| Summary: | cvs 1.11.11 fixes server-side security problem | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Rainer Größlinger (RETIRED) <scandium> |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | Keywords: | SECURITY |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Rainer Größlinger (RETIRED)
2003-12-19 15:48:56 UTC
The ebuild for cvs-1.11.11 is severly broken. It tries to create a directory "cvsroot" under /home, which is not possible on automounted/nfs-mounted home directories (ebuild breaks). Even if one would go through the hassle to create that directory on the file server, /home/cvsroot is still a completely wrong place for a cvs repository, which should stay on the cvs server, and not being distributed among workstations. Sure, on a standalone workstation /home/cvsroot might be ok, but those seldom need a cvs pserver. Most larger installations I've seen use NIS+automount for home directories (even sharing it across different architectures), and in such an environment its unacceptable to have /home/cvsroot created for each computer that just wants to use CVS. I suggest moving it to /var/cvsroot or something like that. ok, this problem was introduced when bug #25313 got fixed. It was in ~arch for some time and no one had any objections against that change at that time, but thank you for pointing that out, it definitly is a valid point. /var/cvsroot is one possibility, /usr/local/cvsroot would be another (the latter is more "standardized"). I'd like to hear opinions about that one and change it ASAP. No matter where you put it, someone is going to be unhappy with the decision. I do agree that /home is probably not a good place. I'd personally vote for /usr/local/cvsroot and make it fairly easy for the user to change should they wish. (via an overlay or whatever) personally, I'd also vote for /usr/local/cvsroot And it's quite easy to change it if the user likes to, since all he needs to change is the HOME var in the cvspserver file and the path in the server_args I committed the new files with the home directory changed. Unfortunatly, we cannot "revert" those people who already have it in /home/cvsroot because a) perhaps that was intentional that they have it running there and b) we could break their setup So, the risk would just be too high to mess around in their system, but after all, people who run a pserver are going to modify it anyway if they don't like the current behaviour, so I see no problem there. Mail has been busted for a day here at gentoo so I never saw this bug till just now. I object with every feeling in my body about /usr/local anything. It's not a distro place to touch /usr/local and infact would probably be a violation of a existing gentoo policies. /var/cvsroot or /chroot/cvsroot Are my votes. If this has been put in /usr/local please get it out of there ASAP Gentoo Policy states that we do NOT touch /usr/local So, I will have to side with solar on this and request that it be changed out ASAP. <ignorance>if it is "gentoo policy" it would be nice if it would be written down somewhere ?! :)</ignorance> Gentoo Development policy, ebuild howto and portage manual, none of these says that it's "gentoo policy" to not touch /usr/local... can you please enlighten us on this ?! As a consequence, I changed it to /var/cvsroot immediatly, but I'd still like to know what's up with the /usr/local thing. Gentoo follows the File Hierarchy Standard: "The /usr/local hierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated." http://www.pathname.com/fhs/2.2/fhs-4.9.html The system (the Gentoo distribution in this case) should never touch /usr/local. s/follows/follows as closely as reasonable glsa 200312-08 <http://www.gentoo.org/security/en/glsa/glsa-200312-08.xml> sent as: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200312-08 - -------------------------------------------------------------------------- GLSA: 200312-08 package: dev-util/cvs summary: Fix for possible root compromise when using CVS pserver severity: high Gentoo bug: 36142 date: 2003-12-28 exploit: unknown affected: <=1.11.10 fixed: >=1.11.11 DESCRIPTION: Quote from <http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88>: "Stable CVS 1.11.11 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release adds code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file. Previously, any user with the ability to write the CVSROOT/passwd file could execute arbitrary code as the root user on systems with CVS pserver access enabled. We recommend this upgrade for all CVS servers!" SOLUTION: All Gentoo Linux machines with cvs installed should be updated to use cvs-1.11.11 or higher. emerge sync emerge -pv '>=dev-util/cvs-1.11.11' emerge '>=dev-util/cvs-1.11.11' emerge clean // end -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/79SAnt0v0zAqOHYRAuWTAJ9UY/lAvsKQRtHLQZr/zDUf5eok6wCgumZt ICbAjuPbALouwsdG16pqS6s= =UQlf -----END PGP SIGNATURE----- |