[MPlayer-dev-eng] cvs remote vulnerability

D Richard Felker III dalias at aerifal.cx
Tue Jan 21 17:37:32 CET 2003


On Tue, Jan 21, 2003 at 04:17:14PM +0000, Alvaro Lopes wrote:
> D Richard Felker III wrote:
> 
> >On Tue, Jan 21, 2003 at 11:57:24AM +0100, Robert Penz wrote:
> > 
> >
> >>http://security.e-matters.de/advisories/012003.html?SID=b105dbb11a6affba5feee752bfc3c53e
> >>   
> >>
> >
> >Anyone know how real/serious this is? The advisories are always lame
> >and don't properly explain what privileges are compromised. I assume
> >if you exploit anon cvs you only get an account as the anon cvs user,
> >but with the 'security scene' kids trying to make their exploits look
> >serious to boost their egos and reputations, they like to leave this
> >sort of info out... :(
> > 
> >
> Debian also issued an advisory, so I belive it might be serious or at 
> least have some fundament. Usually they don't fix what has no need to be 
> fixed, or at least mark it as 'recommendation'.

Well yeah, even getting a shell as the anon cvs user is bad, since it
allows the attacker to get in and look for local vulns or just cause
havok (fork bombs, etc). But it's not nearly as bad as getting root
directly or getting write access to the cvs repository, which I think
(hope!) is not possible...

Rich



More information about the MPlayer-dev-eng mailing list