Re: cvs security problem

[Kev <klmitch () MIT EDU>]

> I found two security problems in cvs-1.10.8.

> From the CVS info page (Node: Password authentication security):

     The separate CVS password file (*note Password authentication
  server::) allows people to use a different password for repository
  access than for login access.  On the other hand, once a user has
  non-read-only access to the repository, she can execute programs on the
  server system through a variety of means.  Thus, repository access
  implies fairly broad system access as well.  It might be possible to
  modify CVS to prevent that, but no one has done so as of this writing.

(cvs version 1.10.7; I'd be suprised if .8 has changed that much in this
respect.)

This has been the case for quite some time.  It would be nice if CVS
could be made more secure, but it would probably take a lot of work.
--
Kevin L. Mitchell <klmitch () mit edu>