The Web    Google
Open Source CVS Flaw Sparks Use Audits

Open Source CVS Flaw Sparks Use Audits
June 10, 2004

Security researchers have found multiple potential security flaws in one of the main tools of modern open source code management, the Concurrent Version System. However, new versions of CVS have already been issued that correct the flaws.

CVS, a source code maintenance system, has become the standard software configuration management (SCM) system of the Free and Open Source development communities. CVS enables developers to contribute and collaborate on code without version conflicts. It also allows developers to store the current version of the source code as well as a record of all committed changes and who made them.

The latest flaw comes after security researchers warned of a flaw in the CVS that could be used to launch malicious code on the vulnerable system. Security researchers released a patch for that "critical" vulnerability late last month.

However, researchers have since found several additional vulnerabilities. One involves a flaw that could lead to a missing NULL terminator; others relate to an error_prog_name string, an argument integer overflow and an out of bounds issue in serv_notify code.

A malicious attacker could theoretically exploit that vulnerability to execute code, execute commands, read sensitive information, or cause a denial of service attack . Even an anonymous user with only read-only access could exploit the vulnerability on an un-patched server.

CVS project maintainers at have released new versions of CVS, 1.12.9 and 1.11.7, as well as binaries for most major Linux distributions.

The group also recommended that all CVS users upgrade to the latest version. In addition, they said the vulnerabilities relate almost entirely to the pserver method of accessing CVS.

Pserver is a daemon implementation of CVS and was supposed to be a more organized way of using CVS. The pserver read-only access is for general public use and is used to help end users get up to date versions of software. Beyond updating to the latest versions of CVS, the security advisories also said users should consider running their CVS server chrooted over SSH rather than using the pserver daemon.

CVS is the dominant code version management tool in use today by many open source projects, including the Apache Software Foundation, which, according to board member Ken Coar, plans to review its CVS usage.

"Of course time will be spent examining our repositories," Coar told "I daresay the same will apply to any other group using distributed CVS."

Though CVS dominates in usage with many major open source development projects, another system, known Subversion (SVN), is starting to make itself known. Some in the open source community even see SVN as a successor to CVS, both of which are sponsored by Brian Behlendorf's CollabNet (also of Apache Software Foundation).

But Coar said he doesn't see recent issues with CVS as enough for the Apache Software Foundation to drop CVS and move to SVN. "My personal opinion is that it's unlikely, at least as a consequence of these vulnerabilities," Coar said. "There's a significant overlap of ASF developers with the SVN project, and there has been discussion about moving to SVN, partly because the technology is seen as more robust and current. Some of the ASF projects already use SVN rather than CVS," he said.

"I think that over time new projects will choose their repository tool, and the older projects may or may not migrate. But again, that's not because of any security issues in CVS. These discussions go back many months."

  • Report: IT Security Begins at the Top
  • Do-Not-Spam List Great For Spammers
  • 10/26: Famus-B Worm Sends Email About Iraq
  • 3/16: Rbot-YB Worm OKs Remote Access
  • 5/3: SymbOS/Locknut-C Infects Handsets
  • War Threat Threaded to Digital Attacks?
  • 7/12 Atak.A Worm Low Threat but High Traffic
  • 4/8: Mytob-S Worm Continues to Flourish
  • Schumer Introduces No Spam Registry Bill
  • 1/12: Kobot-B Worm Uses 3 Windows Flaws
  • 3/30: Kelvir-F IM Worm Sends Message
  • Home Security Camera Background