Subject: Re: NetBSD Security Advisory 2007-004: Insufficient length checking
To: None <>
From: Anne Bennett <>
List: tech-security
Date: 07/28/2007 16:33:46
On Sat, 28 Jul 2007, Alan Barrett replied to me:

>> I have tried this (cd /usr/src; cvs update sys/netiso/clnp_subr.c) and
[the file was not updated]
>> contents of /usr/src/CVS/Tag: Nnetbsd-3-1-RELEASE).

> That's a release tag, not a branch tag, so "cvs update" will do nothing.

That explains it; thanks.

> "cvs update -r netbsd-3-1 ${filename}" should do the right thing.

Yes, it seems to update the file.  It also gives this complaint:

   cvs update: warning: cannot open /cvsroot/CVSROOT/val-tags read/write: Permission denied

... but that seems to do no harm.  I am working as root, but the
problem seems to be the absence of the directory /cvsroot.  Presumably
the system shipped without it; I can't see myself having deleted that.

I will carry on with rebuilding the kernel now.

> I suppose the instructions in the security advisory should be improved.

Please.  I just realized that 2007-002 and -003 had not applied
properly either when I did them back in March.  :-(

> It would also be possible to change the process for creating the source
> tarballs that are shipped with releases, such that they appear to
> contain a branch tag instead of a release tag.  For example, a recursive
> search and replace in all src/**/CVS/Tag files could be performed before
> rolling the tarballs.

That sounds like a very good idea, at least to an uninformed person
like me who would not be able to see any downsides.  From my point of
view, if I'm asked to use cvs to apply security patches, or if I want
to use it to track the stable branch, it should "just work" if at all

Anyway, I'm off to re-apply the security patches; thanks for your help!

Anne Bennett.