GPG-Signed Commits RCS Keyword Exploit
Given a signed file such as:
```c
int
main (int argc, char **argv)
{
  char *version = "$Revision$";
  return 0;
}
```
The client could use GPG-Signed Commits to verify the contents of this file. However, if RCS keyword substitution takes place, even on the client end, and the server is trusted to supply the data substituted for keywords, then a compromised server could supply a replacement revision string like:
```
$Revision: "; dosomethingnasty (); char *dummy = "1.3$
```
Substituting this string into the signed & verified file yields:
```c
int
main (int argc, char **argv)
{
  char *version = "$Revision: "; dosomethingnasty (); char *dummy = "1.3$";
  return 0;
}
```
This is a potentially nasty problem. For more on why having clients sign the keyword meta-data at commit time is not feasible, see GPG-Signed Commits.
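The substitution described above, as an added Python example that is not part of the original page or of any CVS code: it shows that a check which collapses keywords before comparing against the signed content still passes after the injection, and that validating the server-supplied value before substitution rejects it. The function names, the SHA-256 digest standing in for GPG signature verification, and the dotted-number allow-list for revision values are all assumptions of this example.

```python
import hashlib
import re

# Matches the collapsed form ($Revision$) and any expanded form
# ($Revision: value$) of the keyword used on this page.
KEYWORD = re.compile(r"\$(Revision)(?::[^$\n]*)?\$")

# Assumption: a legitimate revision value is a dotted number such as 1.3.
SAFE_REVISION = re.compile(r"\d+(?:\.\d+)+")

# The line of the page's signed file that carries the keyword.
SIGNED_SOURCE = 'char *version = "$Revision$";\n'

# The value carried by the page's replacement revision string.
MALICIOUS_VALUE = '"; dosomethingnasty (); char *dummy = "1.3'


def collapse(text):
    """Reduce every expanded keyword back to its $Keyword$ form."""
    return KEYWORD.sub(lambda m: "$" + m.group(1) + "$", text)


def digest(text):
    """Stand-in for signature verification: hash of the collapsed text."""
    return hashlib.sha256(collapse(text).encode()).hexdigest()


def expand(text, value, validate=True):
    """Substitute a server-supplied revision value into the keyword.

    With validate=True the value must match the allow-list; anything
    else is refused before it can reach the verified file.
    """
    if validate and not SAFE_REVISION.fullmatch(value):
        raise ValueError("rejected keyword value: %r" % value)
    return text.replace("$Revision$", "$Revision: " + value + "$")


if __name__ == "__main__":
    injected = expand(SIGNED_SOURCE, MALICIOUS_VALUE, validate=False)
    print(injected, end="")
    # The collapsed digest is unchanged, so this check cannot see the injection.
    print("digest unchanged:", digest(injected) == digest(SIGNED_SOURCE))
    try:
        expand(SIGNED_SOURCE, MALICIOUS_VALUE)
    except ValueError as err:
        print(err)
```
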
