentication
information as well as the name of the local unix account to use when a
pserver account is used. Since CVS performed no checking on what unix
account was specified anyone who could modify the CVSROOT/passwd could
gain access to all local users on the CVS server, including root.
This has been fixed in upstream version 1.11.11 by preventing pserver
from running as root. For Debian this problem is solved in version
1.11.1p1debian-9 in two different ways:
* pserver is no longer allowed to use root to access repositories
* a new /etc/cvs-repouid is introduced which can be used by the system
administrator to override the unix account used to access a
repository. More information...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!