May 19, 2004 1:42 PM PDT

Flaws drill holes in open-source repository

Flaws in two popular source code repository applications could allow attackers to access and corrupt open-source software projects, a security researcher said Wednesday.

One vulnerability affects the Concurrent Versions System (CVS), an application used by many developers to store program code. The other flaw affects a newer, less widely used system known as Subversion, said Stefan Esser, the researcher who discovered the security holes.

The CVS software, in particular, is run by many large open-source projects to create servers that maintain the versions of a program under development. Groups developing the Gnome and KDE Linux desktops, the Apache Web server and large Linux distributions are among those that use servers with the source code databases.

These groups were notified of the security issues earlier in May and have already installed patches, said Esser, who is the chief security and technology officer at e-Matters, a German software company.

"The really big projects usually use CVS...servers just as a distribution channel," Esser stated in an e-mail interview, noting that the servers used by major developers to hold code are generally accessible only through a secured connection. "Lots of smaller open-source projects are, however, running their development on vulnerable servers," he added.

The flaw in CVS, which is used more widely than Subversion, affects all versions of the software released before May 19, according to an alert sent out by Esser. The vulnerability, technically known as a "heap overflow," occurs because data from the system's users is not vetted carefully enough. The CVS Project and major Linux and BSD distributions have posted advisories on the issue.

The hole in Subversion, a rewrite of the CVS application, is much easier to take advantage of, Esser said. That vulnerability is caused by an error in the way the code parses dates. It could be exploited to allow "remote code execution on Subversion servers and therefore could lead to a repository compromise," according to Esser's advisory.

"The CVS flaw is several levels harder to abuse," Esser said.

The source-code database holes aren't the first to cause developers some worry. Last year, a vulnerability in CVS software opened up development servers to attacks by allowing an intruder to raise his or her level of privilege. The flaw led to some compromises.

Attackers have increasingly started to focus on software that runs on Linux, the operating system most often used with CVS. In March and April, Linux and Solaris servers at academic supercomputing centers were struck by unknown intruders.

The Samba Project, which maintains file server software that integrates with Microsoft Windows networks, uses Subversion. However, the project's developers were warned about the security issue before it was made public, Esser noted.

(The Subversion system attempts to improve the usability and security of the CVS application.)

Derek Price, the CVS release manager, and Esser sent a vulnerability notification to the members of Vendor-Sec, a limited community of major open-source projects that share security information. Esser also contacted other big users of the application, including SourceForge, XFree86, the Free Software Foundation and The PHP Group.

"For this particular issue, the release was synchronized with other vendors," Price said. "I'm sure there are other groups out there. That's what my announcement was for."

The Debian Project, a major Linux distribution, released a patch for the CVS software on Wednesday, in an advisory timed to publish simultaneously with e-Matters' alerts.

Martin Schulze, a developer and member of the Debian Project, said he thought the threat of the CVS flaw should be limited.

"The impact should be little to other projects, if they are applying the patch, which is pretty simple," Schulze said. "If they don't, it is possible to exploit the CVS server and gain access to the machine with the (access level of the server)--that should only be a regular user, not root."

Comment by bjbrock, May 20, 2004 6:56 AM PDT

Every source of IT solutions is showing the lack of care in producing a safe product. Microsoft, Linux, Apple, Symantec, Cisco,... and on and on and on. As software bloats, so do the flaws. If these companies can't deal with the complications of IT, they need to get into some other industry. EVERY vendor is bloating their products and the end result is trash. This constant bickering between opposing camps is a joke. Not one solution provider has any room to brag. They all have serious flaws and the consumer is getting burnt by the whole lot of them. IT has turned into a trash heap befitting of the local dump! Pardon me...land fill.