[ISN] Open-Source CVS Project Plugs Security Leaks

InfoSec News isn at c4i.org
Wed Apr 20 04:13:57 EDT 2005


By Ryan Naraine 
April 19, 2005 

Security researchers on Tuesday issued a warning for multiple
vulnerabilities in the open-source CVS, a popular program that allows
developers to keep track of different development versions of source

The most serious of the flaws could allow a remote compromise of
unpatched servers, the open-source Concurrent Versions System Project
confirmed in an advisory.

The flaws range from buffer overflows and memory leaks that could lead
to code execution and denial-of-service attacks.

Security alerts aggregator Secunia has slapped a "moderately critical"  
rating on the vulnerabilities and recommended that users upgrade to
version 1.11.20 immediately.

CVS, also known as the Concurrent Versioning System, implements a
version control system that keeps track of all work and changes in the
implementation of a software project.

The system is commonly used as a collaboration tool among open-source
developers, and the discovery of security flaws could cause serious
problems if an attacker embeds malicious code in software revisions
and patches.

The CVS Project described the buffer overflow as "potentially serious"  
but said it may not be exploitable.

It also confirmed that the new version fixes several plugged memory
leaks and potentially freed NULL pointers that may have been
exploitable for a denial-of-service attack.

The group also warned that several potential vulnerabilities in the
contributed Perl scripts have been fixed.

"The confirmed vulnerability could allow the execution of arbitrary
code on the CVS server, but only if a user already had commit access
and if one of the 'contrib.' scripts was installed improperly, a
condition which should have been quickly visible to any
administrator," the Project said.

A complete description of the problem has been published.

"If you were making use of any of the contributed trigger scripts on a
CVS server, you should probably still replace them with the new
versions, to be on the safe side," the group said.

A fix for this bug, however, is incomplete.

"Taint-checking has been enabled in all the contributed Perl scripts
intended to be run as trigger scripts, but no attempt has been made to
ensure that they still run in taint mode," the advisory read.

The latest security hiccup comes at a crucial time for the CVS
Project, which is still reeling from a major server attack last year.

On the Project home page, the remnants of that attack are still

"The cvshome site is currently being thoroughly cleaned as a direct
result of an exploitative code set that attacks a cvs security
violation," reads the note that greets visitors.

"The publication of this code makes all sites running cvs with any
remote protocol vulnerable. Use the following information to determine
if your site is at risk and to access either a patch for this problem
or a full source distribution with the fix included," the notice

More information about the ISN mailing list