COMMAND

    CVS

SYSTEMS AFFECTED

    Systems using CVS

PROBLEM

    Carlo Wood found the following.  As may be well known, there is a
    security problem with read-only CVS access: anyone who manages to
    change or replace the CVSROOT/passwd file can get root.

SOLUTION

    The only way to avoid this is to make the restrictions on CVSROOT
    (and all directories above it) as tight as those on /etc.  That is
    clearly not the case for egcs, because you can check out the
    CVSROOT directory (which requires the anonymous user to be able to
    set locks in there).  Carlo wrote a patch for cvs-1.9.29 (although
    1.9.30 is out now) which reads the file /etc/cvs.passwd instead of
    CVSROOT/passwd.  The normal procedure for getting changes like
    this into cvs seems to be that people use them first, as a patch.
    You can get it at

        http://www.xs4all.nl/~carlo17/cvs/

    for now.
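
    One way to check the "as tight as /etc" condition on a server, as
    an added example that is not part of the advisory or of Carlo's
    patch: it walks from the passwd file up through every directory
    above it and reports anything not owned by a trusted uid or
    writable by group or others.  The function names and the
    trusted-uid policy (root only by default) are assumptions.

```python
#!/usr/bin/env python3
"""Audit a CVS passwd file and every directory above it for loose permissions."""
import os
import stat
import sys


def check_entry(path, trusted_uids):
    """Return the list of problems for one file or directory (empty if tight)."""
    st = os.lstat(path)
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_chain(target, trusted_uids=frozenset({0}), top="/"):
    """Check target and each parent directory, up to and including top.

    Symlinks are resolved first so that the real directories are the ones
    inspected. Returns {path: [problems]} for every entry that is too loose.
    """
    current = os.path.realpath(target)
    top = os.path.realpath(top)
    findings = {}
    while True:
        problems = check_entry(current, trusted_uids)
        if problems:
            findings[current] = problems
        parent = os.path.dirname(current)
        if current == top or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Pass the path(s) to audit, e.g. the repository's CVSROOT/passwd file.
    for arg in sys.argv[1:]:
        for path, problems in audit_chain(arg).items():
            print(f"{path}: {', '.join(problems)}")
```

    Any line of output means a non-root user may be able to replace
    the file or one of the directories on the way to it.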