Your message dated Tue, 28 Mar 2017 22:18:52 +0000
with message-id <e1cszs0-0006ir...@fasolo.debian.org>
and subject line Bug#858769: fixed in cvs 2:1.12.13+real-22
has caused the Debian Bug report #858769,
regarding "cvs init" creates CVSROOT/history and val-tags world-writeable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
858769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858769
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cvs
Version: 2:1.12.13+real-21
Severity: grave
zealot:d> umask
0002
zealot:d> cvs -d `pwd` init
zealot:d> ll CVSROOT/
...
-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 history
...
-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 val-tags
...
AFAICT from the text in cvs.txt.gz, a corrupted val-tags file can
cause CVS to be oblivious to some tags and claim they do not exist. I
don't know whether cvs's parser for val-tags is robust against
malicious input. I haven't attempted a simulated attack.
AIUI the history file is used to record even read-only operations.
I'm not sure what the worst consequences could be of a corrupted or
malicious history file.
Instead, it would be better to make the file writeable only by those
with write access to the repository, and simply not record the
read-only operations.
I have filed this bug with severity `serious' because it's a prima
facie security bug and because I didn't find anything in the package
or the bug system which provides a justification for why this is
OK.
(Note: what is needed is not an explanation of why this is
necessary for CVS's current functionality. What is needed is an
explanation of why these world-writeable control files cannot make cvs
malfunction, if they are maliciously modified.)
If these permissions are indeed safe, then please take this as a
request for a documentation improvement and downgrade the bug
accordingly.
Thanks,
Ian.
--
Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
--- End Message ---
--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-22
We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 858...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Glaser <t...@mirbsd.de> (supplier of updated cvs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Tue, 28 Mar 2017 20:01:39 +0200
Source: cvs
Binary: cvs
Architecture: source
Version: 2:1.12.13+real-22
Distribution: unstable
Urgency: low
Maintainer: Thorsten Glaser <t...@mirbsd.de>
Changed-By: Thorsten Glaser <t...@mirbsd.de>
Description:
cvs - Concurrent Versions System
Closes: 858769
Changes:
cvs (2:1.12.13+real-22) unstable; urgency=low
.
* cvs init: Change default history logging configuration
to only log write operations by adding “LogHistory=TMAR”
* Testsuite: Alter to cope with this explicit option
* cvs init: Rely on CVSUMASK for history and val-tags files
in newly created repositories (Closes: #858769)
* Add a NEWS.Debian entry verbosely documenting this change
Checksums-Sha1:
879aa76a4d9d53628a818488845ef7d2aabbf707 2026 cvs_1.12.13+real-22.dsc
21e5b9bf0d3ad0ecfab7f63b595208b755a9cc0a 114610 cvs_1.12.13+real-22.diff.gz
Checksums-Sha256:
3d1f3a25db4806d1cee6df6dfe0c03f58a8e0fb4507f7e5180be1fa2877b3f9a 2026 cvs_1.12.13+real-22.dsc
4dc31fcc03c0b95b811368425f67db5387163a21fa70ec39c77bcc9224ed87b9 114610 cvs_1.12.13+real-22.diff.gz
Files:
46b63a9ca63b81ca79181a4c54dda150 2026 vcs optional cvs_1.12.13+real-22.dsc
56e7c11b44c9e57096219521c6041e6a 114610 vcs optional cvs_1.12.13+real-22.diff.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)
Comment: ☃ ЦΤℱ—8 ☕☂☄
-----END PGP SIGNATURE-----
--- End Message ---
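An added example, not code from the bug report, the cvs package or Debian: a POSIX shell audit for the two conditions discussed in this thread, the world-writable CVSROOT/history and CVSROOT/val-tags files Ian observed (0666 despite umask 0002) and the history-logging default that the -22 changelog narrows with LogHistory=TMAR. The function names, the constructed stand-in CVSROOT directories (built with mkdir/chmod rather than by running cvs init) and the reading that any LogHistory letter outside T, M, A and R logs more than write operations are assumptions of this example; group-write is deliberately accepted because the fix relies on CVSUMASK rather than forbidding it.

```shell
#!/bin/sh
# Added example, not code from the bug report or the cvs package.
# Audits a CVS repository for the two conditions discussed in #858769:
#   1. CVSROOT/history and CVSROOT/val-tags writable by "other" (the
#      reporter saw -rw-rw-rw- despite umask 0002);
#   2. CVSROOT/config not restricting history logging to write operations
#      (the fix adds LogHistory=TMAR; letters outside T,M,A,R are treated
#      here as logging more than write operations, an assumption of this
#      example). Group-write is allowed: the fix relies on CVSUMASK.
# Requires only POSIX sh, find, grep, sed, tr and mktemp.

# audit_cvsroot REPO: print findings; return 0 when clean, 1 otherwise.
audit_cvsroot() {
    repo=$1
    rc=0
    for f in history val-tags; do
        path="$repo/CVSROOT/$f"
        [ -e "$path" ] || continue
        # -prune stops find descending; -perm -002 matches only if the
        # other-write bit is set (works on GNU and BSD find).
        if [ -n "$(find "$path" -prune -perm -002 -print)" ]; then
            echo "FINDING: $path is world-writable"
            rc=1
        fi
    done

    config="$repo/CVSROOT/config"
    if ! grep -q '^[[:space:]]*LogHistory=' "$config" 2>/dev/null; then
        echo "FINDING: no LogHistory= in $config; the default also logs read operations"
        rc=1
    else
        # Take the last LogHistory= line and drop the key and any whitespace.
        loghist=$(sed -n 's/^[[:space:]]*LogHistory=//p' "$config" | tail -n 1 | tr -d '[:space:]')
        case "$loghist" in
            *[!TMAR]*)
                echo "FINDING: LogHistory=$loghist logs more than write operations"
                rc=1 ;;
        esac
        # An empty value disables history logging entirely and is accepted.
    fi
    return $rc
}

# make_sample_repo DIR MODE [CONFIG_LINE]: constructed stand-in for what
# "cvs init" lays down, so the audit can run without a cvs binary.
make_sample_repo() {
    mkdir -p "$1/CVSROOT"
    : > "$1/CVSROOT/history"
    : > "$1/CVSROOT/val-tags"
    chmod "$2" "$1/CVSROOT/history" "$1/CVSROOT/val-tags"
    printf '# constructed sample CVSROOT/config\n%s\n' "$3" > "$1/CVSROOT/config"
}

# demo: the reported state (0666, default logging) must be flagged and the
# state after the -22 fix (umask 0002 giving 0664, LogHistory=TMAR) must
# pass. Returns 0 when both hold.
demo() {
    tmp=$(mktemp -d) || return 2
    make_sample_repo "$tmp/before" 0666
    make_sample_repo "$tmp/after" 0664 "LogHistory=TMAR"
    before=0; audit_cvsroot "$tmp/before" || before=$?
    after=0;  audit_cvsroot "$tmp/after"  || after=$?
    rm -rf "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo && echo "audit behaves as expected"
```

Run `audit_cvsroot /path/to/repo` against a real repository. Note that the changelog applies the new defaults to newly created repositories only, so a repository initialised by an earlier cvs init keeps its 0666 files and all-operations logging until fixed by hand; a reasonable remediation, not one the changelog prescribes, is `chmod o-w CVSROOT/history CVSROOT/val-tags` and adding `LogHistory=TMAR` to CVSROOT/config, after which this audit should report nothing.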