From owner-freebsd-security Tue Jan 21 7:38:45 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EA0937B401 for ; Tue, 21 Jan 2003 07:38:43 -0800 (PST) Received: from pcwin002.win.tue.nl (pcwin002.win.tue.nl [131.155.71.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id F178D43ED8 for ; Tue, 21 Jan 2003 07:38:41 -0800 (PST) (envelope-from stijn@pcwin002.win.tue.nl) Received: from pcwin002.win.tue.nl (orb_rules@localhost [127.0.0.1]) by pcwin002.win.tue.nl (8.12.6/8.12.6) with ESMTP id h0LFcufw001345; Tue, 21 Jan 2003 16:38:56 +0100 (CET) (envelope-from stijn@pcwin002.win.tue.nl) Received: (from stijn@localhost) by pcwin002.win.tue.nl (8.12.6/8.12.6/Submit) id h0LFcuWX001344; Tue, 21 Jan 2003 16:38:56 +0100 (CET) Date: Tue, 21 Jan 2003 16:38:56 +0100 From: Stijn Hoop To: Tod McQuillin Cc: freebsd-security@freebsd.org Subject: Re: CVS remote vulnerability Message-ID: <20030121153856.GH219@pcwin002.win.tue.nl> References: <20030122001452.O455@glass.pun-pun.prv> <20030121152352.GG219@pcwin002.win.tue.nl> <20030122003247.H455@glass.pun-pun.prv> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Z0mFw3+mXTC5ycVe" Content-Disposition: inline In-Reply-To: <20030122003247.H455@glass.pun-pun.prv> User-Agent: Mutt/1.4i X-Bright-Idea: Let's abolish HTML mail! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Z0mFw3+mXTC5ycVe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jan 22, 2003 at 12:34:20AM +0900, Tod McQuillin wrote: > On Tue, 21 Jan 2003, Stijn Hoop wrote: > > The advisory claims that 'This does not apply to :pserver: method only', > > but what other method exists where you don't have to have a shell accou= nt? > > In other words, I have a CVS server where people use :ext: with > > CVS_RSH=3Dssh. How can one compromise this setup without compromising S= SH? >=20 > Even though there is a shell account, maybe the shell is set to cvs > itself. If so, normally you can't run anything but cvs but if you can > exploit it then you can get a shell on the cvs server. OK, thanks for explaining, I didn't think of that possibility. Fortunately I only have trusted local users. --Stijn --=20 What would this sentence be like if it weren't self-referential? --Z0mFw3+mXTC5ycVe Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+LWmQY3r/tLQmfWcRAk1JAJ9QAyYT1XLfhOToWdqVfb2MY7alUQCfR/W8 5eCO2lbOqY2xhl9lcrmZu4w= =1BGK -----END PGP SIGNATURE----- --Z0mFw3+mXTC5ycVe-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message