COMMAND

    CVS

SYSTEMS AFFECTED

    Systems running CVS

PROBLEM

    Elliot Lee posted the following.  If you run the CVS pserver as per
    the instructions in the CVS info page (running it as root from
    inetd) anyone can get access to any account except root (and
    perhaps root too - there may be CVS commands that run scripts and
    don't check if uid == 0).  If you don't run it as root they can
    still get full access to the repository.

    Basically,  the  user  makes  their  own  CVS  repository  with  a
    "customized"  password  file,  changes  commitinfo  so  it  runs a
    "chmod 6555 /bin/sh" script, and does a commit of something.

    Sending passwords across the network in cleartext is the least of
    your worries with pserver (part of CVS).  Two bigger concerns are
    that it runs on an unprivileged port from inetd, which means on
    most systems you can steal connections away from it and grab the
    passwords (ok, so OpenBSD and some other OSes will stop you from
    rebinding to the port as a different uid, but all you have to do
    is make inetd give up and release it), and that the password used
    for access is stored unencrypted (trivially encoded, but not
    encrypted) on the local disk.

SOLUTION

    This is old news.  The latest cvs (1.9.14, perhaps .10 as well)
    has a --allow-root option that needs to be passed to it on the
    command line to tell it which repositories to allow access to.
    Then, of course, you have to be sure that $CVSROOT,
    $CVSROOT/CVSROOT and $CVSROOT/CVSROOT/* are not writable by
    anyone who shouldn't have root.
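
    The two conditions named above (every inetd pserver entry passes
    --allow-root, and nothing under $CVSROOT/CVSROOT is writable by
    group or others) can be audited with a short shell script.  The
    script below is an added example, not code from the advisory or
    from CVS; the repository layout and inetd.conf lines it builds
    under a temporary directory are constructed sample data, and the
    --allow-root=PATH spelling is the CVS command-line form of the
    option.

```shell
#!/bin/sh
# Added audit helpers (not part of the advisory or of CVS) for the two
# conditions named in the SOLUTION: the inetd entry must pass --allow-root
# to cvs, and nothing under $CVSROOT/CVSROOT may be group- or world-writable,
# since a writable commitinfo is exactly what the advisory's attack relies on.

# check_cvsroot REPO
#   Lists every entry under REPO/CVSROOT that is group- or world-writable.
#   Returns 0 when nothing is writable, 1 when something is, 2 when the
#   administrative directory is missing.
check_cvsroot() {
    admin="$1/CVSROOT"
    if [ ! -d "$admin" ]; then
        echo "no CVSROOT directory under $1" >&2
        return 2
    fi
    # -perm -020: group-write bit set; -perm -002: world-write bit set
    writable=$(find "$admin" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        printf 'writable by group or others:\n%s\n' "$writable"
        return 1
    fi
    return 0
}

# check_inetd CONF
#   Returns 0 when every non-comment pserver line in the inetd.conf at CONF
#   passes --allow-root to cvs, 1 when at least one such line does not.
check_inetd() {
    if grep -v '^[[:space:]]*#' "$1" | grep 'pserver' \
        | grep -v -- '--allow-root' | grep -q .; then
        return 1
    fi
    return 0
}

# make_fixture
#   Builds constructed sample data in a temporary directory and prints its
#   path: a repository with a clean CVSROOT, an inetd.conf fragment that uses
#   --allow-root, and one written the way the CVS info page showed it.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/repo/CVSROOT"
    printf 'DEFAULT /bin/true\n' > "$dir/repo/CVSROOT/commitinfo"
    chmod 755 "$dir/repo/CVSROOT"
    chmod 644 "$dir/repo/CVSROOT/commitinfo"
    printf 'cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/var/cvsroot pserver\n' \
        > "$dir/inetd.good"
    printf '# pserver as documented in the CVS info page\ncvspserver stream tcp nowait root /usr/bin/cvs cvs pserver\n' \
        > "$dir/inetd.bad"
    echo "$dir"
}

# demo: walk through the clean and the dangerous states on the sample data.
demo() {
    d=$(make_fixture)
    if check_cvsroot "$d/repo"; then echo "clean repository: ok"; fi
    chmod 666 "$d/repo/CVSROOT/commitinfo"   # the state the advisory warns about
    if ! check_cvsroot "$d/repo"; then echo "world-writable commitinfo: flagged"; fi
    if check_inetd "$d/inetd.good"; then echo "inetd entry with --allow-root: ok"; fi
    if ! check_inetd "$d/inetd.bad"; then echo "inetd entry without --allow-root: flagged"; fi
    rm -rf "$d"
}

demo
```

    On a real system run check_cvsroot against each path given to
    --allow-root and check_inetd against /etc/inetd.conf; the
    permission test is mode-bit based, so ownership by a trusted
    user still has to be confirmed separately.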

    The best recommendation is not to trust pserver.